Forcing traffic from an IP address to leave via a specific gateway
  • Hi,

    I'm trying to force all traffic from a specific machine to leave via a specific gateway, but I can't seem to get it to work correctly.

    I have set up two rules for testing purposes.

    One is that any TCP traffic to a certain IP address (8.8.8.8) has to go through Gateway2; the other is that all traffic from the IP address of the machine should go through Gateway2 (rules set up under Firewall -> Rules -> LAN). These rules are the first two rules after the default anti-lockout rule.

    If I go to whatismyip.com (or equivalent) it does report the correct public IP address for Gateway2. However, a tracert to 8.8.8.8 seems to leave via Gateway1.

    Is this a peculiarity of tracert or am I doing something wrong?

    Many thanks in advance
    bb



  • Are you also using 8.8.8.8 as a DNS server, or a gateway monitor IP, or something similar?
    Those things might create a route of their own to 8.8.8.8.



  • @phil.davis:

    Are you also using 8.8.8.8 as a DNS server, or a gateway monitor IP, or something similar?
    Those things might create a route of their own to 8.8.8.8.

    Hi,

    Thanks for taking the time to try and help.

    I changed the address to that of a website (184.154.165.130) and the behavior is still the same.

    Can you think of anything else I can try to diagnose the problem or remedy whatever idiocy I have done?

    Many thanks
    bb



  • One is that any TCP traffic to a certain IP address (8.8.8.8) has to go through Gateway2

    I should have read more carefully. traceroute (and ping) are ICMP, not TCP or UDP. A rule for TCP will not match traceroute packets.
    Make your rule for all protocols, or make another rule for the ICMP protocol.
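    The mismatch described above, written out as pf rules of the kind pfSense generates from the Firewall -> Rules -> LAN page (an added example, not from any of the posts in this thread; the LAN interface em0, the WAN2 interface em2, the host 192.168.1.50 and the Gateway2 next hop 203.0.113.1 are constructed placeholders). One caveat worth keeping in mind when testing: Windows tracert and ping send ICMP echo requests, while the Unix traceroute command sends UDP probes by default, so a rule written only for TCP matches neither tool.

```pf
# Constructed placeholders: host to be policy-routed, WAN2 interface, Gateway2 next hop
lan_host = "192.168.1.50"
wan2_if  = "em2"
wan2_gw  = "203.0.113.1"

# BEFORE: "proto tcp" restricts the match to TCP. ICMP echo (tracert, ping) and
# the UDP probes of Unix traceroute never hit this rule, fall through to the
# default rules below, and leave via the default gateway (Gateway1).
pass in quick on em0 route-to ( $wan2_if $wan2_gw ) inet proto tcp from $lan_host to 8.8.8.8 keep state label "policy_tcp_only"

# AFTER (option 1): no "proto" keyword, so every IPv4 protocol from the host is
# policy-routed to Gateway2, which is what the thread wanted in the first place.
pass in quick on em0 route-to ( $wan2_if $wan2_gw ) inet from $lan_host to any keep state label "policy_any_proto"

# AFTER (option 2): keep the TCP rule and add explicit rules for the probe
# protocols, if only the one destination should be steered to Gateway2.
pass in quick on em0 route-to ( $wan2_if $wan2_gw ) inet proto icmp from $lan_host to 8.8.8.8 keep state label "policy_icmp"
pass in quick on em0 route-to ( $wan2_if $wan2_gw ) inet proto udp from $lan_host to 8.8.8.8 keep state label "policy_udp"

# Default LAN pass rule without route-to: anything not matched above takes the
# system routing table, i.e. Gateway1.
pass in quick on em0 inet from 192.168.1.0/24 to any keep state label "lan_default"
```

    To confirm which rule a probe actually hits on the firewall itself, `pfctl -v -s rules` prints each loaded rule with its packet and byte counters and `pfctl -s state` shows the states it created; a traceroute that still exits via Gateway1 will leave the policy rule's counters unchanged.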



  • @phil.davis:

    One is that any TCP traffic to a certain IP address (8.8.8.8) has to go through Gateway2

    I should have read more carefully. traceroute (and ping) are ICMP, not TCP or UDP. A rule for TCP will not match traceroute packets.
    Make your rule for all protocols, or make another rule for the ICMP protocol.

    So it was idiocy on my part!

    Thank you so much for clearing that up.

    Kindest regards
    bb