
How to force a client to only have access to WAN1?

    m0j0
    last edited by Apr 19, 2024, 5:43 AM

    Thank you for reading my post. I'm not sure what I am doing wrong. I have a multi-WAN setup on a freshly installed pfSense 2.7.2. Both WAN1 and WAN2 are PPPoE connections. I have an alias called "maxis__only" which contains the clients that I would like to be able to use only WAN1 (Maxis). However, when I disconnect the Maxis WAN under Interfaces, the clients in "maxis__only" still have internet, and when I check ipinfo it shows that they have indeed failed over to WAN2. Here are pictures of my setup:
    2024-04-19_131715.jpg
    .
    2024-04-19_131728.jpg
    .
    2024-04-19_133038.jpg
    .
    Here is /tmp/rules.debug before disconnecting WAN1:

    set hostid 0x07eb9aa0
    set limit table-entries 400000
    set optimization normal
    set limit states 6514000
    set limit src-nodes 6514000
    
    #System aliases
      
    loopback = "{ lo0 }"
    # NOTE(review): no WAN / WAN__NETWORK (pppoe0) macro exists in this listing; only LAN
    # and WAN2 are defined, i.e. this ruleset was generated while the WAN1 interface was
    # down (the OP's follow-up confirms the two listings were labelled the wrong way round).
    LAN = "{ em2 }"
    table <LAN__NETWORK> persist { 192.168.1.0/24 }
    LAN__NETWORK = "<LAN__NETWORK>"
    WAN2 = "{ pppoe1 }"
    table <OPT1__NETWORK> persist { 175.###.#.##/32 }
    OPT1__NETWORK = "<OPT1__NETWORK>"
    
    #SSH Lockout Table
    table <sshguard> persist
    #Snort tables
    table <snort2c>
    table <virusprot>
    table <bogons> persist file "/etc/bogons"
    
    # User Aliases 
    # Hosts that should only ever leave via WAN1; referenced by the $maxis__only user rules below.
    table <maxis__only> {   192.168.1.49  192.168.1.52  192.168.1.107 } 
    maxis__only = "<maxis__only>"
    table <tmnet__only> {   192.168.1.48  192.168.1.53 } 
    tmnet__only = "<tmnet__only>"
     
    # Gateways
    # NOTE(review): the WAN1 gateway macro is EMPTY here (the gateway is down), so any rule
    # that uses $GWWAN_PPPOE is emitted with no route-to at all rather than being dropped.
    # Both gateway groups (T1M2 and M1T2) also collapse to the same single member, pppoe1.
    GWWAN_PPPOE = "  "
    GWWAN2_PPPOE = " route-to ( pppoe1 175.###.#.### ) "
    GWT1M2 = "  route-to { ( pppoe1 175.###.#.### )  }  "
    GWM1T2 = "  route-to { ( pppoe1 175.###.#.### )  }  "
    
     
    set loginterface em2
    
    set skip on pfsync0
    set keepcounters
    
    scrub from any to <vpn_networks>   fragment no reassemble
    scrub from <vpn_networks> to any   fragment no reassemble
    scrub on $LAN inet all    fragment reassemble
    scrub on $LAN inet6 all    fragment reassemble
    scrub on $WAN2 inet all    fragment reassemble
    scrub on $WAN2 inet6 all    fragment reassemble
    
    
    no nat proto carp
    no rdr proto carp
    nat-anchor "natearly/*"
    nat-anchor "natrules/*"
    
    
    # Outbound NAT rules (automatic)
    
    # Subnets to NAT 
    # Only WAN2 outbound NAT is generated in this listing (no pppoe0 interface present).
    tonatsubnets	= "{ 127.0.0.0/8 ::1/128 192.168.1.0/24 }"
    nat on $WAN2 inet from $tonatsubnets to any port 500 -> 175.###.#.##/32  static-port
    nat on $WAN2 inet6 from $tonatsubnets to any port 500 -> (pppoe1)  static-port
    nat on $WAN2 inet from $tonatsubnets to any -> 175.###.#.##/32 port 1024:65535 
    nat on $WAN2 inet6 from $tonatsubnets to any -> (pppoe1) port 1024:65535 
    # TFTP proxy
    rdr-anchor "tftp-proxy/*"
    # NAT Inbound Redirects
    # Inbound port forwards on pppoe1 (WAN2) only. Note 192.168.1.107 (port 6885) is a
    # member of <maxis__only>; its replies for these forwards are pinned to pppoe1 by the
    # matching reply-to pass rules further down, independent of the WAN1-only policy.
    rdr on pppoe1 inet proto tcp from any to 175.###.#.## port 80 -> 192.168.1.48
    rdr on pppoe1 inet proto tcp from any to 175.###.#.## port 443 -> 192.168.1.48
    rdr on pppoe1 inet proto { tcp udp } from any to 175.###.#.## port 6885 -> 192.168.1.107
    rdr on pppoe1 inet proto { tcp udp } from any to 175.###.#.## port 6886 -> 192.168.1.51
    rdr on pppoe1 inet proto { tcp udp } from any to 175.###.#.## port 6888 -> 192.168.1.57
    
    anchor "openvpn/*"
    anchor "ipsec/*"
    # Allow IPv6 on loopback
    pass in  quick on $loopback inet6 all ridentifier 1000000001 label "pass IPv6 loopback"
    pass out  quick on $loopback inet6 all ridentifier 1000000002 label "pass IPv6 loopback"
    # Block all IPv6
    block in log quick inet6 all ridentifier 1000000003 label "Block all IPv6"
    block out log quick inet6 all ridentifier 1000000004 label "Block all IPv6"
    # block IPv4 link-local. Per RFC 3927, link local "MUST NOT" be forwarded by a routing device,
    # and clients "MUST NOT" send such packets to a router. FreeBSD won't route 169.254./16, but
    # route-to can override that, causing problems such as in redmine #2073
    block in log quick from 169.254.0.0/16 to any ridentifier 1000000101 label "Block IPv4 link-local"
    block in log quick from any to 169.254.0.0/16 ridentifier 1000000102 label "Block IPv4 link-local"
    #---------------------------------------------------------------------------
    # default deny rules
    #---------------------------------------------------------------------------
    # Not "quick": these are the last-match fallback for anything no later rule passes.
    block in log inet all ridentifier 1000000103 label "Default deny rule IPv4"
    block out log inet all ridentifier 1000000104 label "Default deny rule IPv4"
    block in log inet6 all ridentifier 1000000105 label "Default deny rule IPv6"
    block out log inet6 all ridentifier 1000000106 label "Default deny rule IPv6"
    # We use the mighty pf, we cannot be fooled.
    block log quick inet proto { tcp, udp } from any port = 0 to any ridentifier 1000000107 label "Block traffic from port 0"
    block log quick inet proto { tcp, udp } from any to any port = 0 ridentifier 1000000108 label "Block traffic to port 0"
    
    # Snort package
    block log quick from <snort2c> to any ridentifier 1000000109 label "Block snort2c hosts"
    block log quick from any to <snort2c> ridentifier 1000000110 label "Block snort2c hosts"
    
    # SSH lockout
    block in log quick proto tcp from <sshguard> to (self) port 22 ridentifier 1000000301 label "sshguard"
    
    # webConfigurator lockout
    block in log quick proto tcp from <sshguard> to (self) port 443 ridentifier 1000000351 label "GUI Lockout"
    block in log quick from <virusprot> to any ridentifier 1000000400 label "virusprot overload table"
    antispoof log for $LAN ridentifier 1000001470
    # allow access to DHCP server on LAN
    pass in  quick on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 ridentifier 1000001491 label "allow access to DHCP server"
    pass in  quick on $LAN proto udp from any port = 68 to 192.168.1.1 port = 67 ridentifier 1000001492 label "allow access to DHCP server"
    pass out  quick on $LAN proto udp from 192.168.1.1 port = 67 to any port = 68 ridentifier 1000001493 label "allow access to DHCP server"
    # allow access to DHCPv6 server on LAN
    pass  quick on $LAN inet6 proto udp from fe80::/10 to fe80::/10 port = 546 ridentifier 1000001501 label "allow access to DHCPv6 server"
    pass  quick on $LAN inet6 proto udp from fe80::/10 to ff02::/16 port = 546 ridentifier 1000001502 label "allow access to DHCPv6 server"
    pass  quick on $LAN inet6 proto udp from fe80::/10 to ff02::/16 port = 547 ridentifier 1000001503 label "allow access to DHCPv6 server"
    pass  quick on $LAN inet6 proto udp from ff02::/16 to fe80::/10 port = 547 ridentifier 1000001504 label "allow access to DHCPv6 server"
    # block bogon networks (IPv4)
    # https://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt
    # Bogon / private-source filtering exists for WAN2 only here; the WAN1 equivalents are
    # absent along with the interface itself.
    block in log quick on $WAN2 from <bogons> to any ridentifier 11001 label "block bogon IPv4 networks from WAN2"
    antispoof log for $WAN2 ridentifier 1000002520
    # block anything from private networks on interfaces with the option set
    block in log quick on $WAN2 from 10.0.0.0/8 to any ridentifier 12001 label "Block private networks from WAN2 block 10/8"
    block in log quick on $WAN2 from 127.0.0.0/8 to any ridentifier 12002 label "Block private networks from WAN2 block 127/8"
    block in log quick on $WAN2 from 172.16.0.0/12 to any ridentifier 12003 label "Block private networks from WAN2 block 172.16/12"
    block in log quick on $WAN2 from 192.168.0.0/16 to any ridentifier 12004 label "Block private networks from WAN2 block 192.168/16"
    block in log quick on $WAN2 from fc00::/7 to any ridentifier 12005 label "Block ULA networks from WAN2 block fc00::/7"
    
    # loopback
    pass in  on $loopback inet all ridentifier 1000002561 label "pass IPv4 loopback"
    pass out  on $loopback inet all ridentifier 1000002562 label "pass IPv4 loopback"
    # let out anything from the firewall host itself and decrypted IPsec traffic
    pass out  inet all keep state allow-opts ridentifier 1000002563 label "let out anything IPv4 from firewall host itself"
    
    pass out  route-to ( pppoe1 175.###.#.### ) from 175.###.#.## to !175.###.#.##/32 ridentifier 1000002661 keep state allow-opts label "let out anything from firewall host itself"
    # make sure the user cannot lock himself out of the webConfigurator or SSH
    # Anti-lockout: any LAN (em2) source may reach the firewall's own 443/80/22.
    pass in  quick on em2 proto tcp from any to (em2) port { 443 80 22 } ridentifier 10001 keep state label "anti-lockout rule"
    
    # User-defined rules follow
    
    anchor "userrules/*"
    # NOTE(review): pfSense skipped the five WAN (pppoe0) port-forward pass rules because the
    # "wan" interface does not exist in this listing; compare the second listing, where they
    # are generated.
    # array key "wan" does not exist for "NAT caddy-tmnet" in array: {LAN WAN2 } label "USER_RULE: NAT caddy-tmnet"
    # array key "wan" does not exist for "NAT caddy-tmnet" in array: {LAN WAN2 } label "USER_RULE: NAT caddy-tmnet"
    # array key "wan" does not exist for "NAT p2p-shark" in array: {LAN WAN2 } label "USER_RULE: NAT p2p-shark"
    # array key "wan" does not exist for "NAT p2p-qbit" in array: {LAN WAN2 } label "USER_RULE: NAT p2p-qbit"
    # array key "wan" does not exist for "NAT p2p-deluge" in array: {LAN WAN2 } label "USER_RULE: NAT p2p-deluge"
    # NOTE(review): this is the root cause of the fail-over the OP observed. $GWWAN_PPPOE is
    # empty (see Gateways), so the rule is emitted as a plain
    #   pass in quick on $LAN inet from $maxis__only to any keep state
    # with no route-to. It is "quick", so every maxis__only packet matches here first and is
    # forwarded via whatever the system default route is (not visible in this file; the OP's
    # ipinfo check shows it resolves to WAN2). The block rules below therefore never see it.
    # The thread's resolution, "Do not create rules when gateway is down", makes pfSense omit
    # this pass rule entirely when WAN1's gateway is down, so the blocks below take effect.
    pass  in  quick  on $LAN  $GWWAN_PPPOE inet from $maxis__only to any ridentifier 1713412204 keep state label "USER_RULE" label "id:1713412204" label "gw:WAN_PPPOE"
    # NOTE(review): four identical block rules (only the ridentifier / id labels differ); the
    # last three are redundant, and in this listing all four are unreachable because the
    # quick pass rule above already matches the same traffic.
    block  in  quick  on $LAN inet from $maxis__only to any ridentifier 1713412230 label "USER_RULE" label "id:1713412230"
    block  in  quick  on $LAN inet from $maxis__only to any ridentifier 1713413345 label "USER_RULE" label "id:1713413345"
    block  in  quick  on $LAN inet from $maxis__only to any ridentifier 1713413351 label "USER_RULE" label "id:1713413351"
    block  in  quick  on $LAN inet from $maxis__only to any ridentifier 1713413361 label "USER_RULE" label "id:1713413361"
    # NOTE(review): with both gateway-group macros expanding to route-to pppoe1 here, these
    # two rules are equivalent, and the second is shadowed by the first ("quick", same match).
    pass  in  quick  on $LAN  $GWT1M2 inet from $LAN__NETWORK to any ridentifier 0100000101 keep state label "USER_RULE: Default allow LAN to any rule" label "id:0100000101" label "gw:T1M2"
    pass  in  quick  on $LAN  $GWM1T2 inet from $LAN__NETWORK to any ridentifier 1713412279 keep state label "USER_RULE: Default allow LAN to any rule" label "id:1713412279" label "gw:M1T2"
    # Pass rules for the pppoe1 port forwards above; reply-to pins return traffic to pppoe1.
    pass  in  quick  on $WAN2 reply-to ( pppoe1 175.###.#.### ) inet proto tcp  from any to 192.168.1.48 port 80 ridentifier 1713411551 flags S/SA keep state label "USER_RULE: NAT caddy-tmnet" label "id:1713411551"
    pass  in  quick  on $WAN2 reply-to ( pppoe1 175.###.#.### ) inet proto tcp  from any to 192.168.1.48 port 443 ridentifier 1713411563 flags S/SA keep state label "USER_RULE: NAT caddy-tmnet" label "id:1713411563"
    pass  in  quick  on $WAN2 reply-to ( pppoe1 175.###.#.### ) inet proto { tcp udp }  from any to 192.168.1.107 port 6885 ridentifier 1713411657 keep state label "USER_RULE: NAT p2p-shark" label "id:1713411657"
    pass  in  quick  on $WAN2 reply-to ( pppoe1 175.###.#.### ) inet proto { tcp udp }  from any to 192.168.1.51 port 6886 ridentifier 1713411700 keep state label "USER_RULE: NAT p2p-qbit" label "id:1713411700"
    pass  in  quick  on $WAN2 reply-to ( pppoe1 175.###.#.### ) inet proto { tcp udp }  from any to 192.168.1.57 port 6888 ridentifier 1713411769 keep state label "USER_RULE: NAT p2p-deluge" label "id:1713411769"
    
    # VPN Rules
    
    anchor "tftp-proxy/*"
    

    And here it is again after disconnecting WAN1:

    set hostid 0x07eb9aa0
    set limit table-entries 400000
    set optimization normal
    set limit states 6514000
    set limit src-nodes 6514000
    
    #System aliases
      
    loopback = "{ lo0 }"
    # NOTE(review): WAN (pppoe0) is present in this listing, so this ruleset was generated
    # with both WAN links up (the OP's follow-up confirms the listings were labelled the
    # wrong way round).
    WAN = "{ pppoe0 }"
    table <WAN__NETWORK> persist { 121.###.###.##/32 }
    WAN__NETWORK = "<WAN__NETWORK>"
    LAN = "{ em2 }"
    table <LAN__NETWORK> persist { 192.168.1.0/24 }
    LAN__NETWORK = "<LAN__NETWORK>"
    WAN2 = "{ pppoe1 }"
    table <OPT1__NETWORK> persist { 175.###.#.##/32 }
    OPT1__NETWORK = "<OPT1__NETWORK>"
    
    #SSH Lockout Table
    table <sshguard> persist
    #Snort tables
    table <snort2c>
    table <virusprot>
    table <bogons> persist file "/etc/bogons"
    
    # User Aliases 
    # Hosts that should only ever leave via WAN1; referenced by the $maxis__only user rules below.
    table <maxis__only> {   192.168.1.49  192.168.1.52  192.168.1.107 } 
    maxis__only = "<maxis__only>"
    table <tmnet__only> {   192.168.1.48  192.168.1.53 } 
    tmnet__only = "<tmnet__only>"
     
    # Gateways
    # With WAN1 up, its gateway macro carries a real route-to, and the two gateway groups
    # resolve to different first members (T1M2 -> pppoe1, M1T2 -> pppoe0).
    GWWAN_PPPOE = " route-to ( pppoe0 121.###.###.# ) "
    GWWAN2_PPPOE = " route-to ( pppoe1 175.###.#.### ) "
    GWT1M2 = "  route-to { ( pppoe1 175.###.#.### )  }  "
    GWM1T2 = "  route-to { ( pppoe0 121.###.###.# )  }  "
    
     
    set loginterface em2
    
    set skip on pfsync0
    set keepcounters
    
    scrub from any to <vpn_networks>   fragment no reassemble
    scrub from <vpn_networks> to any   fragment no reassemble
    scrub on $WAN inet all    fragment reassemble
    scrub on $WAN inet6 all    fragment reassemble
    scrub on $LAN inet all    fragment reassemble
    scrub on $LAN inet6 all    fragment reassemble
    scrub on $WAN2 inet all    fragment reassemble
    scrub on $WAN2 inet6 all    fragment reassemble
    
    
    no nat proto carp
    no rdr proto carp
    nat-anchor "natearly/*"
    nat-anchor "natrules/*"
    
    
    # Outbound NAT rules (automatic)
    
    # Subnets to NAT 
    # Automatic outbound NAT is generated for both WAN (pppoe0) and WAN2 (pppoe1).
    tonatsubnets	= "{ 127.0.0.0/8 ::1/128 192.168.1.0/24 }"
    nat on $WAN inet from $tonatsubnets to any port 500 -> 121.###.###.##/32  static-port
    nat on $WAN inet6 from $tonatsubnets to any port 500 -> (pppoe0)  static-port
    nat on $WAN inet from $tonatsubnets to any -> 121.###.###.##/32 port 1024:65535 
    nat on $WAN inet6 from $tonatsubnets to any -> (pppoe0) port 1024:65535 
    nat on $WAN2 inet from $tonatsubnets to any port 500 -> 175.###.#.##/32  static-port
    nat on $WAN2 inet6 from $tonatsubnets to any port 500 -> (pppoe1)  static-port
    nat on $WAN2 inet from $tonatsubnets to any -> 175.###.#.##/32 port 1024:65535 
    nat on $WAN2 inet6 from $tonatsubnets to any -> (pppoe1) port 1024:65535 
    # TFTP proxy
    rdr-anchor "tftp-proxy/*"
    # NAT Inbound Redirects
    # Forwards exist on both links. Note the 80/443 forwards target different hosts per
    # link: pppoe1 -> 192.168.1.48 (a <tmnet__only> member), pppoe0 -> 192.168.1.49 (a
    # <maxis__only> member); the p2p forwards target the same hosts on both links.
    rdr on pppoe1 inet proto tcp from any to 175.###.#.## port 80 -> 192.168.1.48
    rdr on pppoe1 inet proto tcp from any to 175.###.#.## port 443 -> 192.168.1.48
    rdr on pppoe0 inet proto tcp from any to 121.###.###.## port 80 -> 192.168.1.49
    rdr on pppoe0 inet proto tcp from any to 121.###.###.## port 443 -> 192.168.1.49
    rdr on pppoe1 inet proto { tcp udp } from any to 175.###.#.## port 6885 -> 192.168.1.107
    rdr on pppoe0 inet proto { tcp udp } from any to 121.###.###.## port 6885 -> 192.168.1.107
    rdr on pppoe1 inet proto { tcp udp } from any to 175.###.#.## port 6886 -> 192.168.1.51
    rdr on pppoe0 inet proto { tcp udp } from any to 121.###.###.## port 6886 -> 192.168.1.51
    rdr on pppoe1 inet proto { tcp udp } from any to 175.###.#.## port 6888 -> 192.168.1.57
    rdr on pppoe0 inet proto { tcp udp } from any to 121.###.###.## port 6888 -> 192.168.1.57
    
    anchor "openvpn/*"
    anchor "ipsec/*"
    # Allow IPv6 on loopback
    pass in  quick on $loopback inet6 all ridentifier 1000000001 label "pass IPv6 loopback"
    pass out  quick on $loopback inet6 all ridentifier 1000000002 label "pass IPv6 loopback"
    # Block all IPv6
    block in log quick inet6 all ridentifier 1000000003 label "Block all IPv6"
    block out log quick inet6 all ridentifier 1000000004 label "Block all IPv6"
    # block IPv4 link-local. Per RFC 3927, link local "MUST NOT" be forwarded by a routing device,
    # and clients "MUST NOT" send such packets to a router. FreeBSD won't route 169.254./16, but
    # route-to can override that, causing problems such as in redmine #2073
    block in log quick from 169.254.0.0/16 to any ridentifier 1000000101 label "Block IPv4 link-local"
    block in log quick from any to 169.254.0.0/16 ridentifier 1000000102 label "Block IPv4 link-local"
    #---------------------------------------------------------------------------
    # default deny rules
    #---------------------------------------------------------------------------
    # Not "quick": these are the last-match fallback for anything no later rule passes.
    block in log inet all ridentifier 1000000103 label "Default deny rule IPv4"
    block out log inet all ridentifier 1000000104 label "Default deny rule IPv4"
    block in log inet6 all ridentifier 1000000105 label "Default deny rule IPv6"
    block out log inet6 all ridentifier 1000000106 label "Default deny rule IPv6"
    # We use the mighty pf, we cannot be fooled.
    block log quick inet proto { tcp, udp } from any port = 0 to any ridentifier 1000000107 label "Block traffic from port 0"
    block log quick inet proto { tcp, udp } from any to any port = 0 ridentifier 1000000108 label "Block traffic to port 0"
    
    # Snort package
    block log quick from <snort2c> to any ridentifier 1000000109 label "Block snort2c hosts"
    block log quick from any to <snort2c> ridentifier 1000000110 label "Block snort2c hosts"
    
    # SSH lockout
    block in log quick proto tcp from <sshguard> to (self) port 22 ridentifier 1000000301 label "sshguard"
    
    # webConfigurator lockout
    block in log quick proto tcp from <sshguard> to (self) port 443 ridentifier 1000000351 label "GUI Lockout"
    block in log quick from <virusprot> to any ridentifier 1000000400 label "virusprot overload table"
    # block bogon networks (IPv4)
    # https://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt
    # Bogon / antispoof / private-source filtering for WAN (pppoe0).
    block in log quick on $WAN from <bogons> to any ridentifier 11001 label "block bogon IPv4 networks from WAN"
    antispoof log for $WAN ridentifier 1000001470
    # block anything from private networks on interfaces with the option set
    block in log quick on $WAN from 10.0.0.0/8 to any ridentifier 12001 label "Block private networks from WAN block 10/8"
    block in log quick on $WAN from 127.0.0.0/8 to any ridentifier 12002 label "Block private networks from WAN block 127/8"
    block in log quick on $WAN from 172.16.0.0/12 to any ridentifier 12003 label "Block private networks from WAN block 172.16/12"
    block in log quick on $WAN from 192.168.0.0/16 to any ridentifier 12004 label "Block private networks from WAN block 192.168/16"
    block in log quick on $WAN from fc00::/7 to any ridentifier 12005 label "Block ULA networks from WAN block fc00::/7"
    antispoof log for $LAN ridentifier 1000002520
    # allow access to DHCP server on LAN
    pass in  quick on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 ridentifier 1000002541 label "allow access to DHCP server"
    pass in  quick on $LAN proto udp from any port = 68 to 192.168.1.1 port = 67 ridentifier 1000002542 label "allow access to DHCP server"
    pass out  quick on $LAN proto udp from 192.168.1.1 port = 67 to any port = 68 ridentifier 1000002543 label "allow access to DHCP server"
    # allow access to DHCPv6 server on LAN
    pass  quick on $LAN inet6 proto udp from fe80::/10 to fe80::/10 port = 546 ridentifier 1000002551 label "allow access to DHCPv6 server"
    pass  quick on $LAN inet6 proto udp from fe80::/10 to ff02::/16 port = 546 ridentifier 1000002552 label "allow access to DHCPv6 server"
    pass  quick on $LAN inet6 proto udp from fe80::/10 to ff02::/16 port = 547 ridentifier 1000002553 label "allow access to DHCPv6 server"
    pass  quick on $LAN inet6 proto udp from ff02::/16 to fe80::/10 port = 547 ridentifier 1000002554 label "allow access to DHCPv6 server"
    # block bogon networks (IPv4)
    # https://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt
    # Same bogon / antispoof / private-source filtering, for WAN2 (pppoe1).
    block in log quick on $WAN2 from <bogons> to any ridentifier 11002 label "block bogon IPv4 networks from WAN2"
    antispoof log for $WAN2 ridentifier 1000003570
    # block anything from private networks on interfaces with the option set
    block in log quick on $WAN2 from 10.0.0.0/8 to any ridentifier 12006 label "Block private networks from WAN2 block 10/8"
    block in log quick on $WAN2 from 127.0.0.0/8 to any ridentifier 12007 label "Block private networks from WAN2 block 127/8"
    block in log quick on $WAN2 from 172.16.0.0/12 to any ridentifier 12008 label "Block private networks from WAN2 block 172.16/12"
    block in log quick on $WAN2 from 192.168.0.0/16 to any ridentifier 12009 label "Block private networks from WAN2 block 192.168/16"
    block in log quick on $WAN2 from fc00::/7 to any ridentifier 12010 label "Block ULA networks from WAN2 block fc00::/7"
    
    # loopback
    pass in  on $loopback inet all ridentifier 1000003611 label "pass IPv4 loopback"
    pass out  on $loopback inet all ridentifier 1000003612 label "pass IPv4 loopback"
    # let out anything from the firewall host itself and decrypted IPsec traffic
    pass out  inet all keep state allow-opts ridentifier 1000003613 label "let out anything IPv4 from firewall host itself"
    
    # Firewall-originated traffic from each WAN address is pinned to its own link.
    pass out  route-to ( pppoe0 121.###.###.# ) from 121.###.###.## to !121.###.###.##/32 ridentifier 1000003711 keep state allow-opts label "let out anything from firewall host itself"
    pass out  route-to ( pppoe1 175.###.#.### ) from 175.###.#.## to !175.###.#.##/32 ridentifier 1000003712 keep state allow-opts label "let out anything from firewall host itself"
    # make sure the user cannot lock himself out of the webConfigurator or SSH
    # Anti-lockout: any LAN (em2) source may reach the firewall's own 443/80/22.
    pass in  quick on em2 proto tcp from any to (em2) port { 443 80 22 } ridentifier 10001 keep state label "anti-lockout rule"
    
    # User-defined rules follow
    
    anchor "userrules/*"
    # Pass rules for the pppoe0 port forwards above; reply-to pins return traffic to pppoe0.
    pass  in  quick  on $WAN reply-to ( pppoe0 121.###.###.# ) inet proto tcp  from any to 192.168.1.49 port 80 ridentifier 1713411580 flags S/SA keep state label "USER_RULE: NAT caddy-tmnet" label "id:1713411580"
    pass  in  quick  on $WAN reply-to ( pppoe0 121.###.###.# ) inet proto tcp  from any to 192.168.1.49 port 443 ridentifier 1713411594 flags S/SA keep state label "USER_RULE: NAT caddy-tmnet" label "id:1713411594"
    pass  in  quick  on $WAN reply-to ( pppoe0 121.###.###.# ) inet proto { tcp udp }  from any to 192.168.1.107 port 6885 ridentifier 1713411667 keep state label "USER_RULE: NAT p2p-shark" label "id:1713411667"
    pass  in  quick  on $WAN reply-to ( pppoe0 121.###.###.# ) inet proto { tcp udp }  from any to 192.168.1.51 port 6886 ridentifier 1713411727 keep state label "USER_RULE: NAT p2p-qbit" label "id:1713411727"
    pass  in  quick  on $WAN reply-to ( pppoe0 121.###.###.# ) inet proto { tcp udp }  from any to 192.168.1.57 port 6888 ridentifier 1713411753 keep state label "USER_RULE: NAT p2p-deluge" label "id:1713411753"
    # Here $GWWAN_PPPOE expands to "route-to ( pppoe0 ... )", so maxis__only traffic is
    # policy-routed out WAN1 as intended. Being "quick", this rule consumes all maxis__only
    # traffic; the four block rules below only take effect if pfSense omits this pass rule
    # (which is what "Do not create rules when gateway is down" does when WAN1 is down).
    pass  in  quick  on $LAN  $GWWAN_PPPOE inet from $maxis__only to any ridentifier 1713412204 keep state label "USER_RULE" label "id:1713412204" label "gw:WAN_PPPOE"
    # NOTE(review): four identical block rules (only the ridentifier / id labels differ);
    # one would suffice, since a "quick" block ends evaluation for the matching packet.
    block  in  quick  on $LAN inet from $maxis__only to any ridentifier 1713412230 label "USER_RULE" label "id:1713412230"
    block  in  quick  on $LAN inet from $maxis__only to any ridentifier 1713413345 label "USER_RULE" label "id:1713413345"
    block  in  quick  on $LAN inet from $maxis__only to any ridentifier 1713413351 label "USER_RULE" label "id:1713413351"
    block  in  quick  on $LAN inet from $maxis__only to any ridentifier 1713413361 label "USER_RULE" label "id:1713413361"
    # NOTE(review): the first "Default allow LAN to any" rule is "quick" and matches all of
    # $LAN__NETWORK, so the second one (gateway group M1T2 -> pppoe0) is never reached;
    # every remaining LAN host is policy-routed via T1M2, i.e. pppoe1, in this listing.
    pass  in  quick  on $LAN  $GWT1M2 inet from $LAN__NETWORK to any ridentifier 0100000101 keep state label "USER_RULE: Default allow LAN to any rule" label "id:0100000101" label "gw:T1M2"
    pass  in  quick  on $LAN  $GWM1T2 inet from $LAN__NETWORK to any ridentifier 1713412279 keep state label "USER_RULE: Default allow LAN to any rule" label "id:1713412279" label "gw:M1T2"
    # Pass rules for the pppoe1 port forwards above; reply-to pins return traffic to pppoe1.
    pass  in  quick  on $WAN2 reply-to ( pppoe1 175.###.#.### ) inet proto tcp  from any to 192.168.1.48 port 80 ridentifier 1713411551 flags S/SA keep state label "USER_RULE: NAT caddy-tmnet" label "id:1713411551"
    pass  in  quick  on $WAN2 reply-to ( pppoe1 175.###.#.### ) inet proto tcp  from any to 192.168.1.48 port 443 ridentifier 1713411563 flags S/SA keep state label "USER_RULE: NAT caddy-tmnet" label "id:1713411563"
    pass  in  quick  on $WAN2 reply-to ( pppoe1 175.###.#.### ) inet proto { tcp udp }  from any to 192.168.1.107 port 6885 ridentifier 1713411657 keep state label "USER_RULE: NAT p2p-shark" label "id:1713411657"
    pass  in  quick  on $WAN2 reply-to ( pppoe1 175.###.#.### ) inet proto { tcp udp }  from any to 192.168.1.51 port 6886 ridentifier 1713411700 keep state label "USER_RULE: NAT p2p-qbit" label "id:1713411700"
    pass  in  quick  on $WAN2 reply-to ( pppoe1 175.###.#.### ) inet proto { tcp udp }  from any to 192.168.1.57 port 6888 ridentifier 1713411769 keep state label "USER_RULE: NAT p2p-deluge" label "id:1713411769"
    
    # VPN Rules
    
    anchor "tftp-proxy/*"
    
      m0j0 @m0j0
      last edited by Apr 19, 2024, 5:49 AM

      @m0j0 I made an error in my post: the first rules.debug shown is in fact from AFTER WAN1 had been disconnected, and the rules.debug below it is from BEFORE WAN1 had been disconnected. I tried to edit my post, but I keep getting an error about spam.

        SteveITS Galactic Empire @m0j0
        last edited by Apr 19, 2024, 7:04 AM

        @m0j0 https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html#enforcing-gateway-use

        Is “Do not create rules when gateway is down” checked?

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

          m0j0 @SteveITS
          last edited by Apr 19, 2024, 7:47 AM

          @SteveITS Indeed, that was the issue! You're a legend, mate. I've been struggling with this for almost a week now; what's even worse is that I scoured the docs and still somehow managed to miss the bit you highlighted for me 🤦‍♂️
