Bandwidth Limiter does not work when Specific Gateway defined under DHCP

johnpoz · Sep 5, 2020, 4:44 PM

Did you create the network on opt1? Its no different..

Do you have another interface to use on pfsense, will you be using vlans via a switch?

sanketgroup · Sep 5, 2020, 5:10 PM

@johnpoz said in Bandwidth Limiter does not work when Specific Gateway defined under DHCP:

Do you have another interface to use on pfsense, will you be using vlans via a switch?

I don't have extra interface. I guess I have to create VLAN interface in that case, correct?

Lets say OPT2 with (192.168.0) and then create rule same as OPT1? Pass any source any destination any protocol?

So, IP of 3 interface would be
LAN1: 192.168.1.1/24
OPT1: 10.5.20.1/24
OPT2: 192.168.0.1/24

setup OPT2 DHCP and clients get IP with 192.168.0.1 gateway.

Then any rule or NAT to transfer OPT2 traffic to OPT1 UTM?

sanketgroup · Sep 7, 2020, 6:16 PM

@johnpoz
Can you pls guide for above?
Thanks

stephenw10 · Sep 7, 2020, 9:02 PM

Yes. You will need to policy route that traffic to the UTM gateway though as well.

You could also use a failover gateway group so it client still have access if the UTM fails if needed:
https://docs.netgate.com/pfsense/en/latest/book/multiwan/policy-routing-configuration.html

Steve

johnpoz · Sep 7, 2020, 10:24 PM

@sanketgroup said in Bandwidth Limiter does not work when Specific Gateway defined under DHCP:

Then any rule or NAT to transfer OPT2 traffic to OPT1 UTM?

Policy route would be needed to send them out the utm, whoever you want to go there be it lan or opt1 network.

As to outbound natting the traffic - would depend if utm is going to nat them out to the internet, do you have access to utm to setup the return route. If not then yeah you would have to nat.

stephenw10 · Sep 7, 2020, 10:56 PM

Yup it would be much nicer to NAT in the UTM so that it can see the internal client IPs and filter/log accordingly. But to do that you would need to add a static route to the UTM and if you have no access that's not an option.

Steve

sanketgroup · Sep 8, 2020, 2:47 PM

I tried to create rule as shown in screenshot below.
But still DHCP clients on OPT1 are getting internet from PFSense instead of UTM.

DHCP Clients and UTM are on subnet.

PFSense DHCP Clients: 10.5.20.50-100
UTM: 10.5.20.2 (And it does NAT)

i.e if I manual type in gateway as 10.5.20.2 (UTM IP) clients get Internet from UTM.
But PFSense DHCP clients get internet from PFSense even after rules shown in Scerenshot.

I might be wrong with rules. Pls guide.

Thanks

johnpoz · Sep 8, 2020, 3:21 PM

That is not a policy route.. So no that wouldn't work!

And you have opt network on the same network as UTM? Already went over that would be asymmetrical.

Change your clients to a different network than this 10.5.20 network.. Use that 10.5.20 as your transit and policy route with a outbound nat.

Even if your UTM some other network, how would it know how to route back via pfsense to get to this other network.

sanketgroup · Sep 8, 2020, 4:25 PM

Thanks for bearing with me and guiding me without any displeasure

Correct, my mistake for not setting up separate interface for DHCP.
Cannot create VLAN as PFSense is on VMWare workstation and On-board LAN card does not support Intel Teaming (Virtual adapter)
So I will have to arrange extra LAN port.

If i am able to manage setting up return route on UTM then setup would be like this:

OPT1: 192.168.0.1 (DHCP: 192.168.0.50-100)
OPT2: 10.5.20.1

Create Rule on OPT1:
Action = Pass /// Interface = OPT1 /// Source = OPT1 net /// question: Destination = shall it be Single Host (UTM 10.5.20.2) or OPT2 net

=============
If I am not able to create return path on UTM then create NAT in PFSense as follow:

Make OPT2 as WAN2 Port and create NAT between OPT1 and WAN2/OPT2

johnpoz · Sep 8, 2020, 4:46 PM

@sanketgroup said in Bandwidth Limiter does not work when Specific Gateway defined under DHCP:

Action = Pass /// Interface = OPT1 /// Source = OPT1 net /// question: Destination = shall it be Single Host (UTM 10.5.20.2) or OPT2 net

That is not a policy route.. You have to select gateway in the rule if you want to route. 10.5.20.2 would be setup as a gateway in pfsense. Did you read the link provided?

You would then be able to create an outbound nat for it.. Hybrid is all that is needed.

As to your whatever your workstation does for cards and teaming - that has zero to do with vm passing tags or not passing tags for a vlan.. But sure if you want to create another vm nic and do it that way that works too.. How you do vlans and do your connections have little to do with the logistics of the network. Pfsense doesn't care if its a vlan or a native interface.. How you tie that to the physical world is up to you.