Netgate Discussion Forum
    Directing outbound traffic

    Routing and Multi WAN
    32 Posts 3 Posters 2.7k Views

    pfsense1921

      I have pfSense running on an M400. I have 3 WANs and 3 LANs.

      I have 3 static IPs coming into the M400, and I have 3 LANs attached to the M400.

      Call them WAN0, WAN1, WAN2 and LAN0, LAN1, LAN2.

      I can direct the incoming traffic on the M400 to a specific LAN through port forwarding.

      How do I make traffic from one LAN be outbound on a specific IP address?

      For example, how do I configure pfsense so all LAN1 outbound traffic goes out WAN1?

      Thanks!

    mcury Rebel Alliance @pfsense1921

        Edit the firewall rule that allows the internet access for LAN1, click in Display Advanced, then select the gateway you want.

        Doing that will disrupt traffic from LAN1 to the other LANs.

        To allow LAN1 to reach LAN2, for instance, you would need to create a firewall rule allowing that connection, and put this rule above the rule created with the gateway set, in this example WAN1.

        https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html

        dead on arrival, nowhere to be found.

    pfsense1921 @mcury

          @mcury

          Perfecto!! Thank you. Things are so easy when you have done them once!

    mcury Rebel Alliance @pfsense1921

            @pfsense1921 You are welcome.

            Just remember that the only rule with a gateway set will be for the Internet access.
            Other rules for internal connectivity between LANs, leave the gateway default.

    pfsense1921 @mcury

              @mcury
              I just ran a little test. LAN1 and LAN2: when I open a browser on those PCs and go to whatismyip, it shows WAN0 for both. Any ideas?

    mcury Rebel Alliance @pfsense1921

                @pfsense1921 If you created the rules correctly, it should be working..
                It may be necessary to clear the states for that to work.. Go to Diagnostics / States / States, enter the client IP in the field, filter then kill states... After that try again.

                If that doesn't work, post your firewall rules.

    pfsense1921 @mcury

                  @mcury

                  Thank you. I cleared the states, same issue.

                  I don't think this is a pfSense problem, I think it is AT&T.

                  I have a business fiber ISP with 5 static IPs, and I am using 3 of those. In pfSense they show the IP address they should be. I even disconnected WAN0, cleared tables and never reconnected WAN0, but my LAN1 and LAN2 always show my public IP address as WAN0. Weird.

                  Any ideas how to explain this to the AT&T techs?

    mcury Rebel Alliance @pfsense1921

                    @pfsense1921 hm, I thought those were 3 different ISPs.. So you have a /29 on your WAN, and pfSense is getting 3 IPs from the same subnet on WAN0, WAN1 and WAN2?

                    Check if this can help you:
                    https://docs.netgate.com/pfsense/en/latest/firewall/additional-ip-addresses.html

                    If this can't help you, unfortunately we will have to wait for someone else to help you because I don't have experience with AT&T..

    pfsense1921 @mcury

                      @mcury

                      I think I found my problem.

                      DEFAULT.GTWY.JPG

    pfsense1921 @pfsense1921

                        @pfsense1921
                        Setting the default gateway to none did not fix it, not 100%. It improved some things, but not all.

                        If I connect a PC directly to the AT&T ports where WAN1 and WAN2 are connected, then when I check "whatismyip" from that PC, it comes back with the IP address for WAN1 or WAN2 as we expect.

                        When I connect the M400 with pfSense to those WANs as previously described, PCs on those LANs checking whatismyip still show the WAN0 IP.

                        I am sure this is a simple setting I am missing. I can post all the settings if someone is interested. Thanks

    viragomann @pfsense1921

                          @pfsense1921
                          So are all your WANs using the same common gateway?
                          If so, policy routing won't work, because it's based on the gateway.

                          You need to configure the outbound NAT to translate the source address in outgoing packets as desired.

                          If your outbound NAT is working in automatic mode, switch to hybrid mode first and save that. Then add a new rule to the top:
                          interface: outgoing WAN
                          protocol: any
                          source: LAN1 net
                          dest: any
                          translation address: select the WAN1 address from the drop-down
                          This requires that WAN1 is already assigned to the interface. If not, you can select "other" and enter the IP below with a /32 mask.

    pfsense1921 @viragomann

                            @viragomann
                            That option for the source was not available. Also, when I choose Hybrid with auto it made rules to allow everything everywhere so I made it all manual. I got more to work, but still have one strange issue. I am temporarily going to post all my details. (There is nothing on these networks yet, but don't think I am sharing any security details.)

                            So, from the diagram linked to below, LAN_Email <--> WAN10: I can ping everywhere, ping www.google.com succeeds. But I can not browse anywhere from any PC. (I can move that PC to LAN_office and LAN_web and everything works.)

                            To me this says I have some setting wrong in pfsense. The link below has many screenshots of my pfsense config. I am sure I am missing something simple. I have reset states and rebooted several times. Thanks for your help, I just can not find the issue.

                            http://salesleads.live/zup/network.pdf

    viragomann @pfsense1921

                              @pfsense1921
                              The outbound NAT rules don't allow anything, they only do S-NAT (masquerading) on traffic that is allowed by your firewall rules.

                              When you run it in hybrid mode, you can add custom rules while you keep the automatic rules. Custom rules which match the same traffic override the automatically generated ones.

                              From the diagram linked to below

                              Maybe you want to hide your WAN IPs.

                              LAN_Email <--> WAN10 I can ping everywhere, ping www.google.com success. But I can not browse anywhere from any pc. (I can move that PC to LAN_office and LAN_web and everything works. )

                              You need to allow DNS access for these devices. The rules on the interface only allow HTTP and HTTPS.

                              You also have to obey this when you add a policy routing rule to allow any, but your devices are configured to use pfSense or any other internal DNS. @mcury mentioned this already above.

                              I set up a floating rule to achieve this with a single rule on all interfaces.

    pfsense1921 @viragomann

                                @viragomann
                                Thank You (Plan to remove the file soon)

                                I will add the DNS now; the other LANs work without the DNS listed.

                                LAN_Office <--> WAN9 works no DNS listed
                                LAN_Web <--> WAN11 works no DNS listed

                                LAN_Email <--> WAN10 Not working no DNS listed.

                                Added DNS
                                LAN_Email <--> WAN10 Not working with DNS listed.
                                Here was how I added DNS:
                                2022-01-20_17-59.png

    mcury Rebel Alliance @pfsense1921

                                  @pfsense1921 said in Directing outbound traffic:

                                  @viragomann
                                  Thank You (Plan to remove the file soon)

                                  I will add the DNS now, the other LANs work without the DNS listed

                                  LAN_Office <--> WAN9 works no DNS listed
                                  LAN_Web <--> WAN11 works no DNS listed

                                  LAN_Email <--> WAN10 Not working no DNS listed.

                                  Added DNS
                                  LAN_Email <--> WAN10 Not working with DNS listed.
                                  Here was how I added DNS:
                                  2022-01-20_17-59.png

                                  DNS/53 should be TCP/UDP. 99.99% of the time it will use UDP, but sometimes it can use TCP.

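Pulling the advice in this thread together, here is an added pf.conf-style fragment for the LAN1 case (written for this thread, not pfSense's own generated ruleset; interface names, addresses and the firewall's LAN1 address are constructed sample values): it shows the hybrid outbound NAT rule viragomann describes, a DNS rule on both TCP and UDP 53 as mcury notes, and the inter-LAN rule placed above the policy-routed rule as mcury described in the first reply.

```pf
# Hand-written pf.conf fragment (assumed interface names and constructed
# addresses); pfSense's GUI generates its own ruleset, this only
# illustrates the ordering the thread recommends.
wan1     = "igb1"
wan1_ip  = "203.0.113.11"      # constructed static IP for WAN1
wan1_gw  = "203.0.113.1"       # constructed gateway for WAN1
lan1     = "igb4"
lan1_net = "192.168.1.0/24"
lan2_net = "192.168.2.0/24"
lan1_fw  = "192.168.1.1"       # pfSense's own LAN1 address (the DNS resolver)

# Translation rules come before filter rules in pf.  This is the manual
# "hybrid" outbound NAT rule: LAN1 net leaving WAN1 uses the WAN1 address.
# It only rewrites the source address; it does not permit any traffic.
nat on $wan1 inet from $lan1_net to any -> $wan1_ip

# Filter rules are first-match because of "quick", so order matters.

# 1. DNS to the firewall itself, TCP and UDP, with the default gateway
#    (no route-to), so it stays inside and is not sent out WAN1.
pass in quick on $lan1 inet proto { tcp udp } from $lan1_net to $lan1_fw port 53 keep state

# 2. Inter-LAN traffic, also with the default gateway, ABOVE the
#    policy-route rule so LAN1 can still reach LAN2.
pass in quick on $lan1 inet from $lan1_net to $lan2_net keep state

# 3. Everything else from LAN1 is policy-routed out WAN1.  If this rule
#    were first, rules 1 and 2 would never match and DNS and LAN1->LAN2
#    traffic would be pushed to the WAN1 gateway instead.
pass in quick on $lan1 route-to ($wan1 $wan1_gw) inet from $lan1_net to any keep state
```

If the firewall rule for LAN1 only allows HTTP and HTTPS, rule 1 is the one that is missing: ping and name lookups that reach another resolver may still work while browsing fails.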
    pfsense1921 @pfsense1921

                                    @pfsense1921
                                    The LAN_Office and LAN_Web can ping everywhere and browse the internet.

                                    The LAN_Email can ping everywhere but not browse the internet.

                                    Also disabled the offloading:
                                    2022-01-20_18-06.png

    pfsense1921 @mcury

                                      @mcury
                                      Thanks. Made the change, still did not work. Here is how it is now:
                                      2022-01-20_18-20.png 2022-01-20_18-21.png

    mcury Rebel Alliance @pfsense1921

                                        Open an MS-DOS prompt on a machine in the LAN_Email network.
                                        Type nslookup and press enter, then google.com and press enter, and confirm whether DNS is working.

    pfsense1921 @mcury

                                          @mcury
                                          It looks like it works. (Does "ping www.google.com" provide a similar test of DNS?)
                                          Screenshot from 2022-01-20 20-46-30.png

                                          I can move the PC from lan_email to either lan_web or lan_office and browsing works.
                                          And vice versa, no browsing on lan_email. I feel like deleting everything and starting over which would probably be faster, but now I want to learn what the problem is.

                                          Thanks for the help.

    pfsense1921 @pfsense1921

                                            @pfsense1921

                                            Very odd, this is. I cannot pinpoint where the problem is.

                                            IF I only connect one WAN to pfSense, the corresponding LAN works.
                                            I can do this with any WAN; all three LANs work, but only one at a time.
                                            (Tested with all 3 static IPs, and moved them around.)

                                            IF I connect two WANs, the two corresponding LANs work perfectly.
                                            Again, I can do this with any combo of two WANs.

                                            Everything seems to be working properly. IF your corresponding WAN is not connected, you can not ping outside your LAN.

                                            Now, when I connect the third LAN everything goes to crap. I lose one LAN and sometimes two LANs.

                                            How would I prove/find whether the problem is with pfSense OR AT&T? I have 5 public static IP addresses and am only using 3. Those tests can prove that both systems are working; neither can prove which one is having the problem. Something is crapping out when all 3 LANs are connected.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.