Route traffic from specific IP addresses to specific WAN

  • I am getting a second WAN connection installed on our network. There are clients in the to 199 range that I want to have all traffic go over the existing DSL connection. The second DSL connection must only be used by IP addresses that I have assigned outside of the DHCP pool mentioned above. On top of that, these specific IP addresses must be able to use the old line too. In a perfect world, connections from the specified IP addresses will go out on the second line and borrow bandwidth from the existing WAN connection if required. Possible?

  • Possible. Use gateway groups and policy-based routing.

    For the PCs that need to use both DSL connections, make a load-balanced gateway group. For the other PCs, just make a failover gateway group with one DSL in Tier1 and the other DSL in Tier2.

  • Failover trick is a great idea! Thanks. I will try that when the line is installed and report back.

  • I do not mean to hijack your question, but I am trying to do somewhat the same thing. The difference is that I just need one computer to connect to the internet using the other DSL line. I really thought it would be as easy as creating a rule to forward outbound traffic to the second WAN. This does not work. So the suggested method above is the route to take?


  • Rebel Alliance Developer Netgate

    All that you need is a rule above the default catch-all rule to direct their traffic to another gateway (or a gateway group that does failover).

    The rules match from the top down and the first match wins. If the rule they match sends their traffic out another gateway, it will go that way.
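    To make the two points above concrete (gateway groups with tiers, and top-down first-match rule evaluation), here is an added toy model of pfSense-style policy routing. It is example code written for this page, not pfSense's own code; the LAN addresses, gateway names, rule set and the pinned-host address are all assumed, and the monitoring of gateways is reduced to an `up` flag.

```python
"""Toy model of pfSense-style policy-based routing (added example, not
pfSense code). Firewall rules are checked top-down, the first match wins,
and a matching rule may hand the new connection to a single gateway or to
a gateway group whose members are tried tier by tier."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional, Union


@dataclass
class Gateway:
    name: str
    up: bool = True   # real pfSense learns this from gateway monitoring; a flag here


@dataclass
class GatewayGroup:
    name: str
    tiers: dict       # tier number -> list of Gateway; lower tier is preferred

    def pick(self, flow_id: int) -> Optional[Gateway]:
        """Fail over across tiers, load-balance inside a tier.

        Tier1 members carry traffic while any of them is up; a higher tier is
        used only when every member of the lower tiers is down. Members that
        share a tier split connections (round-robin keyed by flow_id here)."""
        for tier in sorted(self.tiers):
            alive = [g for g in self.tiers[tier] if g.up]
            if alive:
                return alive[flow_id % len(alive)]
        return None   # every member down: nothing usable in this group


@dataclass
class Rule:
    src: list                        # list of IPv4Network, like a pfSense alias
    proto: Optional[str] = None      # None = any protocol
    dst_port: Optional[int] = None   # None = any destination port
    gateway: Union[Gateway, GatewayGroup, None] = None  # None = default route

    def matches(self, src_ip: IPv4Address, proto: str, dst_port: int) -> bool:
        return (any(src_ip in net for net in self.src)
                and self.proto in (None, proto)
                and self.dst_port in (None, dst_port))


def select_gateway(rules, src_ip: str, proto: str, dst_port: int, flow_id: int = 0):
    """Name of the egress gateway for a new connection: 'default' if the first
    matching rule sets no gateway, None if nothing matched or the chosen
    gateway/group is entirely down."""
    ip = IPv4Address(src_ip)
    for rule in rules:                       # top-down, first match wins
        if rule.matches(ip, proto, dst_port):
            target = rule.gateway
            if target is None:
                return "default"
            if isinstance(target, GatewayGroup):
                gw = target.pick(flow_id)
                return gw.name if gw else None
            return target.name if target.up else None
    return None                              # no pass rule matched


# Constructed topology (assumed): LAN 192.168.1.0/24, DHCP pool ends at .199,
# statically assigned hosts .200-.254 are allowed to use both DSL lines.
WAN1 = Gateway("WAN_DSL1")                   # the existing line
WAN2 = Gateway("WAN_DSL2")                   # the new line
FAILOVER = GatewayGroup("DSL_Failover", {1: [WAN1], 2: [WAN2]})
BALANCED = GatewayGroup("DSL_Balance", {1: [WAN1, WAN2]})
STATIC_HOSTS = [IPv4Network("192.168.1.200/29"),   # .200-.207
                IPv4Network("192.168.1.208/28"),   # .208-.223
                IPv4Network("192.168.1.224/27")]   # .224-.255
LAN = [IPv4Network("192.168.1.0/24")]

RULES = [
    Rule([IPv4Network("192.168.1.77/32")], gateway=WAN2),  # one PC pinned to the new line
    Rule(LAN, "tcp", 587, gateway=FAILOVER),   # mail submission via the failover group
    Rule(STATIC_HOSTS, gateway=BALANCED),      # static hosts share both lines
    Rule(LAN, gateway=FAILOVER),               # catch-all: old line, new line as backup
]

if __name__ == "__main__":
    for host, port in (("192.168.1.50", 443), ("192.168.1.210", 443),
                       ("192.168.1.210", 587), ("192.168.1.77", 443)):
        print(host, port, "->", select_gateway(RULES, host, "tcp", port))
```

Note that the order matters: because the tcp/587 rule sits above the static-hosts rule, a static host's mail submission follows the failover group, not the balanced one. The model returns `None` when every member of a group is down; what real pfSense does in that case depends on its gateway monitoring and the "Skip rules when gateway is down" setting, which this example does not model.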

  • If I put a rule directing just the email port to the failover gateway, it should work? I'm questioning this because I did it and the email has stopped working; the states table shows CLOSED:SYN_SENT.


  • Rebel Alliance Developer Netgate

    Yes, it should work for anything you can match with a firewall rule. Some ISPs block outbound SMTP on port 25 though. If you have only mail clients, not a mail server, make sure that your mail server and clients are set to use tcp/587 for authenticated submission.

    CLOSED:SYN_SENT means that one side sent a SYN packet to establish a connection, but the other side did not respond (it could have been blocked, ignored, or otherwise discarded/misrouted).

  • Thank you for your explanation @jimp. I questioned this because, as I said, it was working and then after changing the rule to pass through the failover gateway it stopped working; perhaps something was misconfigured. As I don't have this scenario anymore, I will try later.
    Someone here in this forum said to put a rule on top allowing any to any (port, src and dst) passing through the failover gateway. Won't this allow any traffic, or will it just route the traffic?

    Thank you again!

  • That will pass and route the traffic. If the WAN you're sending it out of works in general (change the rule to HTTP, for instance, and try), but SMTP doesn't work, then I'd guess that provider blocks SMTP (standard on residential-class connectivity).

  • Alright, thank you guys!
