Netgate Discussion Forum
    Policy routing (set clients use specific WAN) issues

    Firewalling
    • costasppc

      Hello,

      I am trying to implement Policy routing (set clients use a specific WAN, mostly because our WANs do not have equal speed). I have created LAN rules where a LAN IP uses a specific Gateway. I can see that those machines are "going out" from a specific ISP (based on pfsense.org/ip.php), but when from one of these clients I do a traceroute I see that they use a different ISP!

      Is this based on the "Default Gateway" of pfSense, or should I do something else for policy routing?

      Best regards

      Kostas

      • archy

        Use advanced NAT; you may find the answer.

        • costasppc

          Thank you,

          You mean I should create outbound NAT rules for every alias I use in the LAN > WAN rules?

          Best regards

          Kostas

          • tim.mcmanus

            I used a firewall rule. See the enclosed screenshot.

            I have one computer that is on my LAN that I want to go out my WAN2 connection. Because I am lazy (proud of it too), I didn't bother moving the 10.0.1.240 server to the 10.0.2.2/24 network. Instead, I created a firewall rule that moves all of the traffic coming from 10.0.1.240 out of the WAN2 gateway. Below that I have a LAN rule to move everything out the WAN gateway.

            ![Screen Shot 2013-04-23 at 7.34.33 PM.png](/public/imported_attachments/1/Screen Shot 2013-04-23 at 7.34.33 PM.png)

            • costasppc

              I have done the same thing (see image).

              However, when I do a traceroute from these machines, I see the main WAN as the next hop after pfSense.

              Can you please check if this happens to you as well?

              Best regards

              Kostas

              LAN2WAN_rule.png

              • tim.mcmanus

                I'm going to assume you're using VLANs on your WAN connection because of the way you have them tagged. You might have a VLAN issue that's not routing the packets to the correct gateway.

                The way I check mine is to go to the URL checkip.dyndns.org and see which IP is being displayed.

                • costasppc

                  Thank you,

                  VLANs are working fine. When I use a WAN IP check tool, like yours or pfsense.org/ip.php, it shows the correct WAN IP the client should follow. The problem is in traceroute.

                  Best regards

                  Kostas

                  • dhatz

                    Well, since in the policy-routing rules you've posted in Reply #4 above you're explicitly specifying the TCP protocol, whereas traceroute uses ICMP, it all makes perfect sense.

                    • costasppc

                      Thank you,

                      Shouldn't it show the next hop of the preferred ISP?

                      Best regards

                      Kostas

                      • tim.mcmanus

                        Look at the screenshot I attached earlier and how there is an "*" in the protocol column. That means anything from my 10.0.1.240 goes out the gateway.

                        However, you are only sending TCP out of your gateways. Traceroute does not always use TCP packets. Since this is the case, the traceroute will only go out the default gateway since it's not using TCP.

                        You need to change the protocol from "TCP" to "Any" or "All" so all of your network traffic goes out that gateway. That's why you're not seeing the correct information in your traceroute. Make that change and then traceroute again. It'll work properly.

                        • costasppc
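The mismatch tim.mcmanus and dhatz describe (a TCP-only policy-routing rule, so traceroute probes fall through to the default gateway) can be reproduced with a small first-match rule evaluator. This is an added illustration, not code from the thread or from pfSense: the gateway names `WAN_GW` and `WAN2_GW`, the `Rule`/`Packet` types and the sample traffic are all constructed. It checks the thread's rules with both the original `tcp` protocol and the suggested `*`, for a TCP flow (what an IP-check web page sees) and for the ICMP and UDP probes that Windows `tracert` and the default Linux/BSD `traceroute` send.

```python
"""Simplified model of first-match policy-routing rule evaluation.

Constructed example for illustration; it is not pfSense code and does not
parse pf rulesets. It only captures the two match criteria that matter in
the thread (protocol and source) plus the per-rule gateway.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Hypothetical gateway names standing in for the thread's WAN (default) and WAN2.
DEFAULT_GATEWAY = "WAN_GW"


@dataclass(frozen=True)
class Rule:
    proto: str              # "tcp", "udp", "icmp" or "*" (any protocol)
    source: str             # host or CIDR, or "*" for any source
    gateway: Optional[str]  # None means "use the system default gateway"


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when both its protocol and source criteria match."""
    proto_ok = rule.proto == "*" or rule.proto == pkt.proto
    src_ok = rule.source == "*" or ip_address(pkt.src) in ip_network(rule.source, strict=False)
    return proto_ok and src_ok


def select_gateway(rules: List[Rule], pkt: Packet) -> str:
    """Top-down, first match wins (the order the rules appear on the LAN tab).

    A matching rule with no gateway, or no matching rule at all, means the
    packet is routed by the system routing table, i.e. the default gateway.
    """
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.gateway or DEFAULT_GATEWAY
    return DEFAULT_GATEWAY


# Ruleset as posted in the thread: the 10.0.1.240 host pinned to WAN2 with
# protocol TCP, followed by a catch-all LAN rule out the default WAN.
TCP_ONLY_RULES = [
    Rule(proto="tcp", source="10.0.1.240", gateway="WAN2_GW"),
    Rule(proto="*", source="10.0.1.0/24", gateway=None),
]

# The same ruleset after the suggested fix: protocol "*" (Any) on the pin rule.
ANY_PROTO_RULES = [
    Rule(proto="*", source="10.0.1.240", gateway="WAN2_GW"),
    Rule(proto="*", source="10.0.1.0/24", gateway=None),
]

# Constructed sample traffic from the pinned host to a documentation address.
HTTPS = Packet("tcp", "10.0.1.240", "203.0.113.10")        # browser to an IP-check site
ICMP_PROBE = Packet("icmp", "10.0.1.240", "203.0.113.10")  # Windows tracert / ping
UDP_PROBE = Packet("udp", "10.0.1.240", "203.0.113.10")    # default Linux/BSD traceroute


def egress_report(rules: List[Rule]) -> Dict[str, str]:
    """Which gateway each sample flow would leave through under `rules`."""
    samples = [("https", HTTPS), ("icmp", ICMP_PROBE), ("udp", UDP_PROBE)]
    return {name: select_gateway(rules, pkt) for name, pkt in samples}


if __name__ == "__main__":
    # With the TCP-only rule the web check says WAN2 while traceroute says WAN;
    # with protocol "*" every flow from the host leaves via WAN2.
    print("TCP-only pin rule:    ", egress_report(TCP_ONLY_RULES))
    print("Any-protocol pin rule:", egress_report(ANY_PROTO_RULES))
```

The split result under `TCP_ONLY_RULES` is exactly the symptom in the thread: the IP-check page (TCP) reports the preferred ISP, while ICMP or UDP traceroute probes never match the pin rule, fall to the catch-all, and leave through the default WAN. The same evaluator also shows that traffic from any other LAN host is unaffected by the pin rule.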

                          You are absolutely right (hat off, bow).

                          I will change it to *.

                          Best regards

                          Kostas

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.