Directing certain traffic over a certain WAN
I have a dual Data/VoIP setup running through pfSense and need to do one minor tweak to alleviate a minor problem. Unfortunately, this requires a little explanation.
There is a single DSL circuit provisioned with two PVCs, each providing a /29 block. The VoIP PVC is provisioned as real-time and will carve needed bandwidth out of the Data PVC as needed.
The two WANs formed by the two PVCs are defined in pfSense as /29 blocks, and the remaining IPs are set up as Virtual IPs using Proxy ARP. On the LAN side there are actually 4 LAN subnets defined. Two of them use the Data WAN as the default gateway and the other two are using the Voice WAN as the default gateway.
My problem arises because, in addition to the regular VoIP traffic, the SIP servers need to initiate non-VoIP traffic out to the internet in order to download updates and such. If these servers are allowed to initiate this traffic over the Voice WAN, Data WAN traffic is entirely blocked because of priority to the traffic on the Voice WAN. Therefore, it is desirable to provision the Voice subnets to send VoIP traffic over the Voice WAN and all other traffic over the Data WAN.
In the past I have used an Outbound NAT rule on the WAN interface to send the traffic out one of the aliases rather than the default, however, in this case when I try to use an Outbound rule on the Voice WAN to send traffic out a virtual IP on the Data WAN it does not work… and I’m not exactly surprised either.
Given this, what would be the correct way to provision this?… And does the Virtual IP type make any difference?
All right, I got it.
It's a two-part process. First, on the subnet where you want to send traffic to an alternate default gateway, create a firewall rule on that subnet that matches the traffic you want to divert, then in the advanced features section select the alternate gateway.
Second, on the alternate WAN, define an outbound NAT rule that matches the source traffic and assigns it to the desired virtual IP.
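The two-part recipe above, written out in the pf rule syntax that pfSense generates from the GUI (what you would see in /tmp/rules.debug). This is an added example, not configuration from the thread or from pfSense itself; every interface name, address and port below is a made-up assumption chosen to match the described layout (a voice LAN whose default route is the Voice WAN, a Data WAN /29 with a Proxy ARP Virtual IP, and a single SIP provider).

```pf
# Assumed names and addresses (hypothetical, not from the original post)
voice_lan    = "em2"                 # LAN interface of one of the voice subnets
data_wan     = "em0"                 # Data WAN interface
voice_net    = "192.168.20.0/24"     # the voice subnet (default gateway = Voice WAN)
data_wan_gw  = "203.0.113.1"         # upstream gateway on the Data WAN /29
data_wan_vip = "203.0.113.6"         # Proxy ARP Virtual IP on the Data WAN /29
sip_provider = "198.51.100.10"       # SIP signalling and media peer (assumed single host)

# Part 2 of the recipe: Outbound NAT on the alternate (Data) WAN.
# pf evaluates translation before filtering, so any packet that the route-to
# rule below pushes out $data_wan gets its source rewritten to the VIP.
# In the GUI this needs Firewall > NAT > Outbound in manual or hybrid mode;
# in automatic mode this rule is never generated.
nat on $data_wan from $voice_net to any -> $data_wan_vip

# Part 1 of the recipe: firewall rules on the voice LAN.
# pfSense emits "quick", so the first matching rule wins: keep the rule that
# must stay on the default (Voice WAN) gateway ABOVE the catch-all.
# SIP signalling plus an assumed RTP media range, no gateway set = default route.
pass in quick on $voice_lan proto udp from $voice_net to $sip_provider \
    port { 5060, 10000:20000 } keep state

# Everything else from the voice subnet is policy-routed out the Data WAN.
# This is what "select the alternate gateway" in the rule's advanced
# section produces: a route-to clause naming the Data WAN interface and gateway.
pass in quick on $voice_lan from $voice_net to any \
    route-to ($data_wan $data_wan_gw) keep state
```

Two things worth checking on the box after applying this: `pfctl -sr | grep route-to` confirms the policy-routing rule was actually loaded with the expected interface and gateway, and `pfctl -sn` confirms the `nat on` rule for the Data WAN exists (if it is missing, outbound NAT is still in automatic mode). Because pf states are created on first match, connections that were already open before the rule change keep their old path until their state expires; `pfctl -k 192.168.20.0/24` drops them so the new routing takes effect immediately. If your provider uses a separate media host for RTP, the first rule needs that address too, or the media leaves via the Data WAN and loses its priority.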
I had a similar scenario, except with outbound SMTP instead of VoIP. I was missing part 1 of 2. I would configure the OB NAT, but the connection wasn't going through at all. After adding the OB firewall rule, everything started working properly. I also noticed that when making changes to the NAT rules (and possibly others), it takes a couple of seconds before they actually get put into effect.