How to force certain external IPs to go through certain gateways



  • I have a pfSense that I installed yesterday from the downloaded VMware image.
    I have 3 WAN interfaces, on different /24 subnets, all connected to NAT routers of one kind or another.
    All the routers have a DMZ set up to point to the pfSense IP address on their own subnet.
    The pfSense has its own NAT set up.
    The LAN interface is connected to an internal router on 192.168.100.1, which routes to 2 other subnets.
    I have static routes for the other subnets with gateway 192.168.100.1.

    I want all traffic from everywhere on the LAN to a particular IP address to go via one particular WAN interface.
    I also want all traffic from everywhere on the LAN to port 25 to go via one particular WAN interface.

    I have set up two firewall rules on the LAN.

        • fixed * (WAN interface)
        • SMTP * (WAN interface)

    fixed is a host alias with the IP address I want.
    SMTP is a port alias for port 25.

    However, if I do a traceroute from inside the LAN to the IP address specified in the alias, it sometimes goes via one of the other WAN interfaces.

    Am I doing this wrong?
    Is the NAT confusing things?
    Should I be setting up a static route for the fixed IP address instead?
    If the fixed IP address rule doesn't work, why should the SMTP rule (which can't be done with a static route) work?



  • A traceroute uses ICMP.
    Your rule is for port 25 (probably TCP or UDP).
    So this is testing oranges for apples.

    Try telnet on port 25 and you should see that you go to the correct gateway.



  • @GruensFroeschli:

    A traceroute uses ICMP.
    Your rule is for port 25 (probably TCP or UDP).
    So this is testing oranges for apples.

    Try telnet on port 25 and you should see that you go to the correct gateway.

    I probably didn't explain very well. I am not expecting the traceroute to be intercepted by the SMTP rule, but by the fixed IP rule.

    The rule has:
    Interface: LAN
    Protocol: any
    Source: any
    Destination: Single host or alias : fixedip
    Gateway: My WAN ADSL router's address

    The fixedip alias has:
    Name: fixedip
    Type: Host(s)
    IP: (the IP address)



  • You use the alias in the field "destination".
    You have to use it in the field "source" :)



  • That makes no sense to me at all.
    fixedip is an address out there on the Internet.
    I want all packets FROM my LAN TO fixedip to go via my 1st WAN port
    Why should I put fixedip in as the SOURCE of the packets???

    Just to clarify, the reason for this is that fixedip has its own firewall, which will only accept connections from 1 IP address, the external address of my 1st WAN router.



  • Ah.
    In the previous description it sounded like you're trying to force one of your internal clients to a specific WAN.

    Can you show a screenshot of your rules?



  • A screenshot of my rules will tell you no more than the typed in "screenshot" I included in the first message (other than revealing the actual internal IP address of the external ADSL router in question).



  • You typed what you think you have.
    A screenshot shows what you actually have.
    You wouldn't believe what kind of descriptions we've got here and the screenshot showed that the rules weren't anything like described ;)



  • I promise it's right. I've checked it more than twice.



  • Well, the columns don't match up with what my web interface looks like, and you can't have any in the protocol field with a port specified, so there's a disconnect somewhere…

    Please just take a screenshot, it makes things much more clear.



  • Perhaps you are running a different version of pfSense to me - if you check the attached against my original post, you will see the original post was correct (aside from my changing the names).

    I have censored the output - I am not happy about revealing more of my firewall setup than absolutely necessary on the public Internet. The IP address shown is the internal IP address of my first ADSL router.




  • So if I read this right:
    you have an alias SMTP which contains the port 25.
    And you use this alias in the destination field, which expects an IP.
    Try to set this alias in the field destination-port instead of destination.
    For this you have to set the protocol to TCP/UDP. Otherwise the destination port field is hidden.
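    For reference, here are the two LAN rules as they would look in pf syntax once each alias sits in the field that matches its type. This is an illustrative fragment added here, not pfSense's generated ruleset and not from anyone in the thread; the interface names, the 203.0.113.1 gateway and the alias contents are placeholders.

```pf
# Illustrative pf.conf fragment (added example, not pfSense's generated rules).
# Interface names, the gateway address and the alias contents are placeholders.
lan_if  = "em0"
wan1_if = "em1"
wan1_gw = "203.0.113.1"     # next hop on WAN1 (the first ADSL router's LAN side)

# Host alias: holds an IP address, so it is valid in a source/destination field.
table <fixedip> { 198.51.100.10 }

# Port alias: holds a port number, so it is only valid in a port field,
# never in an address field (that was the mistake in the SMTP rule).
smtp_port = "25"

# Rule 1 (the "fixedip" rule): any protocol, any LAN source, destination = the
# host alias. route-to overrides the routing table for packets matched on the
# way in, so the first-match rule decides the exit gateway, not the route table.
pass in quick on $lan_if route-to ($wan1_if $wan1_gw) inet \
    from any to <fixedip> keep state

# Rule 2 (the SMTP rule): a port match needs a protocol that has ports, so the
# rule is restricted to TCP; "proto any" cannot carry a port and the port field
# is hidden in the UI until TCP or UDP is chosen.
pass in quick on $lan_if route-to ($wan1_if $wan1_gw) inet proto tcp \
    from any to any port $smtp_port keep state
```

    Because rule 1 matches every protocol, an ICMP traceroute to the fixed host should also leave via WAN1, which is what the thread ends up confirming.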



  • Thanks for pointing out the problem with the SMTP rule. It shows the danger of using aliases. I would have expected the UI to tell me if I used a port alias in an IP address field. Are rules not validated at all?

    However, that's not the rule I am trying to debug.

    Please concentrate on the rule I am trying to debug, which is the one which should send all data destined for the IP address in the alias "fixedip" out via WAN1.



  • Can you show us a screenshot of what you get when you mouseover the "fixedip" alias? Then, if possible, show us a traceroute giving you the unexpected behavior? (On Windows, I'd suggest "tracert -d whatever.you.are.going.to".)

    (Please confirm the pfSense box's IP as well as the IP of the machine you're testing from, for completeness.)



  • I withdraw the complaint in shame and bewilderment - I can no longer reproduce the problem!

    I have just done 6 tracerts to the fixedip address, and they all went through the correct gateway.

    Thanks very much for helping though (and at least my SMTP rule works properly, now you've kindly debugged it for me) :D

