Dual LAN gateway "split tunnel" client?


  • I am trying to determine how to configure pfSense so that the LAN has 2 gateways in the same subnet. I was thinking of using a virtual IP for the second one. Depending on which gateway a LAN device/application uses, it will route to one of 2 VPN tunnels.
    Any suggestions on how to accomplish this?
    Is this even possible?
    Thanks.


  • This is what I've tried:

    VLANs
    em1 (lan) 10 VLAN for VPN to VPS routing

    Interfaces: VPS_VLAN VLAN 10 on em1 – lan (VLAN for VPN to VPS routing) > (Static IPv4) 192.168.2.1/30
    Added: IPv4 Upstream gateway: VPS_VLAN_GW - 192.168.2.1
    For Route results below.

    NAT: VPS_VLAN 192.168.0.0/22 * * * VPS_VLAN address

    Virtual IP (CARP) >> MAC [00:00:5e:00:01:01]
    192.168.0.8/32 (vhid: 1) LAN CARP LAN Virtual IP with unique MAC using CARP
    Ping >> Reply from 192.168.0.8: bytes=32 time=1ms TTL=64
    Arping.exe >> Reply from 192.168.0.8 [00:00:5e:00:01:01] 1.000ms index=1

    Virtual IP (IP Alias):
    192.168.2.1/32 VPS_VLAN IP Alias VLAN Virtual IP
    Ping >> Reply from 192.168.2.1: bytes=32 time=1ms TTL=64
    Arping.exe >> Arping index=1 : ARP request time out

    Gateway
    VPS_VLAN_GW VPS_VLAN 192.168.2.1 Internal VLAN gateway for access to VPS's VPN

    Gateway Static Route:
    192.168.0.8/32 VPS_VLAN_GW - 192.168.2.1 VPS_VLAN Gateway mapping to LAN address

    1:1 NAT: LAN(interface) 192.168.0.8(External IP) 192.168.2.1(Internal IP) *(Dest IP) Tie the two together (redundant?)

    Applicable Route table entries: (link#2 is the LAN, or em1)
    192.168.0.8 link#2 UHS 0 16384 lo0
    192.168.0.8/32 192.168.2.1 UGS 0 1500 em1

Since the gateway address is used by a LAN PC to perform an ARP who-has to get the MAC address for the Ethernet frame it sends to the gateway, I used a CARP VIP to create a new MAC so it would be different from the default LAN gateway MAC.
    Is this MAC not used by pfSense for this process?

    Also, are the 2 route entries in the wrong order for proper routing?
I set up a PC using a static IP and set its gateway to 192.168.0.8 and DNS to 192.168.0.1 (default gateway), yet no traffic ever appears on the VPS_VLAN. I added an early floating rule for VPS_VLAN to just log all traffic. No log entries were generated.

    Is there a way to get this working?
    What did I mess up?


  • Not really understanding what you try to achieve and what you're describing about your settings.

    @wtw said in Dual LAN gateway "split tunnel" client?:

    I am trying to determine how to configure pfSense so that the LAN has 2 gateways in the same subnet. I was thinking of using a virtual IP for the second one.

    Two gateways, both on pfSense? On the same interface?

The only useful sense of having multiple IPs on a single interface is for NAT purposes in pfSense.

    Depending on which gateway a LAN device/application uses, it will route to one of 2 VPN tunnels.

    Something like that can be done by policy routing.

    Maybe a drawing could shed some light.


  • @viragomann
    Some screen shots:

    The goal is to selectively route, based on specific Windows applications, that application's traffic to a different gateway other than the default gateway (application based split tunnel). I have code to alter the application's gateway connection to a different IP. So, preferably both gateways on the same LAN subnet would work, though Windows makes using a gateway on a different subnet relatively easy. There will be only one default gateway and only one gateway specified on the PC LAN interface. So, no problem there. Only the application will have its traffic re-routed.

    I failed to get a second subnet working on the LAN; 2 subnets on the same pfSense LAN interface. That may be an easier solution.

    Right now, anything on the LAN going to the default gateway goes through a VPN. That is working well. The second VPN is also working, but only if I create a device specific rule with policy routing. That makes everything on that device use the other VPN - not desired.

    There needs to be 2 separate access points that any device can use to route traffic through one VPN or the other. Each VPN has different remote servers.

    Does this clarify what I'm trying to achieve?
    Thanks for replying. Let me know if there is a better solution.


  • @wtw
It won't work that way. You've added a virtual IP on pfSense and try to route this with a static route. But the network you state in the static route is the destination network of packets, not the interface IP.

You may go with policy routing if you can differentiate the traffic based on one of these characteristics:

    • protocol
    • source IP
    • source port
    • destination IP
    • destination port

So possibly it's an option to assign a second IP to the Windows PC and let the specific application use this one as source.

    If that is not possible for your purpose, it should be doable if you assign two VLANs on the Windows computer and pfSense, so you have two different interfaces and gateways on the router and can direct the specific application traffic to the other gateway.
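The point made above about the static route's network field being a destination, as an added example that is not from the thread: a small Python model of pfSense's destination-based route lookup built from the poster's two route entries (the default VPN gateway, interface names and the sample PC addresses are assumed placeholders). It shows that the gateway address a PC ARPs for has no effect on forwarding, while a policy-routing rule keyed on source IP does.

```python
import ipaddress

# Constructed routing table modelled on the poster's entries; the default
# route into the first VPN and the VLAN interface name are assumed placeholders.
ROUTES = [
    ("0.0.0.0/0",      "VPN1_GW",     "ovpnc1"),  # assumed default route (VPN 1)
    ("192.168.0.0/22", "link#2",      "em1"),     # connected LAN
    ("192.168.0.8/32", "192.168.2.1", "em1"),     # the poster's static route
    ("192.168.2.0/30", "link#2",      "em1.10"),  # VPS_VLAN (assumed ifname)
]


def lookup(dst):
    """Longest-prefix match on the destination address only, as a router does."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, ifname in ROUTES:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw, ifname)
    return (best[1], best[2]) if best else None


def forward(src, gateway_arped, dst, policy=()):
    """Model a LAN PC that ARPs for `gateway_arped`, frames the packet to that
    MAC and hands it to pfSense. The VIP the PC addressed is consumed at layer 2;
    egress is chosen from policy rules (source network -> gateway) first, then
    from `dst` alone via the route table."""
    for net, gw, ifname in policy:
        if ipaddress.ip_address(src) in ipaddress.ip_network(net):
            return (gw, ifname)
    return lookup(dst)


if __name__ == "__main__":
    # Constructed sample: PC 192.168.0.50 uses the CARP VIP as its gateway.
    print(forward("192.168.0.50", "192.168.0.8", "8.8.8.8"))   # still VPN 1
    # Only packets *destined* to 192.168.0.8 ever match the static route.
    print(lookup("192.168.0.8"))
    # A second source IP on the PC plus a policy rule does steer traffic.
    rule = [("192.168.0.51/32", "VPS_VLAN_GW", "em1.10")]
    print(forward("192.168.0.51", "192.168.0.1", "8.8.8.8", policy=rule))
```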


  • @viragomann Thanks for the reply
    Unfortunately, policy routing is not an option since this needs to work like a proxy, but without the limitations; so any protocol, source IP, port, or destination IP.

    What I am trying to create is:
    192.168.0.8 as a gateway on the pfSense LAN, but it needs its own MAC for it to behave like a gateway. The default LAN gateway is 192.168.0.1 and has the pfSense LAN MAC address, as do all IP aliases, though not CARP.
    I am not familiar with CARP and if this is an appropriate use for it.
    The VLAN creates an interface, which needed to be NATed to 192.168.0.8 to pass the traffic.
    I can then use policy routing to transfer the VLAN to the VPN tunnel.
    I do not understand the problem with the static route. The "Network" is labeled destination network on the config page. The "Gateway" is the interface (VLAN) gateway it needs to route to. Isn't that how it is supposed to work?
    I don't know if the 1:1 NAT is appropriate.
    Not being a networking expert, I am not sure about some of these steps.


  • @viragomann
It appears that my strategy does contain a fatal flaw. I need to use a virtual NIC, not a VLAN, to create a second gateway on a separate subnet?
    And bridge the two LANs so devices can access each other's devices, including gateways?
    One LAN would have DHCP, the other static only, since it really has no devices, just the gateway.
    Is this an appropriate strategy to create 2 LAN side gateways?


  • @viragomann
I believe I found what I'm looking for. I have pfSense running in KVM under Ubuntu. I am going to use Libvirt to create 2 MacVTaps, instead of using a brctl bridge for the LAN connection. This should also be a faster connection than the Linux bridge, according to some web articles.
    This is not a pfSense config issue, so may not be appropriate for this forum.