Route traffic to a specific gateway depending on the packet type



  • Hello!

    I have a LAN with multiples users (20+) and 2 gateways, pfsense acting as firewall and router between.

    Is there a way to route traffic to a specific gateway depending on the packet type? For example, id like to route some low bandwidth but critical services (SNMP, SSH, SIP, etc) via one gateway and other heavy traffic (streaming, torrent, FTP, etc) through the other higher bandwidth gateway. I'm think id probably need to route packets according to layer7 or source/destination ports but i'm unsure how to proceed in pfsense or even if its possible!

    Any leads? tips?

    Thank you very much!



  • Hey, Julio!

    I am new to pfSense myself, and I am coming from a Cisco world. Basically the only way I am aware of that you can do what you are trying to is Policy Based Routing (PBR). This is fully supported on pfSense, although to be brutally honest I don't know how to configure it.

    https://doc.pfsense.org/index.php/What_is_policy_routing

    This should point you in the right direction, though.



  • Hello Michael,

    I've read a bit about it shortly after my post and I believe you are right! It's likely to be the best way to achieve my goal.

    I'm having my doubts on how to set this up with FailOver currently configured, however.

    Anyhow, it's in a lab VM so I can mess around and revert to a previous state if necessary. I'll post any good findings :)



  • proto source port destination port gateway queue schedule

    ipv4 tcp/udp lan net * * (ports of snmp,ssh,sip) ISP2
    ipv4 tcp/udp lan net * * * ISP2 (torrent, streaming, browsing,ftp etc)



  • I've configured something similar, for both inbound and outbound but its doesn't quite work.

    I see in the firewall logs that its blocking a lot of inbound/outbound packets to/from my torrent machine but the torrents are still downloading at full speed on the interface its supposed to be blocked…

    As I have failover configured, I would think it could be interfering with the policy routing but wouldn't simply block all traffic? Cause right now, even if the logs are showing a lot of packets blocked on the proper interface, It keeps downloading on that same interface...