Outbound NAT rules to select non default (WAN link) gateway
-
Hi - apologies if I have posted this in the wrong section.
I recently had a 2.0.3 version of pfSense die on me due to hardware failure. The good news is I had backed up the config the night before, so I was able to get up and running with the config quickly using the latest build (2.1.4 release-i386).
It appears that the behaviour of setting up how LAN clients route out has changed a bit between versions.
What I am trying to restore is the ability to define a gateway for a particular LAN client (we have 4 WAN links) while leaving the majority on the default WAN gateway. In 2.0.3 this was as simple as defining a rule under Firewall > Rules > LAN and creating a new entry with the source as a single host or alias, destination any, port any, action pass, but modifying Gateway under Advanced features to the different (non-default) gateway. This would then allow me, for example, to use a different outbound internet connection for different machines on the network.
Since rebuilding, the system is forcing all traffic through the default WAN link, and if I try the rule as above I lose internal DNS completely and still end up going out the wrong WAN link.
The reason I have posted this under NAT is because I have partially resolved this by going into Firewall > NAT > Outbound, switching to Manual Outbound and inserting a rule for an entire LAN subnet (a second subnet), setting the Interface to the link I want to access the internet through, protocol any, source network 192.168.1.0/24, Translation Address set to interface address. This, when used in conjunction with a 'matching' rule under Firewall > Rules > LAN (an any-to-any rule with the Advanced Feature Gateway set to the same link as defined in the outbound NAT rule), works.
The issue is I cannot seem to do the same for single IPs in either of the LANs, no matter how far up or down the NAT > Outbound rules I create the /32 entry for the specific IP or the matching rule in the Firewall > Rules section.
I hope I have explained this clearly enough for someone to be able to help me with this, as it's driving me bonkers :|
Cheers
-
Hi!
Just to know if you have solved that problem. I'm on v2.2 and having quite the same problem: I've defined a specific rule for specific hosts to use another GW, but the rule is not working: all the traffic is routed through the default GW, as I can verify with a traceroute…
Have a nice day,
Thilroy
-
Reading this..
Make sure you turn off AON as you did.
Make sure you turn off ALL TSO and LRO offloading; to test, even disable checksum offloading, though you will need this. In 2.2 the system tunables have TSO set to 1; change that to 0. That is sort of redundant with the checkbox, but will override it if I'm not mistaken.
TSO and LRO should never be used anywhere on a passive device like a bridge, firewall, switch, etc. It was created for an end point. Not even Intel NICs will work, despite numerous people running on it; what they don't realize is the scrubbing will not normalize any packets, it will break PMTU and cause an initial slowdown on all connections, and it will drop a good amount of traffic. An end host is a different story, but TSO and LRO break scrubbing.
Let me know if you're still seeing this issue. If you can, post your config.xml and do a find and replace to mangle your IPs and anything else revealing. Open it in your browser and run through it to check first; you don't want those public, probably.
Last but not least, if you did a restore from an earlier version, chances are something is there that shouldn't be. What I had to do was manually compare the new 2.2 base config.xml and actually move sections, then re-imported. It took me hours.
pf scrub: leave enabled, make sure no-df IS NOT checked (breaks PMTU also), and let me know your hardware.
pf scrub is so poorly documented I had to go through the source, tons of it, just to figure out what exactly it does. It's not fun, and I only got to understand part of it, but the docs are so limited.
Also, a question: did you happen to order the rules properly? Silly question, but I have to ask.
-
You need rules that negate policy routing first, like for LAN to DMZ, LAN to VPN, etc. They should probably have the default gateway set.
Then you need your policy routing rules that match the traffic you want sent to a specific gateway.
Then you need your catch-all rule that sends all other traffic on its way.
https://doc.pfsense.org/index.php/What_is_policy_routing
https://doc.pfsense.org/index.php/Bypassing_Policy_Routing
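As an added illustration of the rule ordering described in this reply, and of the manual outbound NAT entry the original poster set up, here is the shape of the pf ruleset that pfSense loads for such a configuration. This is example code written for this page, not the forum posters' configs and not the pfSense project's own generated output. The interface names em0/em1/em2, the subnets 192.168.1.0/24 and 192.168.2.0/24, the pinned host 192.168.1.50 and the next hop 203.0.113.1 are all assumptions.

```pf
# Assumed layout (not from the thread): em0 = LAN, em1 = default WAN, em2 = second WAN
lan_if  = "em0"
wan2_if = "em2"
lan_net = "192.168.1.0/24"
dmz_net = "192.168.2.0/24"
wan2_gw = "203.0.113.1"      # next hop on the second WAN link (assumed)
pinned  = "192.168.1.50"     # single host that should leave via WAN2 (assumed)

# Outbound NAT on the second WAN: the manual "Interface = WAN2, source = LAN
# subnet, translation = interface address" entry. nat rules are first-match
# and are only consulted on the interface the packet actually leaves through.
nat on $wan2_if from $lan_net to any -> ($wan2_if)

# pfSense puts "quick" on interface rules, so the first matching rule wins
# and rule order alone decides which gateway a packet gets.

# 1. Rules that bypass policy routing: no route-to, so the kernel routing
#    table is used. Without these, the route-to rule below would also push
#    traffic for the firewall itself (DNS resolver, GUI) and for other local
#    networks out WAN2.
pass in quick on $lan_if from $lan_net to self
pass in quick on $lan_if from $lan_net to $dmz_net

# 2. Policy-routing rule for the single host ("Gateway" set under Advanced).
pass in quick on $lan_if route-to ($wan2_if $wan2_gw) from $pinned to any

# 3. Catch-all for everyone else, sent to the default gateway.
pass in quick on $lan_if from $lan_net to any
```

A /32 rule placed below the catch-all never matches, because the catch-all has already passed the packet with quick; the same applies to a /32 outbound NAT entry placed below a subnet-wide one on the same interface. To check which rule a packet actually hits, `pfctl -vvsr` prints the loaded rules with their per-rule evaluation and match counters.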
-
@Derelict, I agree with you on that, but I wanted to help clarify a few things for him and others, since those docs are limited and there are so many variations with them. Actual photos would be good. I once created a guide for 1.2.3 on bridging with the help of others; it was a PDF, and I would like to do the same here, but I just need to see people's configs so I can narrow in on it and patch it or suggest a change to the creators of this magnificent system.
pfSense will blow away most any firewall I've touched as far as Layer 3 and stateful goes.
Not sure if he is hosting internal DNS servers, or what. Obscure the config.xml but leave its structure intact, mangle the vital info, and I can help you. There is a bug in apinger and the routing tables which adds the entry if people use a custom monitor IP to test for internet up vs gateway up. I confirmed this last week, but there is a bigger issue at play here and I need to see a lot of configs. Going to ask the admins for approval on that and open a thread.
The other issue is that reply-to is a bad habit, since it's being sent through the network in the header, and ultimately that is more overhead and margin for failure if he is passing it on to another router. Cisco doesn't like these, and some IOS configs will drop them right off the bat.
Another hint: Virtual IPs have the potential to do this if you're not using IP alias and are using ARP. If your upstream is on the same VHID then you could be running into a conflict. Even VLAN tagging, depending on your config and WAN. So many possibilities.
I won't jump to any conclusions until I get more info. If you can get it to me in the next hour I will help; otherwise I won't be around until tomorrow night.
Take care guys, and stick with pfSense. I've run this for 900 days before I decided to upgrade. Posted the photos too for those in doubt a while ago. It's rock solid, but there is a lot to it. At the same time, it also gives you much more power than a web-based auto-configurator type router. I prefer CLI, but the pfSense interface is great.
We roll 10GigE (though only 4 is provisioned) through clusters of firewalls, some of which are pfSense, most Linux and CLI only, but I love the simplicity of the GUI on pfSense. We have got hit with attacks every day, most minor, some major that will slow us down, but we have a special system for that now to offload what is dumped on our firewalls. Once it's configured, running and stable, leave it alone; you won't have a problem if your hardware keeps up.
If you post the config, or send it to me and I will obscure it for you and then post it, I know I can help a lot of people in a similar situation. Too many variables to give you an answer without the config.
For everyone else too, I need:
- Hardware info from dmesg in /var/log
- A backup of the config.xml with the IPs and anything else sensitive mangled, but don't remove the structure or its contents.
Take care guys. By the way, I frequently make spelling mistakes since I'm always in a rush here, but the bottom line is I will take the time to help you. I just need a lot of info, or it's guesswork, and I can't make assumptions.
-
Thilroy, make sure that you set the custom LAN out rules before the default LAN rule (assuming they are not floating). Also, are you using a custom monitor IP?