Policy based routing on VIP
-
Dear forum users,
We've used policy based routing on PFSense very successfully in the past!
Now, I have a question about it.Is it possible to somehow subject traffic on a VIP to PBR?
I.e.
Interface em0 has IP 10.0.0.1
It also has a VIP 10.0.0.2Now I wish to configure traffic coming in on em0 to IP 10.0.0.2 should be routed differently than traffic coming in on em0 at ip 10.0.0.1.
Afaik this isn't possible since I'd need two interfaces in the same LAN on different physical interfaces (i.e. move 10.0.0.2 to em1).Am I mistaken or can PBR somehow be accomplished with a VIP?
-
It might be possible with a different subnet .. but that is a whole other set of problems.
-
You mean balance by source address?
I was thinking about that, but then I'd have to put all clients into a special DHCP pool. That might actually be possible, now that I come to think of it. Because right now the "special" clients have static DHCP leases that have a default gateway override in MS DHCP.
I guess by moving them to another pool, or into a special reserve pool I could make this setup a whole lot less complicated, couldn't I?There's one more thing though. The new machine will have to LAN segments. Trusted and untrusted. The trusted site will continue using the MS DHCP server, so no problem there.
But how about the untrusted segment that will use PFSense's DHCP? Can I set up reservations there with gateway overrides? -
But how about the untrusted segment that will use PFSense's DHCP? Can I set up reservations there with gateway overrides?
Not in the webinterface, but in the dhcpd.conf you can add a line "option routers" in your reservation as so:
host s_lan_3 { hardware ethernet 00:26:18:xx:xx:xx; fixed-address 192.168.1.7; option host-name "Core-i7"; option routers 192.168.1.1; }problem that file gets overwritten automatically when the xml configuration is parsed.
-
Thanks SeventhSon!
If I implement this, I'll change the WebGUI and submit the changes!
-
If you're doing this, you might want to have a look at the groups options too in dhcp.conf. If you add multiple MAC addresses to a group like so:
group { option routers 192.168.1.1; filename "cisco-image.bin"; host Cisco-Phone1 { hardware ethernet 00:0E:08:xx:xx:x1; } host Cisco-Phone2 { hardware ethernet 00:0E:08:xx:xx:x2; } }you can add multiple hosts to a group with multiple settings. In this example, changing gateway and tftp image for some (imaginary) phones.
I would love this feature in the webGUI, but I'm not too good at PHP…
-
I'll have a look this weekend how severe such a change would be and if with my PHP skills I consider it practial, I'll do it.