Using pfSense to Route and Force Traffic out on a specific Interface/IP (WAN)



  • Hello everyone!

    I have been experimenting with pfSense for a little bit here and I also have bought the book and been reading up on it.  During my experimentation/reading process I have become quite confused as to how I am going to implement what I am trying to accomplish.

    Here is the scenario: (Network diagram below)

    Comcast cable modem/router with 5 public IPs: 98.x.x.1 to 98.x.x.5, with gateway of 98.x.x.6

    pfSense with 4 interfaces, namely: LAN, WAN, WAN2 and DMZ configured as such:

    LAN: 192.168.1.1
    WAN: 98.x.x.1
    WAN2: 98.x.x.5
    DMZ: 192.168.2.1

    Now, here is what I need it to do and am not quite sure how to implement.  I need to force the Internet incoming/outgoing traffic on the LAN to go out on WAN2.

    I only want to use WAN for incoming connections to the anti-spam/mail server and nothing else.

    Here is a network diagram depicting what I want to do:

    Anything you can do to help would be greatly appreciated.

    Thanks,

    Luis



  • Make the default route the one for WAN2.  That will take care of outbound traffic initiated from the LAN.



  • Thanks danswartz,

    Will this also force DMZ traffic out of WAN instead of WAN2?



  • No, you didn't say you wanted to do that.  If you do, add a rule under Firewall => Rules => LAN that has the DMZ host as the source IP, but everything else defaults.  Then, set the gateway to the WAN IP address (otherwise it would go to the WAN2 IP address).  Then (very important) move that rule so it is before the default LAN => any rule.



  • Hi dan,

    Thanks for your reply.  So, does this mean that all traffic from DMZ will go out on WAN, and all traffic from LAN will go out on WAN2?

    I just want to make sure that this is what will happen.

    Thanks again!

    Luis



  • Assuming I am understanding you correctly, it should.  Only way to find out is to try it though.



  • Ok, I will give it a shot and report back.



  • I could be wrong, but I think you're going to have a problem here because WAN and WAN2 are both using IPs in the same subnet. This would be okay if you could separate them into their own smaller subnets but you would need a separate gateway IP for each subnet that lies within the subnet.

    I don't think that you need two WAN interfaces to do what you're trying to do. Use a single WAN, add the second IP you want to use as a Virtual IP (proxy ARP). Use Advanced Outbound NAT to control which public IP traffic from your LAN/OPT interfaces goes out on.

    The info danswartz gave should still work in this case because the VIP should show up as a "gateway" in the rules.

    If I'm understanding what you want correctly, you shouldn't have any issue this way.



  • Good point.  Looking at that again, I see no point in having more than one NIC if they are IPs in the same subnet from the same provider.  Just make one the WAN IP and the second a virtual IP, no?



  • @danswartz:

    Good point.  Looking at that again, I see no point in having more than one NIC if they are IPs in the same subnet from the same provider.  Just make one the WAN IP and the second a virtual IP, no?

    Correct. Do post your final result for everyone to see, in case it helps someone else.



  • Well,

    Turns out that what I wanted to do according to the network diagram posted above did not quite work the way I expected.  Technically this is a multi-WAN setup but with 1 cable modem/router, since I am using 2 public IPs, both in the same network/broadcast domain and thus both sharing the same gateway.

    I was lucky enough to find out that the way my Comcast cable modem/router is configured allows me to use private or public addresses without having to change anything major.

    So, first I connected both the WAN and WAN2 ports directly to my cable modem/router's built-in switch.  Then I set up pfSense with the WAN port having a public IP statically set on the interface, e.g. 98.x.x.1, and then I set up WAN2 with a DHCP address, which in turn gave the interface a 10.x.x.1 address off the modem/router's DHCP server.

    After that, I made sure to set up the correct DNS servers for both WAN and WAN2.  Then I configured LAN with 192.168.1.1/24 and DMZ with 192.168.2.1 and I made sure to add rules on the firewall to allow the correct traffic protocols between LAN and DMZ.

    Now, since I wanted to have LAN go out on WAN2, I set up the default gateway for outgoing connections for LAN to be 10.x.x.1, which is WAN2's address.
    Also, I wanted traffic from DMZ to go out on WAN, so I set up the default gateway for outgoing connections for DMZ to be 98.x.x.1, which is WAN's address.

    To reiterate, the setup is:

    WAN IP: 98.x.x.1
    WAN2 IP: 10.x.x.1
    LAN IP: 192.168.1.1
    DMZ IP: 192.168.2.1

    Default gateway for LAN is 10.x.x.1
    Default gateway for DMZ is 98.x.x.1

    Hope this makes sense and thanks everyone for your help!

    Luis
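The two things this thread turns on are the per-interface gateway assignment in the final setup above and danswartz's earlier warning that a specific policy-routing rule has to sit above the default allow rule or it never fires. The following Python model is an added example, not pfSense code and not posted by anyone in the thread. It assumes pfSense's rule semantics: rules on an interface tab only see traffic entering that interface, rules are evaluated top to bottom with first match winning, a matching rule with a gateway set policy-routes the traffic out that gateway (gateway "default" means the system default route), and traffic matching no rule is dropped. The gateway names (WAN_GW, WAN2_GW) and host addresses are made up for the illustration.

```python
"""Toy model of pfSense policy-routing rule evaluation (added example).

Assumed behaviour (pfSense, not code from the thread):
  * A rule on an interface tab only matches traffic entering that interface.
  * Rules are evaluated top to bottom; the first match wins.
  * A matching rule whose gateway is set sends the traffic out that gateway;
    gateway "default" means "use the system default route".
  * Traffic that matches no rule is blocked (implicit deny).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    interface: str      # tab the rule lives on, i.e. the ingress interface
    source: str         # CIDR the packet's source must fall in
    gateway: str        # "default" or a named gateway
    description: str = ""


def choose_gateway(rules, ingress_if, src_ip, default_gw):
    """Return the gateway name a packet would be routed through, or None if
    no rule matches (pfSense's implicit block)."""
    src = ip_address(src_ip)
    for rule in rules:
        if rule.interface != ingress_if:
            continue                      # rule is on another tab
        if src not in ip_network(rule.source):
            continue                      # source does not match
        return default_gw if rule.gateway == "default" else rule.gateway
    return None


def shadowed_rules(rules):
    """Rules that can never match because an earlier rule on the same tab
    already covers their entire source range. This is the mistake
    danswartz warns about: a host rule placed below "LAN net -> any"."""
    shadowed = []
    for i, rule in enumerate(rules):
        net = ip_network(rule.source)
        for earlier in rules[:i]:
            if earlier.interface == rule.interface and \
                    net.subnet_of(ip_network(earlier.source)):
                shadowed.append(rule)
                break
    return shadowed


# Hypothetical gateway names; in the thread WAN2 carries the default route.
WAN_GW = "WAN_GW"     # the 98.x.x.x public side
WAN2_GW = "WAN2_GW"   # the 10.x.x.x side handed out by the modem's DHCP
SYSTEM_DEFAULT = WAN2_GW

# The final setup from the thread: LAN out WAN2, DMZ out WAN.
FINAL_RULES = [
    Rule("lan", "192.168.1.0/24", WAN2_GW, "LAN egress via WAN2"),
    Rule("dmz", "192.168.2.0/24", WAN_GW, "DMZ egress via WAN"),
]

# Rule-order pitfall: the host-specific rule is below the catch-all and is
# therefore never evaluated (constructed host 192.168.1.50).
WRONG_ORDER = [
    Rule("lan", "192.168.1.0/24", "default", "Default allow LAN to any"),
    Rule("lan", "192.168.1.50/32", WAN_GW, "Mail relay host out WAN"),
]
RIGHT_ORDER = list(reversed(WRONG_ORDER))


if __name__ == "__main__":
    for ifc, ip in (("lan", "192.168.1.20"), ("dmz", "192.168.2.10")):
        print(ifc, ip, "->", choose_gateway(FINAL_RULES, ifc, ip, SYSTEM_DEFAULT))
    print("host 192.168.1.50, wrong order ->",
          choose_gateway(WRONG_ORDER, "lan", "192.168.1.50", SYSTEM_DEFAULT))
    print("host 192.168.1.50, right order ->",
          choose_gateway(RIGHT_ORDER, "lan", "192.168.1.50", SYSTEM_DEFAULT))
    print("shadowed:", [r.description for r in shadowed_rules(WRONG_ORDER)])
```

The `shadowed_rules` check is the part worth keeping around: run it over a rule list before saving and it flags any rule whose source range is entirely covered by an earlier rule on the same tab, which is exactly the condition under which "move that rule above the default LAN to any rule" matters. Note also that a rule for 192.168.2.0/24 placed on the LAN tab would never see DMZ-originated traffic under this model, since DMZ hosts enter on the DMZ interface.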

