Netgate Discussion Forum

Policy routing (set clients use specific WAN) issues

  • C
    costasppc
    last edited by Apr 20, 2013, 10:41 AM

    Hello,

    I am trying to implement policy routing (set clients to use a specific WAN, mostly because our WANs do not have equal speed). I have created LAN rules where a LAN IP uses a specific gateway. I can see that those machines are "going out" from a specific ISP (based on pfsense.org/ip.php), but when I do a traceroute from one of these clients I see that they use a different ISP!

    Is this based on the "Default Gateway" of PFsense, or should I do something else for policy routing?

    Best regards

    Kostas

    • A
      archy
      last edited by Apr 22, 2013, 8:25 PM

      Use advanced NAT; you may find the answer.

      • C
        costasppc
        last edited by Apr 22, 2013, 8:51 PM

        Thank you,

        You mean I should create outbound NAT rules for every alias I use in the LAN > WAN rules?

        Best regards

        Kostas

        • T
          tim.mcmanus
          last edited by Apr 23, 2013, 11:30 PM

          I used a firewall rule.  See enclosed screen shot.

          I have one computer that is on my LAN that I want to go out my WAN2 connection.  Because I am lazy (proud of it too), I didn't bother moving the 10.0.1.240 server to the 10.0.2.2/24 network.  Instead, I created a firewall rule that moves all of the traffic coming from 10.0.1.240 out of the WAN2 gateway.  Below that I have a LAN rule to move everything out the WAN gateway.

          [Attachment: Screen Shot 2013-04-23 at 7.34.33 PM.png]

          • C
            costasppc
            last edited by Apr 24, 2013, 12:47 PM

            I have done the same thing (see image).

            However, when I do a traceroute from these machines, I see the main WAN as next hop after Pfsense.

            Can you check, please if this happens also to you?

            Best regards

            Kostas

            [Attachment: LAN2WAN_rule.png]

            • T
              tim.mcmanus
              last edited by Apr 24, 2013, 2:14 PM

              I'm going to assume you're using VLANs on your WAN connection because of the way you have them tagged.  You might have a VLAN issue that's not routing the packets to the correct gateway.

              The way I check mine is to go to the URL checkip.dyndns.org and see which IP is being displayed.

              • C
                costasppc
                last edited by Apr 24, 2013, 3:16 PM

                Thank you,

                VLANs are working fine. When I use a WAN IP check tool, like yours or pfsense.org/ip.php, it shows the correct WAN IP the client should follow. The problem is in traceroute.

                Best regards

                Kostas

                • D
                  dhatz
                  last edited by Apr 24, 2013, 4:42 PM

                  Well, since in the policy-routing rules you've posted in Reply #4 above you're explicitly specifying the TCP protocol, whereas traceroute uses ICMP, it all makes perfect sense.

                  • C
                    costasppc
                    last edited by Apr 24, 2013, 5:52 PM

                    Thank you,

                    Shouldn't it show the next hop of the preferred ISP?

                    Best regards

                    Kostas

                    • T
                      tim.mcmanus
                      last edited by Apr 24, 2013, 5:59 PM

                      Look at the screen shot I attached earlier and how there is an "*" in the protocol column.  That means anything from my 10.0.1.240 goes out the gateway.

                      However, you are only sending TCP out of your gateways.  Traceroute does not always use TCP packets.  Since this is the case, the trace route will only go out the default gateway since it's not using TCP.

                      You need to change the protocol from "TCP" to "Any" or "All" so all of your network traffic goes out that gateway.  That's why you're not seeing the correct information in your traceroute.  Make that change and then traceroute again.  It'll work properly.

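The protocol mismatch dhatz and tim.mcmanus describe, as an added example that is not code from this thread or from pfSense itself: a small first-match evaluator for pfSense-style LAN rules, run once with the policy rule limited to TCP and once with protocol "*". The host 10.0.1.240, the gateway names WAN_GW/WAN2_GW and the catch-all LAN rule are constructed from tim's description, not taken from a real configuration. It generalizes slightly beyond the thread by also covering the UDP probes that the default Unix traceroute sends.

```python
"""Added example, not code from the forum thread or from pfSense itself:
a first-match evaluator for pfSense-style LAN policy-routing rules.

It shows why a rule restricted to TCP still sends traceroute probes
(ICMP echo for Windows tracert / traceroute -I, UDP for the default Unix
traceroute) out the system default gateway. The host 10.0.1.240, the
gateway names WAN_GW/WAN2_GW and the catch-all rule below are constructed
from the thread's description, not taken from a real configuration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed: what traffic follows when a rule's Gateway field is left at
# "default", i.e. the system routing table, whose default route is the primary WAN.
SYSTEM_DEFAULT_GW = "WAN_GW"


@dataclass(frozen=True)
class Rule:
    """One pass rule on the LAN tab. proto is 'any' ('*' in the GUI), 'tcp', 'udp' or 'icmp'."""
    proto: str
    src: str                 # source in CIDR form; a single host is /32
    gateway: Optional[str]   # None means the rule's Gateway field is "default"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    proto: str


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """A rule matches when its protocol is '*' or equal to the flow's, and the
    source address falls inside the rule's source network."""
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    return ipaddress.ip_address(flow.src_ip) in ipaddress.ip_network(rule.src, strict=False)


def egress_gateway(rules: List[Rule], flow: Flow) -> str:
    """Interface rules are evaluated top to bottom and the first match wins.
    Returns the gateway the flow is policy-routed to, SYSTEM_DEFAULT_GW when the
    matching rule has no gateway set, or 'BLOCKED' for the implicit default deny."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.gateway if rule.gateway is not None else SYSTEM_DEFAULT_GW
    return "BLOCKED"


HOST = "10.0.1.240"  # constructed, following tim's description

# Ruleset as originally posted: policy rule limited to TCP, then the LAN catch-all.
TCP_ONLY_RULES = [
    Rule(proto="tcp", src=f"{HOST}/32", gateway="WAN2_GW"),
    Rule(proto="any", src="10.0.1.0/24", gateway=None),
]

# The fix from the thread: protocol '*' on the policy rule.
ANY_PROTO_RULES = [
    Rule(proto="any", src=f"{HOST}/32", gateway="WAN2_GW"),
    Rule(proto="any", src="10.0.1.0/24", gateway=None),
]

# Constructed probes from the host: what each kind of check actually sends.
PROBES = {
    "tcp": Flow(HOST, "tcp"),    # HTTPS to an IP-check site (what pfsense.org/ip.php sees)
    "icmp": Flow(HOST, "icmp"),  # Windows tracert, Linux traceroute -I
    "udp": Flow(HOST, "udp"),    # default Unix traceroute (UDP to high ports)
}


def egress_table(rules: List[Rule]) -> Dict[str, str]:
    """Map each probe protocol to the gateway it leaves through under the given rules."""
    return {name: egress_gateway(rules, flow) for name, flow in PROBES.items()}


if __name__ == "__main__":
    for label, rules in (("proto tcp", TCP_ONLY_RULES), ("proto *", ANY_PROTO_RULES)):
        print(label, egress_table(rules))
```

The same split can be checked on a real client without a simulator: on Linux, `traceroute -T -p 443 <host>` sends TCP SYN probes and would have matched the TCP-only rule, while `traceroute -I` (ICMP echo) and plain `traceroute` (UDP) take the default route. Comparing the two is a quicker test of a rule's protocol scope than a single IP-check site, which only ever exercises TCP.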
                      • C
                        costasppc
                        last edited by Apr 24, 2013, 6:28 PM

                        You are absolutely right (hat off-bow).

                        I will change it to *.

                        Best regards

                        Kostas

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.