Internal IP to 2nd gateway



  • Hello,

    I'm fairly new to pfSense and this software is amazing; I only have a small issue that I cannot solve.
    I have a Multi-WAN setup as a Failover, not as a Load Balancer.

    But now I have an internal IP address that needs to go over the second gateway. How can I make an exception for that internal IP address?

    The current setup is:
    LAN (10.0.0.*) ===> Gateway Group [Failover] (WAN1 and WAN2)

    How i want it to be is:
    LAN (10.0.0.*) ===> Gateway Group [Failover] (WAN1 and WAN2)
    LAN (10.0.0.4) ===> Gateway (WAN2)

    Hope you guys can help me.

    Edit: added screenshot of firewall rule on LAN interface



  • Rules are processed from top to bottom.
    If a rule matches, the rest below is not considered.

    Simply move your exception rule above your other general rule and it should work.
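
The ordering point above, written out as an added example that is not configuration from this thread: a stand-alone pf.conf in the form pfSense generates for LAN policy routing. Interface names, gateway addresses and the second-subnet table are assumptions. It can be syntax-checked with `pfctl -nf example.conf`.

```pf
# Added example (not from the thread): the LAN ruleset behind the poster's setup,
# as a stand-alone pf.conf. Interface names and gateway addresses are assumptions.
lan  = "em0"
wan1 = "em1"
wan2 = "em2"
gw1  = "198.51.100.1"      # assumed WAN1 next hop
gw2  = "203.0.113.1"       # assumed WAN2 next hop
lan_net = "10.0.0.0/24"

# Destinations that must never be policy-routed (other internal or VPN subnets).
# Assumed contents; add whatever sits behind this firewall besides the LAN itself.
table <local_nets> { 10.0.0.0/24, 192.168.50.0/24 }

set skip on lo0
block log all

# 0. Traffic for other internal networks passes with no gateway at all.
#    route-to applies to everything a rule matches, including packets meant for a
#    second LAN or a VPN, so this rule has to sit above the policy-routing rules.
pass in quick on $lan inet from $lan_net to <local_nets> keep state

# 1. The exception comes FIRST. "quick" makes the first match final, so 10.0.0.4
#    is sent out WAN2 before the general rule below ever sees it.
pass in quick on $lan route-to ($wan2 $gw2) inet proto { tcp udp icmp } from 10.0.0.4 to any keep state

# 2. The general rule: everyone else follows the failover pair. (pfSense regenerates
#    the ruleset when a gateway changes state, so at run time a failover group shows
#    only the member currently in use; both are listed here to show the intent.)
pass in quick on $lan route-to { ($wan1 $gw1), ($wan2 $gw2) } inet proto { tcp udp icmp } from $lan_net to any keep state

# Outbound on both WANs.
pass out quick on { $wan1 $wan2 } keep state
```

If the two LAN rules are swapped, rule 2 matches 10.0.0.4 first and the exception never fires; nothing warns about this, which is why the ordering is the whole fix. On a pfSense box, Diagnostics > Command Prompt with `pfctl -sr` prints the generated filter rules in evaluation order, so you can confirm the exception sits above the general rule, and Diagnostics > States shows which rule each connection matched.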



  • @GruensFroeschli:

    Rules are processed from top to bottom.
    If a rule matches, the rest below is not considered.

    Simply move your exception rule above your other general rule and it should work.

    Thank you! I changed the order and I will check tomorrow if it's working OK.



  • Agreed that will work fine.



  • Sorry, forgot to reply here. I did indeed change the order and it seems to work perfectly!
    Thanks for the solution!



  • OK, this works fine with outbound traffic…

    How about inbound traffic? What should the rule be then?



  • What are you trying to achieve? That doesn't make any sense.



  • What I want to achieve is to be able to select, for each IP of my internal network, a specific WAN or group of WANs (for load balancing or failover)… here is an example:

    192.168.3.10 <-> WAN1
    192.168.3.20 <-> WAN2

    192.168.3.30 -> LoadBalancing WANGWGRP
    192.168.3.30 <- WAN1



  • Right, watch this video…

    http://www.youtube.com/watch?v=Usi195rK35I

    Ignore the fact that it's related to traffic shaping. The rules on the LAN still apply. Just make sure you select the gateway option and choose the gateway you want, right at the bottom. Make sure they are in the correct order as well, or it won't work... I hope this makes sense.



  • I hope this is what you are referring to?



  • Yeah, bang on.



  • With this configuration it is working only for outbound traffic…

    But when I port forward, let's say, RDP to 192.168.3.55 and try to reach it using WAN2... nothing happens...



  • Oh, I think this may help you. You need to enable loopback in your configuration?

    Go into Advanced

    Firewall / NAT

    (Untick the box)
    Disable NAT Reflection for port forwards

    Disables the automatic creation of additional NAT redirect rules for access to port forwards on your external IP addresses from within your internal networks. Note: Reflection for port forward entries is skipped for ranges larger than 500 ports.



  • Unfortunately this change didn't help in my case :(

    Let me show you my configuration in pictures:

    According to this configuration, all of my LAN IPs 192.168.3.x are using load balancing and working with no problems.
    Except 192.168.3.55, which should use WAN2 as the only GW for inbound and outbound… unfortunately only outbound traffic is going through WAN2.

    In addition I've a lot of port forwards on my default GW (WAN1) to IPs on my LAN 192.168.3.x. All of them are above port 500 and work with no issues.

    I've tried everything I can think of, but no success so far :(



  • Sorry for the late reply. A few things to try… and ask…

    Does RDP work internally? Can you get to the server inside the network with pfSense?

    Also… any reason you have Outbound NAT set to manual? Are you able to switch to automatic and try again for me?

    Are you just adding rules, rather than going via NAT? Or are you using 1:1 NAT?



  • @craigduff:

    Sorry for the late reply. A few things to try… and ask…

    Does RDP work internally? Can you get to the server inside the network with pfSense?

    Behind pfSense I've an ESXi server with a couple of VMs, a few of them Windows based.

    RDP is working internally with no issues:

    Details: As you can see above, 192.168.3.55 should be accessible via WAN2. In addition I've port forwarded the RDP port to x.x.3.55, and no matter what I try to access: let's say if I try to access x.x.3.55:3389 I can connect with no problems… if I try to access WAN2 IP:3389 I can access with no problems..., but from outside my network I don't have access to WAN2 IP:3389, which again is port forwarded to x.x.3.55.

    @craigduff:

    Also… any reason you have Outbound NAT set to manual? Are you able to switch to automatic and try again for me?

    No specific reason for manual over automatic… I've switched to automatic = no changes. I still can't connect from outside.

    @craigduff:

    Are you just adding rules, rather than going via NAT? Or are you using 1:1 NAT?

    I'm not really sure I understand your question.



  • OK, can you confirm you are going into the Firewall section, clicking on NAT and then adding in a port forward? If you are doing this, the NAT rules automatically create a rule; this is under Firewall: Rules… does that appear?

    Before you look at all this... have you done the basics? Rebooted pfSense? That can clean up tables and cache. Also, what equipment do you have before the pfSense? Or does the ISP just plug into pfSense?

    I found in one of my problems that RDP was not working; this was because I had a Zyxel ADSL router in front, and that was the problem. I rebooted and everything started to work...



  • @craigduff:

    OK, can you confirm you are going into the Firewall section, clicking on NAT and then adding in a port forward?

    Precisely.

    @craigduff:

    If you are doing this, the NAT rules automatically create a rule; this is under Firewall: Rules… does that appear?

    No, not at all… Once the port forward is created, no additional rules are created under Firewall: Rules.
    P.S. On WAN1 (default GW) I've a lot of ports which are forwarded to different IPs on my LAN, and none of them has an additional rule automatically created under Firewall: Rules, and they are working just fine.

    @craigduff:

    Before you look at all this… have you done the basics? Rebooted pfSense? That can clean up tables and cache.

    I've restarted pfSense just now, and no effect.

    And after the restart I lost connection to the WebConfigurator… I've restarted the WebConfigurator with no success in gaining access. A 2nd reboot of the whole system didn't fix the new issue.
    I lost connection to the WebConfigurator even from the LAN... which is weird...

    This I call bad luck :)

    @craigduff:

    Also, what equipment do you have before the pfSense? Or does the ISP just plug into pfSense?

    ISPs are connected directly to my pfSense. No additional equipment/devices are before pfSense.

    @craigduff:

    I found in one of my problems that RDP was not working; this was because I had a Zyxel ADSL router in front, and that was the problem. I rebooted and everything started to work…

    Well, it's not my case :)

    I am really puzzled by this issue…



  • Wow, that is bad luck. It's lucky you rebooted now and found there is an issue, rather than later on if you had a power cut etc. I can't say I really understand what's going on… If you have rebooted and it's not coming back on, surely that is a dodgy build of pfSense? What hardware is it on? Have you thought about virtualising it within your ESX environment? This is what I do.

    When you create a rule on the NAT page ("Port Forward"), right at the bottom there is an option for Filter rule association. This is what adds the rules.



  • @craigduff:

    Wow, that is bad luck. It's lucky you rebooted now and found there is an issue, rather than later on if you had a power cut etc. I can't say I really understand what's going on… If you have rebooted and it's not coming back on, surely that is a dodgy build of pfSense? What hardware is it on? Have you thought about virtualising it within your ESX environment? This is what I do.

    When you create a rule on the NAT page ("Port Forward"), right at the bottom there is an option for Filter rule association. This is what adds the rules.

    The pfSense has its own dedicated hardware (server based) with 4 LAN cards (2 for WAN and 2 for LAN).

    I've thought about virtualising it on ESXi, but I am not really sure if this is OK in terms of SPoF or additional devices such as WiFi APs, for example.

    Can you recommend which version to use in production, as obviously the one I'm using has some issues…

    P.S. I'll reinstall pfSense and will reconfigure all from scratch; hopefully it's a bug in the release.



  • To be honest, 2.0.2 is the latest and I am using it on other customer equipment. And it's alright; I was on 2.0.1 for ages, but from my understanding there were bugs fixed in 2.0.2.

    Something else I thought of… can you enable logging on the rule so it has a blue exclamation mark on it? And then try external access and see what the system firewall log says?

    I would recommend a reinstall if you have rebooted and it hasn't come back online. I assume you have done loads of restarts on it before and it's been fine, up until now?



  • OK… here we go again :)

    I've just reinstalled pfSense and reconfigured all settings from scratch.

    And now the conclusion:

    1. I've noticed that whenever I create port forwarding from **WAN1** (default GW) to the internal LAN, I am selecting as shown in pic1 below:

    I really don't have a reasonable explanation why… I've just noticed that this setup works, so I lived that way.

    All ports that are forwarded that way are working with no issues!

    2. Whenever I try to create the same port forwarding, but from WAN2, it is not working!

    No idea why…

    3. Thanks to @craigduff: "When you create a rule on the NAT page ("Port Forward"), right at the bottom there is an option for Filter rule association. This is what adds the rules."

    So I've made the respective changes to the port forwarding from WAN2, as shown in pic2 below:

    And voilà :) It's just working :)

    What I didn't understand is why for WAN1 it should be as per pic1 and for WAN2 as per pic2…

    I really want to Thank @craigduff for his time and effort!

    Respect!
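
What the "Filter rule association" advice and the resolution above amount to in pf terms, as an added example that is not configuration from this thread: a port forward on the second WAN reduced to the pf rules pfSense generates for it, as a stand-alone pf.conf that can be syntax-checked with `pfctl -nf example.conf`. Interface names, the WAN2 address and its next hop are assumptions. On the pf version in pfSense 2.0.x, translation rules must precede filter rules in the file.

```pf
# Added example (not from the thread): a pfSense-style port forward on WAN2 as the
# two pf rules behind it. Interface names, addresses and the WAN2 next hop are assumed.
lan  = "em0"
wan1 = "em1"
wan2 = "em2"
gw2     = "203.0.113.1"     # assumed WAN2 next hop
wan2_ip = "203.0.113.10"    # assumed WAN2 address
rdp_srv = "192.168.3.55"

set skip on lo0

# 1. Translation: this is all the entry under Firewall > NAT > Port Forward is by
#    itself. It rewrites the destination and passes nothing.
rdr on $wan2 proto tcp from any to $wan2_ip port 3389 -> $rdp_srv port 3389

block log all

# 2. The filter rule that "Filter rule association" adds. It matches the
#    post-translation destination. reply-to pins the replies of this state to
#    WAN2's gateway, so they leave the WAN they arrived on instead of following
#    the default route out WAN1. Without this rule the redirected packets hit the
#    block above, which from outside looks exactly like "nothing happens".
pass in quick on $wan2 reply-to ($wan2 $gw2) proto tcp from any to $rdp_srv port 3389 flags S/SA keep state

# 3. LAN side, as in the earlier policy-routing exception: connections the server
#    itself opens go out WAN2. Replies to the forwarded RDP sessions never evaluate
#    this rule, because they belong to the state created by rule 2.
pass in quick on $lan route-to ($wan2 $gw2) inet proto { tcp udp icmp } from $rdp_srv to any keep state
pass out quick on { $wan1 $wan2 } keep state
```

On the pfSense box, `pfctl -sn` lists the loaded translation rules and `pfctl -sr` the filter rules, so the check is simply whether a `pass in ... on em2 ... port 3389` line exists next to the `rdr`; if only the `rdr` is there, the forward is translating into a block. Turning on logging for the rule, as suggested earlier in the thread, then shows the drop in Status > System Logs > Firewall.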



  • No problem! It was my pleasure! I love pfSense! Always will!


Locked