Traffic of routed subnet has to go out one specific connection
-
Dear,
I have a pfsense box with two VDSL2 connections (both with a fixed IP):
OpenWeb/WeePee : 217.145.41.147
EDPnet : 85.234.198.205
The first connection (openweb/weepee) is the default gateway and has to be used by everyone who uses the network here. The second connection (edpnet) will be used for some servers, and that ISP provides me a routed subnet (85.234.197.0/26) with my EDPnet address as next hop.
The problem is that, because openweb/weepee is the default gateway, all TCP/UDP requests come in through the edpnet connection (as they should), but are sent out over the openweb/weepee connection. So I want to route the outgoing traffic from the servers through the edpnet connection, not the default gateway… Also a very strange thing: a traceroute to any of these IPs isn't possible, but there is an ICMP rule for them?
Here are some screenshots of the setup.
WEEPEE01 = openweb/weepee vdsl2 connection (217.145.41.147)
EDPNET01 = edpnet vdsl2 connection (85.234.198.205)
SERVERS01 = routed subnet (85.234.197.0/26)

System gateways:
http://kris.derocker.name/pfsense/iprange/systemgateways.jpg
Firewall Rules WeePee/Openweb:
http://kris.derocker.name/pfsense/iprange/firewallrulesweepee01.jpg
Firewall Rules EDPnet:
http://kris.derocker.name/pfsense/iprange/firewallrulesedpnet01.jpg
Firewall Rules Servers01:
http://kris.derocker.name/pfsense/iprange/firewallrulesservers01.jpg
Interface WeePee/Openweb:
http://kris.derocker.name/pfsense/iprange/interfacesweepee01.jpg
Interface EDPnet:
http://kris.derocker.name/pfsense/iprange/interfacesedpnet01.jpg
Interface servers01:
http://kris.derocker.name/pfsense/iprange/interfacesservers01.jpg
-
You can run some packet captures on each interface to see what's happening to the traffic, if it's coming in/out servers01 and such.
Rules on the interface tabs are only processed as traffic enters an interface, and they are processed from the top down, the first match wins and processing stops.
So, for example, on your servers01 rules the bottom two would never be hit.
Also, you do not need a gateway set on the servers01 subnet like that. The firewall will act as a gateway automatically, that setting is just for external gateways.
So if you remove the last two rules from the servers01 interface, and change that rule to use a gateway that goes out edpnet, then things should start working.
-
Dear Jimp,
I've done what you noted. Could you please take a look at these screenshots and check whether everything is correct?
http://kris.derocker.name/pfsense/iprange/systemgateways02.jpg
http://kris.derocker.name/pfsense/iprange/firewallrulesweepee02.jpg
http://kris.derocker.name/pfsense/iprange/firewallrulesedpnet02.jpg
http://kris.derocker.name/pfsense/iprange/firewallrulesservers02.jpg
-
1. Your "WEEPEE01" and "EDPNET01" interfaces rules should not have a gateway set. Never set a gateway on WAN rules.
2. The rules on Servers01 should be using GW_OPT7 for the gateway - delete that "servers01gw" gateway - you do not need it, and it's only hurting things.
-
I did it like you mentioned… and it works fine!
Just another question... I've installed a server in the 85.234.197.0/26 IP range (IP 85.234.197.3). I can SSH to the server from inside the LAN or WLAN, but I can't SSH to it from the internet. Do I have to set another rule to allow SSH/HTTP/... traffic? Because e.g. ntpd works fine.
-
Those interface rules are only for outbound connections; the incoming rules would be on the EDPNET01 interface, and would have to allow whatever you're trying.
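The two halves of the advice in this thread (policy-route the servers' outbound traffic with a gateway on the SERVERS01 rule, never on the WAN rules, and open the inbound ports on the EDPNET01 tab) correspond to a `route-to` rule on the inside interface and `reply-to` pass rules on the WAN. The pf.conf fragment below is an added example written for this edit, not the thread's screenshots or pfSense's generated ruleset. The public addresses and the routed subnet are the ones in the thread; the interface device names (igb0/igb1/igb2/igb3), the LAN subnet and both ISP next-hop addresses are assumptions.

```pf
# Added example, not from the thread or from pfSense's generated rules.
# Device names, the LAN subnet and the two next hops are assumptions.
weepee_if   = "igb0"            # WEEPEE01, 217.145.41.147, system default route
edpnet_if   = "igb1"            # EDPNET01, 85.234.198.205
servers_if  = "igb2"            # SERVERS01, 85.234.197.0/26 (routed to us by EDPnet)
lan_if      = "igb3"            # assumed internal LAN interface
weepee_gw   = "217.145.41.1"    # assumed ISP next hop on WEEPEE01
edpnet_gw   = "85.234.198.1"    # assumed ISP next hop on EDPNET01
lan_net     = "192.168.1.0/24"  # assumed internal LAN
servers_net = "85.234.197.0/26"

set skip on lo0
block log all

# Rules are evaluated as traffic ENTERS an interface, top down; the first
# "quick" match wins and nothing below it is consulted. The local-destination
# rule therefore has to sit ABOVE the policy-routed catch-all, otherwise the
# servers' replies to LAN hosts would be pushed out to EDPnet instead.
pass in quick on $servers_if from $servers_net to $lan_net keep state
pass in quick on $servers_if route-to ($edpnet_if $edpnet_gw) from $servers_net to any keep state

# LAN keeps the default route (WEEPEE01): no route-to on its rule at all.
pass in quick on $lan_if from $lan_net to any keep state

# WAN rules carry no route-to. On a non-default WAN, reply-to makes the reply
# packets leave through the interface the connection arrived on, which is
# what pfSense adds for you when the interface has a gateway assigned.
pass in quick on $edpnet_if reply-to ($edpnet_if $edpnet_gw) proto tcp from any to 85.234.197.3 port { 22, 80 } keep state
pass in quick on $edpnet_if reply-to ($edpnet_if $edpnet_gw) proto udp from any to 85.234.197.3 port 123 keep state

# Nothing is opened on the default WAN here; replies to LAN-initiated
# connections are matched by state, not by these rules.
pass out quick all keep state
```

Two things worth checking on a box built this way: `pfctl -vvsr` shows whether the live SERVERS01 rule actually carries `route-to` (if it does not, the gateway never took effect), and a capture on `$edpnet_if` while a server opens an outbound connection should show the SYN leaving there rather than on `$weepee_if`. The inbound SSH/HTTP rule lives on the EDPNET01 tab because it is matched when the packet enters that interface, which is exactly the point made in the last reply.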