Netgate Discussion Forum

    only allow access to Internet via single gateway

    Routing and Multi WAN
    8 Posts 3 Posters 815 Views
      coreybrett

      I am attempting to only allow access to the Internet via a single WAN connection.

      I have the default gateway set to use a group with two circuits to ensure that the firewall itself always has a connection.

      c4.png

      I created an "RFC1918" alias that should represent internal traffic.

      c2.png

      I have a Gateway group that only has my primary circuit in it.

      c3.png

      And a rule that should (in my mind) match any Internet bound traffic and force it to go over said gateway.

      c1.png

      Unfortunately, this doesn't seem to work, and a number of devices on the internal network are able to make outbound connections over the backup circuit.

      What am I missing? Is there a better way to do this?

        SteveITS @coreybrett

        @coreybrett I think you're missing the block rule:
        https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html#enforcing-gateway-use

        "LAN to any" will also pick up traffic from LAN to other interfaces or pfSense itself.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

          coreybrett
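As an added illustration, not code from this thread or from pfSense, here is a small first-match rule evaluator modelling the rule set described above: the RFC1918 alias, a pass rule to !RFC1918 with the single-member gateway group, the default LAN-to-any rule, and the block rule from the linked doc. It assumes, following that doc, that a pass rule whose gateway is down is loaded without its gateway unless "Skip rules when gateway is down" is enabled, and the addresses and gateway names are constructed.

```python
import ipaddress

# Constructed model of the thread's rule set, not pfSense code. It is a
# first-match evaluator that shows (1) why a "LAN to any" rule with a gateway
# also policy-routes inter-LAN traffic, and (2) why the policy rule alone lets
# Internet-bound traffic fall back to the system default route (the two-circuit
# group, i.e. the backup circuit) when the primary is down. Assumption taken
# from the linked doc: a pass rule whose gateway is down is loaded without its
# gateway unless "Skip rules when gateway is down" is enabled.

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(dst):
    ip = ipaddress.ip_address(dst)
    return any(ip in net for net in RFC1918)

def matches(rule, dst):
    want = rule["dst"]  # "any", "RFC1918" or "!RFC1918" (the alias, inverted)
    if want == "any":
        return True
    return is_rfc1918(dst) == (want == "RFC1918")

def evaluate(rules, dst, gw_up, skip_when_down=False):
    """Return ("pass", gateway) or ("block", None) for the first matching rule.
    gateway None means the system routing table (the default gateway group)."""
    for rule in rules:
        if not matches(rule, dst):
            continue
        if rule["action"] == "block":
            return ("block", None)
        gw = rule.get("gateway")
        if gw is not None and not gw_up.get(gw, False):
            if skip_when_down:
                continue  # rule omitted entirely, evaluation moves on
            gw = None     # rule loaded without its gateway: default route
        return ("pass", gw)
    return ("block", None)  # implicit default deny

# Rule sets as described in the thread; PRIMARY_ONLY is the single-member group.
LAN_TO_ANY = [{"action": "pass", "dst": "any", "gateway": "PRIMARY_ONLY"}]
ORIGINAL = [{"action": "pass", "dst": "!RFC1918", "gateway": "PRIMARY_ONLY"},
            {"action": "pass", "dst": "any"}]        # default LAN-to-any rule
ENFORCED = [ORIGINAL[0],
            {"action": "block", "dst": "!RFC1918"},  # block rule from the doc
            ORIGINAL[1]]
```

In this model the block rule only takes effect together with the skip option; with the primary down and that option off, the pass rule still matches and traffic follows the default route.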

          Wow, not sure how I missed that in the docs. Thanks!

            ahsunh @coreybrett

            @coreybrett disable your last rule which gateway any any

            or coaxonly do not use rfc1918 traffic use any any

              coreybrett @ahsunh

              I'm using the RFC1918 alias to block Internet traffic, without blocking traffic for other LAN networks.

                ahsunh @coreybrett

                @coreybrett so on last rule set your specific gateway route

                thanks

                  ahsunh @coreybrett

                  @coreybrett RFC is mostly used on the WAN side, not on the LAN side, due to some issues like syslog or other reporting gateway on LAN.

                  thanks

                    coreybrett @ahsunh

                    @ahsunh said in only allow access to Internet via single gateway:

                    @coreybrett so on last rule set your specific gateway route

                    thanks

                    I've tried that in the past, but it breaks inter-LAN traffic. Using the suggested fix from SteveITS seems to have done the trick for me.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.