Netgate Discussion Forum

    How to force certain external IPs to go through certain gateways

    Routing and Multi WAN
    15 Posts 4 Posters 7.4k Views

    nikkilocke

    I have a pfSense installed yesterday from the downloaded VMware image.
    I have 3 WAN interfaces, on different /24 subnets, all connected to NAT routers of one kind or another.
    All the routers have a DMZ set up to point to the pfSense IP address on their own subnet.
    The pfSense has its own NAT set up.
    The LAN interface is connected to an internal router on 192.168.100.1, which routes to 2 other subnets.
    I have static routes for the other subnets with gateway 192.168.100.1.

    I want all traffic from everywhere on the LAN to a particular IP address to go via one particular WAN interface.
    I also want all traffic from everywhere on the LAN to port 25 to go via one particular WAN interface.

    I have set up two firewall rules on the LAN.

        • fixed * (WAN interface)
        • SMTP * (WAN interface)

    fixed is a host alias with the IP address I want.
    SMTP is a port alias for port 25.

    However, if I do a traceroute from inside the LAN to the IP address specified in the alias, it sometimes goes via one of the other WAN interfaces.

    Am I doing this wrong?
    Is the NAT confusing things?
    Should I be setting up a static route for the fixed IP address instead?
    If the fixed IP address rule doesn't work, why should the SMTP rule (which can't be done with a static route) work?

    GruensFroeschli

    A traceroute uses ICMP.
    Your rule is for port 25 (probably TCP or UDP).
    So this is testing oranges for apples.

    Try telnet on port 25 and you should see that you go to the correct gateway.

    We do what we must, because we can.

    Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

    nikkilocke

    @GruensFroeschli:

        A traceroute uses ICMP.
        Your rule is for port 25 (probably TCP or UDP).
        So this is testing oranges for apples.

        Try telnet on port 25 and you should see that you go to the correct gateway.

    I probably didn't explain very well. I am not expecting the traceroute to be intercepted by the SMTP rule, but by the fixed IP rule.

    The rule has:
    Interface: LAN
    Protocol: any
    Source: any
    Destination: Single host or alias: fixedip
    Gateway: My WAN ADSL router's address

    The fixedip alias has:
    Name: fixedip
    Type: Host(s)
    IP: (the IP address)

    GruensFroeschli

    You use the alias in the field "destination".
    You have to use it in the field "source" :)

    nikkilocke

    That makes no sense to me at all.
    fixedip is an address out there on the Internet.
    I want all packets FROM my LAN TO fixedip to go via my 1st WAN port.
    Why should I put fixedip in as the SOURCE of the packets???

    Just to clarify, the reason for this is that fixedip has its own firewall, which will only accept connections from 1 IP address, the external address of my 1st WAN router.

    GruensFroeschli

    Ah.
    In the previous description it sounded like you're trying to force one of your internal clients to a specific WAN.

    Can you show a screenshot of your rules?

    nikkilocke

    A screenshot of my rules will tell you no more than the typed-in "screenshot" I included in the first message (other than revealing the actual internal IP address of the external ADSL router in question).

    GruensFroeschli

    You typed what you think you have.
    A screenshot shows what you actually have.
    You wouldn't believe what kind of descriptions we've got here and the screenshot showed that the rules weren't anything like described ;)

    nikkilocke

    I promise it's right. I've checked it more than twice.

    ktims

    Well, the columns don't match up with what my web interface looks like, and you can't have "any" in the protocol field with a port specified, so there's a disconnect somewhere…

    Please just take a screenshot, it makes things much more clear.

    nikkilocke

    Perhaps you are running a different version of pfSense to me - if you check the attached against my original post, you will see the original post was correct (aside from my changing the names).

    I have censored the output - I am not happy about revealing more of my firewall setup than absolutely necessary on the public Internet. The IP address shown is the internal IP address of my first ADSL router.

    [attachment: firewall.JPG]

    GruensFroeschli

    So if I read this right:
    you have an alias SMTP which contains the port 25.
    And you use this alias in the destination field, which expects an IP.
    Try to set this alias in the field destination-port instead of destination.
    For this you have to set the protocol to TCP/UDP. Otherwise the destination port field is hidden.

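The two rules in this thread (a host alias in the destination field with a gateway set, and a port alias that belongs in the destination-port field rather than the destination field) can be checked against a small model of how pfSense evaluates LAN rules: top-down, first match wins, and a matching rule with a gateway policy-routes the traffic while a matching rule without one leaves it to the routing table. The Python below is an added example and not pfSense code. The alias contents (203.0.113.10 for fixedip, the 192.168.10x.0/24 internal subnets), the LAN host 192.168.100.50 and the gateway name WAN1_GW are constructed stand-ins for values the thread redacts, and the model refusing a port alias in an address field is a design choice of the model (the thread reports the GUI of the time did not catch it).

```python
"""Model of pfSense LAN rule evaluation with policy routing (added example, not pfSense code).

pfSense generates every rule with "quick", so evaluation is top-down and the first
match wins. A matching rule with a gateway policy-routes the packet to that gateway;
a matching rule without one leaves the packet to the system routing table.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Union


@dataclass(frozen=True)
class HostAlias:
    name: str
    networks: tuple                 # IPv4Network objects


@dataclass(frozen=True)
class PortAlias:
    name: str
    ports: frozenset


@dataclass(frozen=True)
class Packet:
    proto: str                      # "icmp", "tcp" or "udp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Rule:
    name: str
    proto: str = "any"                      # "any", "tcp", "udp" or "tcp/udp"
    src: Union[HostAlias, str] = "any"
    dst: Union[HostAlias, str] = "any"
    dport: Optional[PortAlias] = None
    gateway: Optional[str] = None           # None: use the routing table

    def __post_init__(self):
        # Validation the thread found missing in the GUI: a port alias is not an address,
        # and a destination port only makes sense for TCP and/or UDP (the GUI hides the
        # port field otherwise). Raising here is the model's choice, not pfSense behaviour.
        for fld in (self.src, self.dst):
            if isinstance(fld, PortAlias):
                raise ValueError(f"{self.name}: port alias '{fld.name}' used as an address")
        if self.dport is not None and self.proto not in ("tcp", "udp", "tcp/udp"):
            raise ValueError(f"{self.name}: a destination port needs protocol TCP and/or UDP")


def _addr_match(spec, addr):
    if spec == "any":
        return True
    ip = ip_address(addr)
    return any(ip in net for net in spec.networks)


def _proto_match(rule_proto, pkt_proto):
    return rule_proto == "any" or pkt_proto in rule_proto.split("/")


def evaluate(rules, pkt):
    """Return (rule name, gateway) of the first matching rule, or (None, None) if none passes."""
    for r in rules:
        if (_proto_match(r.proto, pkt.proto)
                and _addr_match(r.src, pkt.src)
                and _addr_match(r.dst, pkt.dst)
                and (r.dport is None or pkt.dport in r.dport.ports)):
            return r.name, r.gateway
    return None, None


# Constructed stand-ins for the values the thread redacts.
FIXEDIP = HostAlias("fixedip", (ip_network("203.0.113.10/32"),))
SMTP = PortAlias("SMTP", frozenset({25}))
INTERNAL = HostAlias("internal_nets", (ip_network("192.168.100.0/24"),
                                       ip_network("192.168.101.0/24"),
                                       ip_network("192.168.102.0/24")))

LAN_RULES = [
    # Pass traffic for the internal subnets first, with NO gateway, so the static routes
    # via 192.168.100.1 keep working and the policy-routing rules below cannot capture it.
    Rule("local", dst=INTERNAL),
    # Protocol "any" + host alias + gateway: an ICMP traceroute to fixedip matches here.
    Rule("fixed", dst=FIXEDIP, gateway="WAN1_GW"),
    # The SMTP rule as corrected in the thread: port alias in the destination-port field.
    Rule("smtp", proto="tcp", dport=SMTP, gateway="WAN1_GW"),
    # Stand-in for the default "LAN to any" rule, routed by the routing table.
    Rule("default"),
]


def broken_smtp_rule():
    """The SMTP rule as first posted: port alias in the destination address field."""
    try:
        Rule("smtp_broken", dst=SMTP, gateway="WAN1_GW")
    except ValueError as err:
        return str(err)
    return None


if __name__ == "__main__":
    host = "192.168.100.50"
    for label, pkt in [
        ("tracert to fixedip", Packet("icmp", host, "203.0.113.10")),
        ("smtp to Internet host", Packet("tcp", host, "198.51.100.7", 25)),
        ("ping to Internet host", Packet("icmp", host, "198.51.100.7")),
        ("smtp to internal mail host", Packet("tcp", host, "192.168.101.20", 25)),
    ]:
        print(f"{label:28s} -> {evaluate(LAN_RULES, pkt)}")
    print("without the 'local' rule     ->",
          evaluate(LAN_RULES[1:], Packet("tcp", host, "192.168.101.20", 25)))
    print("broken rule:", broken_smtp_rule())
```

The `local` rule at the top of the list is the check a practitioner wants before adding a port-based policy-routing rule: a rule like "from any to any port 25, gateway WAN1" otherwise also captures SMTP to the internal subnets reached through the static routes via 192.168.100.1 and sends it out WAN1, which `evaluate(LAN_RULES[1:], ...)` shows. When exercising the port-based rule from a LAN host, keep in mind that Windows `tracert` only sends ICMP echo and so can never hit a TCP/25 rule; on Linux `traceroute -T -p 25 <host>` (TCP SYN probes, requires root) or a plain `telnet <host> 25` followed by a look at the pfSense state table does.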
    nikkilocke

    Thanks for pointing out the problem with the SMTP rule. It shows the danger of using aliases. I would have expected the UI to tell me if I used a port alias in an IP address field. Are rules not validated at all?

    However, that's not the rule I am trying to debug.

    Please concentrate on the rule I am trying to debug, which is the one which should send all data destined for the IP address in the alias "fixedip" out via WAN1.

    overand

    Can you show us a screenshot of what you get when you mouseover the "fixedip" alias? Then, if possible, show us a traceroute giving you the unexpected behavior? (On Windows, I'd suggest "tracert -d whatever.you.are.going.to".)

    (Please confirm the pfSense box's IP as well as the IP of the machine you're testing from, for completeness.)

    nikkilocke

    I withdraw the complaint in shame and bewilderment - I can no longer reproduce the problem!

    I have just done 6 tracerts to the fixedip address, and they all went through the correct gateway.

    Thanks very much for helping though (and at least my SMTP rule works properly, now you've kindly debugged it for me) :D

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.