How to force certain external IPs to go through certain gateways

Reply to How to force certain external IPs to go through certain gateways on Fri, 14 May 2010 15:27:30 GMT

nikkilocke — Fri, 14 May 2010 15:27:30 GMT

I withdraw the complaint in shame and bewilderment - I can no longer reproduce the problem!

I have just done 6 tracerts to the fixedip address, and they all went through the correct gateway.

Thanks very much for helping though (and at least my SMTP rule works properly, now you've kindly debugged it for me) :D

Reply to How to force certain external IPs to go through certain gateways on Fri, 14 May 2010 14:56:56 GMT

overand — Fri, 14 May 2010 14:56:56 GMT

Can you show us a screenshot of what you get when you mouseover the "fixedip" alias? Then, if possible, show us a traceroute giving you the unexpected behavior? (On windows, I'd suggest "tracert -d whatever.you.are.going.to)

(Please confirm the pfSense box's IP as well as the IP of the machine you're testing from, for completeness.)

Reply to How to force certain external IPs to go through certain gateways on Thu, 13 May 2010 13:29:46 GMT

nikkilocke — Thu, 13 May 2010 13:29:46 GMT

Thanks for pointing out the problem with the SMTP rule. It shows the danger of using aliases. I would have expected the UI to tell me if I used a port alias in an IP address field. Are rules not validated at all?

However, that's not the rule I am trying to debug.

Please concentrate on the rule I am trying to debug, which is the one which should send all data destined for the IP address in the alias "fixedip" out via WAN1.

Reply to How to force certain external IPs to go through certain gateways on Thu, 13 May 2010 09:33:03 GMT

GruensFroeschli — Thu, 13 May 2010 09:33:03 GMT

So if i read this right:
you have an alias SMTP which contains the port 25.
And you use this alias in the destination fiel which expects an IP.
Try to set this alias in the field destination-port instead of destination.
For this you have to set the protocol to Tcp/udp. Otherwise the destination port field is hidden.

Reply to How to force certain external IPs to go through certain gateways on Thu, 13 May 2010 09:00:23 GMT

nikkilocke — Thu, 13 May 2010 09:00:23 GMT

Perhaps you are running a different version of pfSense to me - if you check the attached against my original post, you will see the original post was correct (aside from my changing the names).

I have censored the output - I am not happy about revealing more of my firewall setup than absolutely necessary on the public Internet. The IP address shown is the internal IP address of my first ADSL router.

Reply to How to force certain external IPs to go through certain gateways on Wed, 12 May 2010 23:57:52 GMT

ktims — Wed, 12 May 2010 23:57:52 GMT

Well, the columns don't match up with what my web interface looks like, and you can't have any in the protocol field with a port specified, so there's a disconnect somewhere…

Please just take a screenshot, it makes things much more clear.

Reply to How to force certain external IPs to go through certain gateways on Wed, 12 May 2010 17:39:45 GMT

nikkilocke — Wed, 12 May 2010 17:39:45 GMT

I promise it's right. I've checked it more than twice.

Reply to How to force certain external IPs to go through certain gateways on Wed, 12 May 2010 08:55:43 GMT

GruensFroeschli — Wed, 12 May 2010 08:55:43 GMT

You typed what you think you have.
A screenshot shows what you actually have.
You wouldn't believe what kind of descriptions we've got here and the screenshot showed that the rules weren't anything like described ;)

Reply to How to force certain external IPs to go through certain gateways on Wed, 12 May 2010 08:11:32 GMT

nikkilocke — Wed, 12 May 2010 08:11:32 GMT

A screenshot of my rules will tell you no more than the typed in "screenshot" I included in the first message (other than revealing the actual internal IP address of the external ADSL router in question).

Reply to How to force certain external IPs to go through certain gateways on Tue, 11 May 2010 20:21:54 GMT

GruensFroeschli — Tue, 11 May 2010 20:21:54 GMT

Ah.
In the previous description it sounded like you're trying to force one of your internal clients to a specific WAN.

Can you show a screenshot of your rules?

Reply to How to force certain external IPs to go through certain gateways on Tue, 11 May 2010 18:07:18 GMT

nikkilocke — Tue, 11 May 2010 18:07:18 GMT

That makes no sense to me at all.
fixedip is an address out there on the Internet.
I want all packets FROM my LAN TO fixedip to go via my 1st WAN port
Why should I put fixedip in as the SOURCE of the packets???

Just to clarify, the reason for this is that fixedip has its own firewall, which will only accept connections from 1 IP address, the external address of my 1st WAN router.

Reply to How to force certain external IPs to go through certain gateways on Tue, 11 May 2010 15:24:23 GMT

GruensFroeschli — Tue, 11 May 2010 15:24:23 GMT

You use the alias in the field "destination".
You have to use it in the field "source" :)

Reply to How to force certain external IPs to go through certain gateways on Tue, 11 May 2010 13:49:59 GMT

nikkilocke — Tue, 11 May 2010 13:49:59 GMT

@GruensFroeschli:

A traceroute uses ICMP.
Your rule is for port 25. (probably TCP or UDP)
So this is testing oranges for apples.

Try telnet on port 25 and you should see that you go to the correct gateway.

I probably didn't explain very well. I am not expecting the traceroute to be intercepted by the SMTP rule, but by the fixed IP rule.

The rule has:
Interface:LAN
Protocol: any
Source: any
Destination: Single host or alias : fixedip
Gateway: My WAN ADSL router's address

The fixedip alias has:
Name: fixedip
Type: Host(s)
IP: (the IP address)

Reply to How to force certain external IPs to go through certain gateways on Tue, 11 May 2010 10:44:34 GMT

GruensFroeschli — Tue, 11 May 2010 10:44:34 GMT

A traceroute uses ICMP.
Your rule is for port 25. (probably TCP or UDP)
So this is testing oranges for apples.

Try telnet on port 25 and you should see that you go to the correct gateway.