Policy routing (set clients use specific WAN) issues

costasppc · Apr 20, 2013, 10:41 AM

Hello,

I am trying to implement Policy routing (set clients use a specific WAN, mostly because our WANs do not have equal speed). I have created LAN rules where a LAN IP uses a specific Gateway. I can see that those machines are "going out" from a specific ISP (based on pfsense.org/ip.php), but when from one of these clients I do a traceroute I see that they use a different ISP!

Is this based on the "Default Gateway" of PFsense, or should I do something else for policy routing?

Best regards

Kostas

archy · Apr 22, 2013, 8:25 PM

Use advance NAT you may find the answer.

costasppc · Apr 22, 2013, 8:51 PM

Thank you,

You mean I should create outbound NAT rules for every alias I use in the LAN > WAN rules?

Bet regards

Kostas

tim.mcmanus · Apr 23, 2013, 11:30 PM

I used a firewall rule. See enclosed screen shot.

I have one computer that is on my LAN that I want to go out my WAN2 connection. Because I am lazy (proud of it too), I didn't bother moving the 10.0.1.240 server to the 10.0.2.2/24 network. Instead, I created a firewall rule that moves all of the traffic coming from 10.0.1.240 out of the WAN2 gateway. Below that I have a LAN rule to move everything out the WAN gateway.

![Screen Shot 2013-04-23 at 7.34.33 PM.png](/public/imported_attachments/1/Screen Shot 2013-04-23 at 7.34.33 PM.png)
![Screen Shot 2013-04-23 at 7.34.33 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2013-04-23 at 7.34.33 PM.png_thumb)

costasppc · Apr 24, 2013, 12:47 PM

I have done the same thing (see image).

However, when I do a traceroute from these machines, I see the main WAN as next hop after Pfsense.

Can you check, please if this happens also to you?

Best regards

Kostas

tim.mcmanus · Apr 24, 2013, 2:14 PM

I'm going to assume you're using VLANs on your WAN connection because of the way you have them tagged. You might have a VLAN issue that's not routing the packets to the correct gateway.

They way I check mine is to go to the URL checkip.dyndns.org and see which IP is being displayed.

costasppc · Apr 24, 2013, 3:16 PM

Thank you,

VLANs are working fine. When I use a WAN IP check tool, like yours or pfsense.org/ip.php, it shows the correct WAN IP the client should follow. The problem is in traceroute.

Best regards

Kostas

dhatz · Apr 24, 2013, 4:42 PM

Well, since in the policy-routing rules you've posted in Reply #4 above you're explicitly specifying the TCP protocol, whereas traceroute uses ICMP, it all makes perfect sense.

costasppc · Apr 24, 2013, 5:52 PM

??? ??? ??? ???

Thank you,

Shouldn't show the next hop of the preferred ISP?

Best regards

Kostas

tim.mcmanus · Apr 24, 2013, 5:59 PM

Look at the screen shot I attached earlier and how there is an "*" in the protocol column. That means anything from my 10.0.1.240 goes out the gateway.

However, you are only sending TCP out of your gateways. Traceroute does not always use TCP packets. Since this is the case, the trace route will only go out the default gateway since it's not using TCP.

You need to change the protocol from "TCP" to "Any" or "All" so all of your network traffic goes out that gateway. That's why you're not seeing the correct information in your traceroute. Make that change and then traceroute again. It'll work properly.

costasppc · Apr 24, 2013, 6:28 PM

You are absolutely right (hat off-bow).

I will change it to *.

Best regards

Kostas