Block LAN IP from Internet Access on Gateway Group
-
I have a gateway group set up with automatic failover to a limited-data cellular provider, as I work from home and deal with a lot of internet outages. I'm trying to block some specific data hogs from this cell ISP, so my important items, like security cameras and my ability to do my job, stay usable.
I cannot for the life of me figure out how to accomplish this. I've tried setting the gateway under the advanced options in the rules, but that seems to make no difference. Yes, the rules are at the top of the list as well; I know the order of the rules is important. I've been able to successfully block a device on my LAN with a static IP by creating a basic "any" rule for the IP in my LAN rules. I know this is working correctly as it's blocking all WAN access to this host when it's enabled. I've also tried clearing the firewall states many times, to no avail.
I also do not have any rules besides the default allow-all in my LAN rules. I also disabled the anti-lockout rule just to ensure that wasn't interfering. WAN rules just consist of some very basic TCP and UDP port forwards and basic OpenVPN rules.
I've also tried creating pass and block rules for the WAN and Cellular WAN gateways/interfaces, but same result. Either everything is blocked, or it still routes over both.
I feel like this should be the simplest thing, but I've been at this for a week and am getting nowhere.
Please don't repeat to just not assign a gateway to the device. This is not the goal. The host still needs network access, but ONLY on my primary WAN.
-
I did try ChatGPT, and it advised I try making a separate gateway group, defining this in the firewall rule, and only giving the group the primary WAN.
Did this, reset the firewall states, disabled my WAN interface, and yet my host continues to fail over to the cellular WAN. It's like my firewall is completely disregarding the gateway definition, or I'm missing something in the configuration.
-
@soulvoid86
Ensure that you have gateway monitoring enabled on both and have set a public monitoring IP.
Gateway monitoring is essential for a failover scenario. Check that both gateways are shown as online in Status > Gateways.
Then yeah, a pass rule for upstream traffic with a gateway stated (policy routing) should direct the traffic to the desired gateway.
-
@viragomann I've been using the failover gateways for about 2 years. Monitoring has been set up and working for a long time.
Seems no matter what I do, though, the rules do not care which gateway I define. It just uses the group regardless and fails over to the cellular ISP.
Not sure where to go from here. I tried this on a completely fresh instance of pfSense in a test environment too, and it does the same, so I'm sure it's me doing something wrong.
It should be as easy as making a pass rule on LAN with the IP as the source, any as the destination, any protocol, and setting the gateway under advanced settings to either the WAN you want to use or the gateway group you want to use. Put it at the top of the list, save/apply and reset the firewall. Is this not correct?
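The procedure above can be verified against the ruleset pfSense actually loads rather than against the GUI. One thing worth knowing when doing that: with the pfSense default of "Skip rules when gateway is down" unchecked (System > Advanced > Miscellaneous, Gateway Monitoring section), a rule whose gateway is down is still loaded, but without its route-to, so the host silently follows the system default route and fails over with everything else. The script below is an added diagnostic, not code from this thread or from pfSense itself. It reads rules in the shape `pfctl -sr` prints them and reports how a given LAN host will be routed. The interface names (igb0 WAN, igb1 LAN, igb2 cellular), the gateway addresses and the host IP are assumptions, and the RULES_* strings are constructed samples so it runs offline.

```shell
#!/bin/sh
# Added diagnostic, not code from the thread or from pfSense. It inspects a pf
# ruleset in the shape `pfctl -sr` prints and reports how a LAN host is routed.
# Interface names, gateway addresses and the host IP below are assumptions;
# the RULES_* strings are constructed samples so the script runs offline.

HOST="192.168.1.50"   # assumed: LAN host that must only use the primary WAN
WAN_GW="192.0.2.1"    # assumed: primary WAN gateway (igb0); cellular is igb2 198.51.100.1

# Constructed sample: the pinned rule while the WAN gateway is up.
RULES_WAN_UP='pass in quick on igb1 route-to (igb0 192.0.2.1) inet from 192.168.1.50 to any flags S/SA keep state label "USER_RULE: pin host to WAN"
pass in quick on igb1 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"'

# Constructed sample: the same rule after the WAN gateway was marked down while
# "Skip rules when gateway is down" is unchecked (the pfSense default). The rule
# is still loaded, but without its route-to, so the host takes the default route.
RULES_WAN_DOWN='pass in quick on igb1 inet from 192.168.1.50 to any flags S/SA keep state label "USER_RULE: pin host to WAN"
pass in quick on igb1 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"'

# Constructed sample: the rule pointed at a gateway group whose members are
# both active, so route-to lists both gateways.
RULES_GROUP='pass in quick on igb1 route-to { (igb0 192.0.2.1), (igb2 198.51.100.1) } round-robin inet from 192.168.1.50 to any flags S/SA keep state label "USER_RULE: pin host to group"
pass in quick on igb1 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"'

# First "pass in quick" rule in ruleset $1 whose source is exactly host $2.
# pf evaluates quick rules first-match, so this is the rule that wins.
host_rule() {
    printf '%s\n' "$1" | grep -m1 -E "^pass in quick .* from $2 to "
}

# Gateway addresses named in a rule's route-to clause, one per line
# (no output when the rule carries no route-to at all).
route_to_gateways() {
    printf '%s\n' "$1" \
        | sed -n 's/.*route-to \(.*\) inet .*/\1/p' \
        | grep -oE '[0-9]+(\.[0-9]+){3}' || true
}

# Classify how ruleset $1 routes host $2 relative to WAN gateway $3:
#   wan-only       route-to names only the WAN gateway (the goal in the thread)
#   group          route-to names several gateways (a gateway group)
#   other-gateway  route-to names one gateway that is not the WAN
#   no-route       rule matched but has no route-to: traffic follows the system
#                  default route (gateway dropped because it was down, or none set)
#   missing        no pass rule for this host; a later rule decides
host_policy() {
    rule=$(host_rule "$1" "$2") || { echo missing; return 0; }
    gws=$(route_to_gateways "$rule")
    if [ -z "$gws" ]; then
        echo no-route
    elif [ "$(printf '%s\n' "$gws" | wc -l | tr -d ' ')" -gt 1 ]; then
        echo group
    elif [ "$gws" = "$3" ]; then
        echo wan-only
    else
        echo other-gateway
    fi
}

# Run against the constructed samples; on a live box pass "$(pfctl -sr)" instead.
printf 'WAN up:    %s\n' "$(host_policy "$RULES_WAN_UP"   "$HOST" "$WAN_GW")"
printf 'WAN down:  %s\n' "$(host_policy "$RULES_WAN_DOWN" "$HOST" "$WAN_GW")"
printf 'group:     %s\n' "$(host_policy "$RULES_GROUP"    "$HOST" "$WAN_GW")"
```

On a live firewall, `host_policy "$(pfctl -sr)" 192.168.1.50 192.0.2.1` (with the real addresses) shows what the loaded ruleset will do; run it once with the WAN up and once with it down. A result of `no-route` while the WAN is down is the dropped-gateway case described above. Enabling "Skip rules when gateway is down" makes pfSense omit the pinned pass rule instead, but an omitted pass rule simply falls through to the next match, which here is the default allow LAN rule, so the host still needs a block rule placed directly below the pinned pass rule to be kept off the cellular WAN. The check only reflects the loaded ruleset; states that are already open keep their existing route until they are cleared.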