Netgate Discussion Forum

    Default gateway with many Lan a multiwans

    Routing and Multi WAN · 13 posts, 5 posters
    tobiascapin:

      Hello, I have a question about the gateway in firewall rules and the default gateway setting.

      I have 3 LAN interfaces and 2 WAN interfaces.

      The WANs are configured with a group for failover called "MultiWan". When one interface is down or has high latency, the second should be used.

      I cannot set this MultiWan group as default gateway in pfSense. To use the MultiWan group as gateway, every LAN has a firewall "catch all" rule with a specific gateway set to "MultiWan" (otherwise it will use the single default one).

      This works, but I have a problem with LAN-to-LAN routes: in these cases the catch-all firewall rule gets the request and sets the gateway to MultiWan even if the request should be routed to another LAN. To solve this problem I had to add a firewall route for every LAN-to-LAN route (before the catch-all to MultiWan) with the gateway setting set to default, as the notice says:

      Leave as 'default' to use the system routing table. Or choose a gateway to utilize policy based routing.

      This way it works because the request is not routed to MultiWan but to the correct interface by the default routing table.

      My question is: is this behavior/configuration correct? Are these LAN-to-LAN rules necessary to go back to default routing, or is there an alternative?

      An alternative would be a catch-all rule with gateway MultiWan applied only to unknown destinations, but I cannot find this option in firewall rules. By "unknown" destination I mean every address outside the LAN subnets known to pfSense, which will use the default gateway.

      Thank you

      Derelict (LAYER 8, Netgate):

        Yes, it is correct and expected.

        https://doc.pfsense.org/index.php/What_is_policy_routing

        https://doc.pfsense.org/index.php/Bypassing_Policy_Routing

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        tobiascapin:

          Thanks

          Guest:

            Hm, I am wondering why you are not using the load balancing mode and go with the failover mode instead!? If you configure load balancing you get both variants in one solution; please correct me if I am wrong!

            If you set up both WAN ports and also policy-based routing, and then one WAN line fails, the entire load will be pushed over the other WAN interface, but if both WAN interfaces are up, you profit from them both as well.

            tobiascapin:

              This can be interesting… but can I choose (for some rules) to force a specific gateway? For example, I need to route the SMTP traffic to my SMTP provider through a specific interface, not through both.

              heper:

                yes, firewall rules work from TOP -> DOWN (first match wins)

                so this would work:

                    1) source: any   destination: smtp   gateway: isp1
                    .
                    .
                    .
                    5) source: any   destination: any   gateway: loadbalance_gw

                this would not get the correct result:

                    .
                    .
                    .
                    5) source: any   destination: any   gateway: loadbalance_gw
                    6) source: any   destination: smtp   gateway: isp1

                tobiascapin:

                  If I understand, the load balancer is a good idea, but this does not solve the problem: I need to set all LAN-to-LAN routes with "default" as gateway setting to let pfSense use the default routing table.

                  Guest:

                    @tobiascapin:

                    If I understand, the load balancer is a good idea, but this does not solve the problem: I need to set all LAN-to-LAN routes with "default" as gateway setting to let pfSense use the default routing table.

                    This depends on which way you are using the load balancing mode.

                    • policy based routing
                    • service based routing
                    • session based routing

                    would be the most common ways to realize it cleanly and stably.

                    tobiascapin:

                      Thank you… I will check it.

                      heper:

                        @tobiascapin:

                        If I understand, the load balancer is a good idea, but this does not solve the problem: I need to set all LAN-to-LAN routes with "default" as gateway setting to let pfSense use the default routing table.

                        you just need to prevent traffic from LAN1 -> LAN2 from going over the load balancer, right?

                        - create an alias that includes ALL your LAN subnets

                        - add on LAN1/2/3 a firewall rule on TOP that states: source: any | destination: your_alias | gateway: *

                        tobiascapin:
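                        A small simulation of the top-down, first-match evaluation heper describes in the earlier post and of the "LAN alias with gateway *" bypass rule from this one, plus the negated-alias variant asked about below. This is an added example, not code from the thread or from pfSense itself; the LAN subnets and the SMTP provider address are constructed, and the gateway names MultiWan and isp1 are taken from the thread.

```python
import ipaddress

# Constructed sample topology (not from the thread): three LAN subnets and one SMTP provider.
LAN_SUBNETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24")]
SMTP_PROVIDER = ipaddress.ip_network("203.0.113.25/32")  # RFC 5737 documentation address

def matches(rule, dst_ip, dst_port):
    """Destination match: 'any', the smtp host:port, or an alias (list of networks), optionally negated."""
    dst, negate = rule["destination"], rule.get("negate", False)
    if dst == "any":
        hit = True
    elif dst == "smtp":
        hit = dst_port == 25 and dst_ip in SMTP_PROVIDER
    else:
        hit = any(dst_ip in net for net in dst)
    return hit != negate

def system_route(dst_ip):
    """The system routing table: directly connected LAN subnets, otherwise the single default gateway."""
    for net in LAN_SUBNETS:
        if dst_ip in net:
            return f"direct:{net}"
    return "WAN1_default"

def select_gateway(rules, dst, dst_port=0):
    """Top-down, first match wins. Gateway '*' means 'use the system routing table' (no policy routing)."""
    dst_ip = ipaddress.ip_address(dst)
    for rule in rules:
        if matches(rule, dst_ip, dst_port):
            return system_route(dst_ip) if rule["gateway"] == "*" else rule["gateway"]
    return "blocked"  # default deny when no pass rule matches

# The original problem: only a catch-all to the failover group, so LAN-to-LAN traffic is policy-routed too.
CATCH_ALL_ONLY = [{"destination": "any", "gateway": "MultiWan"}]

# heper's ordering: specific rule first, LAN-alias bypass with gateway '*', catch-all last.
ORDERED = [
    {"destination": "smtp", "gateway": "isp1"},
    {"destination": LAN_SUBNETS, "gateway": "*"},
    {"destination": "any", "gateway": "MultiWan"},
]

# The same rules with the catch-all above the SMTP rule: the SMTP rule is never reached.
WRONG_ORDER = [ORDERED[2], ORDERED[0]]

# The negated-alias variant: policy-route only destinations NOT in the LAN alias.
# A plain pass rule with gateway '*' is still needed below it, or LAN-to-LAN hits the default deny.
NEGATED_ALIAS = [
    {"destination": "smtp", "gateway": "isp1"},
    {"destination": LAN_SUBNETS, "negate": True, "gateway": "MultiWan"},
    {"destination": "any", "gateway": "*"},
]
```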

                          May I set the load balancer for all destinations NOT in this local-subnets alias? Am I right?

                          heper:

                            yes, that would work also.

                            tim.mcmanus:

                              @tobiascapin:

                              This can be interesting… but can I choose (for some rules) to force a specific gateway? For example, I need to route the SMTP traffic to my SMTP provider through a specific interface, not through both.

                              I do this because I have one WAN interface with static IPs and the other is DHCP. SpamHAUS blocks SMTP from my ISP's DHCP block (for obvious reasons), so I need to force traffic from that server out the one interface. This is the rule I have in place to do that (see attached).

                              The server is on the LAN which has a different default gateway, and WAN2GW has the static assignment.  So I created a rule that says all outgoing traffic must use that gateway.  Works like a charm.

                              ![Screen Shot 2015-07-17 at 6.25.58 PM.png](/public/imported_attachments/1/Screen Shot 2015-07-17 at 6.25.58 PM.png)