Netgate Discussion Forum
    Unable to route through backup WAN

    Routing and Multi WAN
      viragomann

      You need to add an Outbound NAT rule to the CELLULAR interface for the Guest network. Ensure that the outbound NAT is working in hybrid or manual mode.

      And you need to add a policy routing rule to the GUEST interface where you state the CELLULAR gateway, and put this rule at the top of the rule set to ensure it's applied.
      Good advice is to add an alias for RFC1918 networks and use this alias as destination combined with "invert" checked in this rule, so that the rule will only be applied to upstream traffic.

      Consider that you may need additional rules for allowing access to internal services like DNS in case you provide the pfSense IP as DNS server.

      If it doesn't work, post screenshots of your outbound NAT rules and the GUEST rules.

        himanshus

        Thank you for your response.
        I have seriously done exactly what you mentioned in your post even before asking for help on the forum, and it is not working. I have now posted the screenshots in my response. I even tried the invert rule and that did not work either. My suspicion is that for some weird reason, the traffic from the GUEST subnet (10.55.55.0/24) just does not want to be routed through the CELLULAR gateway. I am really pulling my hair out on this one.

        Screenshots: PfSense1.png, PfSense2.png, PfSense3.png, PfSense4.png

          viragomann @himanshus

          @himanshus
          Are you able to resolve public hostnames on the GUEST network?

          The rule on GUEST is obviously not applied. Check the firewall log to see which rule is applied.
          Do you have floating rules?

            himanshus

            From the Guest network subnet, I am not able to ping any public IP or resolve any hostnames. There are no floating rules in the system. Where should I look in the logs to see which rule is applied? Thank you.

              viragomann

              You have to enable logging in each unique firewall rule, then try to access some internet resources and check System > Log > Firewall.

                himanshus
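One way to do the check described above, as an added example that is not from the thread or from pfSense itself: a small Python parser for pfSense filterlog(8) lines that counts, per real interface and rule tracker id, the packets seen from the GUEST subnet, so you can see which rule matched and on which interface. The interface names (igb1 for GUEST, igb0 for WAN), tracker ids and log lines are constructed for illustration.

```python
"""Summarise pfSense firewall log (filterlog) entries for one source subnet.

Added illustration for this thread, not pfSense code. filterlog writes one
CSV record per logged packet; the fields used here follow the pfSense 2.2+
layout: rulenr,subrulenr,anchor,tracker,interface,reason,action,dir,ipver,
then for IPv4: tos,ecn,ttl,id,offset,flags,proto_id,proto,len,src,dst,...
The tracker id is the rule id shown in the GUI log, so it identifies the
rule that actually matched and the interface it matched on.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample (assumption: igb1 is GUEST, igb0 is WAN).
SAMPLE_LOG = """\
Mar  3 10:01:02 pfSense filterlog[4711]: 5,,,1000000101,igb1,match,pass,in,4,0x0,,64,100,0,DF,6,tcp,60,10.55.55.20,93.184.216.34,51000,443,0,S,1,,64240,,mss
Mar  3 10:01:02 pfSense filterlog[4711]: 5,,,1000000101,igb1,match,pass,in,4,0x0,,64,101,0,DF,17,udp,62,10.55.55.20,9.9.9.9,50001,53,42
Mar  3 10:01:03 pfSense filterlog[4711]: 12,,,1000000077,igb0,match,pass,out,4,0x0,,63,100,0,DF,6,tcp,60,10.55.55.20,93.184.216.34,51000,443,0,S,1,,64240,,mss
Mar  3 10:01:05 pfSense filterlog[4711]: 9,,,1000000003,igb1,match,block,in,4,0x0,,64,102,0,none,1,icmp,84,10.55.55.30,8.8.8.8,request,0,0
Mar  3 10:01:06 pfSense sshd[9]: Accepted publickey for admin from 10.1.1.5
"""

FILTERLOG = re.compile(r"filterlog\[\d+\]: (?P<csv>.*)$")


def parse_filterlog(line):
    """Return the interesting fields of one IPv4 filterlog line, else None."""
    m = FILTERLOG.search(line)
    if not m:
        return None  # not a firewall log line (e.g. sshd, dhcpd)
    f = m.group("csv").split(",")
    if len(f) < 20 or f[8] != "4":  # only the IPv4 field layout is handled
        return None
    return {"tracker": f[3], "iface": f[4], "action": f[6], "dir": f[7],
            "proto": f[16], "src": f[18], "dst": f[19]}


def summarise(log_text, subnet):
    """Count packets from `subnet` per (interface, direction, action, tracker)."""
    net = ipaddress.ip_network(subnet)
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec and ipaddress.ip_address(rec["src"]) in net:
            counts[(rec["iface"], rec["dir"], rec["action"], rec["tracker"])] += 1
    return counts


if __name__ == "__main__":
    # A GUEST pass followed by a pass *out on igb0* shows the traffic left via WAN.
    for key, n in sorted(summarise(SAMPLE_LOG, "10.55.55.0/24").items()):
        print("%-5s %-3s %-5s tracker %s: %d packet(s)" % (*key, n))
```

In the GUI, Status > System Logs > Firewall shows the same tracker id next to each entry, so the counts map straight back to the rule that matched.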

                I was able to enable logging, and found out that the traffic from the GUEST network is being routed via the WAN interface, despite there being an outbound rule that specifically says traffic from GUEST should be routed via the CELLULAR interface.

                I am suspecting that this is a routing problem in pfSense. The CELLULAR interface on pfSense has a DHCP IP of 192.168.5.30 and a gateway IP of 192.168.5.1 assigned by the cellular modem, and pfSense may be assuming this is a local subnet and therefore there is no routing between the GUEST network (10.55.55.0/24) and 192.168.5.30.

                I am stuck there!

                  viragomann @himanshus

                  The routing is not done by outbound NAT rules, it should be done by the policy routing rules.

                  That issue seems very strange. To investigate what happens, please take some packet captures in the pfSense Diagnostics menu.
                  Ensure that the CELLULAR gateway is shown as up.
                  Take a capture on the GUEST interface while you try to access a specific public site. You may filter for that destination.
                  Then take a capture on CELLULAR and also on WAN and post all results, please.

                    himanshus

                    I tried to do a packet capture; interestingly, there are absolutely NO packets being captured on the GUEST interface. I even tried to change the policy-based routing to route the traffic from the GUEST network through the default WAN, and then I do receive successful ping responses (using Diagnostics > Ping, source: GUEST), but even then there is no packet being captured on the GUEST interface.

                    I am able to capture packets on the WAN and CELLULAR interfaces, but simply no packets are being captured on the GUEST interface, no matter what I tried. This is pretty weird, I guess.

                      himanshus

                      Hello viragomann,

                      After a reboot, I had to do a bunch of tests again, and I have finally verified that it is working now. It was definitely confusing, but I am pretty confident that it is working now.

                      Thank you for all your help with this.

                        viragomann

                        Okay, that issue was going pretty weird already.

                        You can simply check your public IP by going to https://whatismyipaddress.com or something like that in the client's browser.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.