I'm hitting a (fire?)wall
-
Hi,
So I have pfSense up and running with several local networks (LNx) but so far only one gateway (GW1).
Now I need to add a second gateway (GW2) for one of the local networks (LNy) only, i.e. the internet traffic from all the local networks should still go through GW1, except internet traffic from LNy, which should go through GW2.
GW2 sits on an OpenVPN (client) endpoint - not sure if that is important (I set up the VPN as per the provider's instructions and the VPN is shown as "up" and GW2 as "online". I deviated from the instructions in that I disabled "pull routes" because this would, as I understand it, set a route through GW2 for all internet traffic. But now there is no route sending traffic through GW2. And I also did not apply all those settings to protect my privacy, as this VPN is not about privacy but just about getting another public IP address).
I thought I would create a static route but it looks like I can only differentiate according to the destination of my traffic - whereas I need to differentiate according to its source.
Then I tried to set a firewall rule for the interface of LNy that would send all traffic originating on LNy through GW2 but when I do that, LNy is not able to reach the outside world anymore.
So something still seems to be missing. I tried adding a mapping under Outbound NAT for LNy sourced traffic with GW2 as the NAT address - long shot, maybe totally off mark...
But what am I missing???
Many thanks.
-
@sensewolf said in I'm hitting a (fire?)wall:
Then I tried to set a firewall rule for the interface of LNy that would send all traffic originating on LNy through GW2 but when I do that, LNy is not able to reach the outside world anymore.
That's the correct way of doing it.
However, this will only send packets coming from the specific interface to the gateway specified. The issue is that the receiving end (i.e. the remote VPN server) should be able to NAT and forward the packets arriving, which isn't always the case.
This can be done either by adjusting the inside NAT IPs allowed (with admin access at the VPN server)
or by NATing internal IPs to the one internal IP the VPN supplied.
-
So I got it working now. There were two things wrong:
I did have that Outbound NAT setting you suggested (it was part of the provider's instructions). But where the instructions said to use "192.168.1.1" I had put "192.168.1.0" (actually, I have a different subnet, but I had put a "0" instead of "1").
And I changed the firewall rule to direct the subnet's traffic through the gateway. Instead of choosing source "LNy", I had chosen source "VPN" - that one clearly was a main culprit.
Thanks for your help!!!
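What the two pfSense GUI settings discussed in this thread (the policy-routing firewall rule on LNy's interface and the Outbound NAT mapping on the VPN interface) boil down to at the pf level, written out as an added example rather than anything posted by the participants or generated by pfSense. The interface names, the LNy subnet, and the translation address are assumptions chosen for illustration; the provider's real values replace them.

```pf
# Assumed values (not from the thread): replace with your own.
lny_if   = "igb2"              # interface that LNy is attached to
lny_net  = "10.20.30.0/24"     # LNy's subnet (the SOURCE to match on)
gw2_if   = "ovpnc1"            # OpenVPN client interface that GW2 rides on
gw2_gw   = "10.8.0.1"          # GW2 next-hop inside the tunnel (assumed)
vpn_addr = "192.168.1.1"       # translation address from the provider's
                               # instructions: a HOST address, not the
                               # network address (".0") of the subnet

# --- Translation rules (pf requires these before filter rules) -----------
# Outbound NAT: packets from LNy leaving through the VPN interface get
# their source rewritten to the address the provider told you to use.
# Using "192.168.1.0" here (the mistake in the thread) translates to a
# network address the remote side cannot route back to, so replies are
# lost and LNy appears to have no internet access.
nat on $gw2_if inet from $lny_net to any -> $vpn_addr

# --- Filter rules ---------------------------------------------------------
# Policy route: only packets that ENTER on LNy's interface with a SOURCE in
# LNy's subnet are handed to GW2.  Matching on the VPN interface's subnet
# as the source (the other mistake in the thread) never fires for LNy hosts,
# so their traffic falls through to the default route via GW1 or is dropped.
pass in quick on $lny_if inet from $lny_net to any \
    route-to ($gw2_if $gw2_gw) keep state

# Every other local network keeps the default route (GW1): no route-to.
```

The rule order matters: `route-to` on an inbound rule decides the egress path per source interface and subnet, which is exactly the source-based differentiation a static route cannot express, and the `nat` rule on the egress interface ensures the remote VPN server sees a source address it is prepared to forward and answer.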