Netgate Discussion Forum

Unable to route through backup WAN

    viragomann
    last edited by Sep 23, 2020, 10:23 PM

    You need to add an Outbound NAT rule to the CELLULAR interface for the Guest network. Ensure that the outbound NAT is working in hybrid or manual mode.

    And you need to add a policy routing rule to the GUEST interface where you state the CELLULAR gateway and put this rule to the top of the rule set to ensure it's applied.
    Good advice is to add an alias for RFC1918 networks and use this alias as destination combined with "invert" checked in this rule. So that rule will only be applied on upstream traffic.

    Consider that you may need additional rules for allowing access to internal services like DNS in case you provide the pfSense IP as DNS server.

    If it doesn't work, post screenshots of your outbound NAT rules and the GUEST rules.

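The rule ordering and inverted RFC1918 destination described in the post above can be checked with a simplified first-match model. This is an added example, not part of the original post and not pfSense code; the rule names, the firewall address 10.55.55.1 and the client 10.55.55.20 are assumptions, and ports are ignored.

```python
import ipaddress

# RFC1918 private ranges, as the alias suggested in the post would contain.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GUEST_NET = ipaddress.ip_network("10.55.55.0/24")  # GUEST subnet from the thread

def rule_matches(rule, src, dst):
    """True if the packet matches the source and (optionally inverted) destination."""
    if src not in rule["src"]:
        return False
    if rule["dst"] is None:  # destination "any"
        return True
    hit = any(dst in net for net in rule["dst"])
    return not hit if rule["invert"] else hit

def evaluate(rules, src, dst):
    """Simplified top-down, first-match evaluation of an interface rule set.

    Returns (rule name, gateway); gateway None means the normal routing
    table (default WAN) is used. No match falls through to a default deny.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule_matches(rule, src, dst):
            return rule["name"], rule["gateway"]
    return "default deny", None

# Hypothetical rule names (assumptions for illustration).
POLICY = {"name": "guest-upstream-via-cellular", "src": GUEST_NET,
          "dst": RFC1918, "invert": True, "gateway": "CELLULAR"}
ALLOW_ANY = {"name": "guest-allow-any", "src": GUEST_NET,
             "dst": None, "invert": False, "gateway": None}
# Assumed firewall address on GUEST, used by clients as their DNS server.
ALLOW_DNS = {"name": "guest-to-firewall-dns", "src": GUEST_NET,
             "dst": [ipaddress.ip_network("10.55.55.1/32")],
             "invert": False, "gateway": None}

GOOD_ORDER = [POLICY, ALLOW_DNS]  # policy rule on top, plus internal DNS rule
BAD_ORDER = [ALLOW_ANY, POLICY]   # broader rule above shadows the policy rule

if __name__ == "__main__":
    for label, rules in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        for dst in ("8.8.8.8", "10.55.55.1"):  # constructed sample destinations
            print(label, dst, evaluate(rules, "10.55.55.20", dst))
```

With the broader rule on top, upstream traffic matches it first and leaves via the default gateway, which is the symptom a firewall log showing GUEST traffic on WAN would point to.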
      himanshus
      last edited by himanshus Sep 23, 2020, 10:47 PM Sep 23, 2020, 10:43 PM

      Thank you for your response.
      I have seriously done exactly like you mentioned in your post even before asking for help on the forum and it is not working. I have now posted the screenshots in my response. I even tried the invert rule and that did not work either. My suspicion is that for some weird reason, the traffic from GUEST subnet (10.55.55.0/24) just does not want to be routed through the CELLULAR gateway. I am really pulling my hair out on this one.

      PfSense2.png PfSense1.png
      PfSense4.png PfSense3.png

        viragomann @himanshus
        last edited by viragomann Sep 23, 2020, 11:02 PM Sep 23, 2020, 10:55 PM

        @himanshus
        Are you able to resolve public hostnames on the GUEST network?

        The rule on GUEST is obviously not applied. Check the firewall log to see which rule is applied.
        Do you have floating rules?

          himanshus
          last edited by Sep 23, 2020, 11:32 PM

          From the Guest network subnet, I am not able to ping any public IP or resolve any hostnames. There are no floating rules in the system. Where should I look in the logs to see which rule is applied? Thank you.

            viragomann
            last edited by Sep 23, 2020, 11:40 PM

            You have to enable logging in each unique firewall rule, then try to access some internet resources and check System > Log > Firewall.

              himanshus
              last edited by himanshus Sep 23, 2020, 11:53 PM Sep 23, 2020, 11:52 PM

              I was able to enable logging, and found out that the traffic from the GUEST network is being routed from the WAN interface, despite there being an outbound rule that specifically says traffic from GUEST should be routed via the CELLULAR interface.

              I am suspecting that this is a routing problem in pfSense. The CELLULAR interface on pfSense has a DHCP IP of 192.168.5.30 and a gateway IP of 192.168.5.1 assigned by the cellular modem, and pfSense may be assuming this is a local subnet and therefore there is no routing between the GUEST network (10.55.55.0/24) and 192.168.5.30.

              I am stuck there!

                viragomann @himanshus
                last edited by viragomann Sep 24, 2020, 12:03 AM Sep 24, 2020, 12:01 AM

                The routing is not done by outbound NAT rules, it should be done by the policy routing rules.

                That issue seems very strange. To investigate what happens, please take some packet captures in the pfSense Diagnostic menu.
                Ensure that the CELLULAR gateway is shown as up.
                Take a capture on the GUEST interface while you try to access a specific public site. You may filter for that destination.
                Then take a capture on CELLULAR and also on WAN and post all results, please.

                  himanshus
                  last edited by Sep 24, 2020, 12:17 AM

                  I tried to do a packet capture. Interestingly, there are absolutely NO packets being captured on the GUEST interface. I even tried to change the policy-based routing to route the traffic from the GUEST network through the default WAN, and then I do receive a successful ping response (using diagnostic, ping, source: GUEST), but even then there is no packet being captured on the GUEST interface.

                  I am able to capture packets on the WAN and CELLULAR interfaces, but simply no packets are being captured on the GUEST interface, no matter what I tried. This is pretty weird, I guess.

                    himanshus
                    last edited by himanshus Sep 24, 2020, 8:10 AM Sep 24, 2020, 7:31 AM

                    Hello viragomann,

                    After a reboot, I had to do a bunch of tests again, and I have finally verified that it is working now. It was definitely confusing but I am pretty confident that it is working now.

                    Thank you for all your help with this.

                      viragomann
                      last edited by Sep 24, 2020, 10:12 AM

                      Okay, that issue was going pretty weird already.

                      You can simply check your public IP by going to https://whatismyipaddress.com or something like that in the client's browser.
