Source based routing



  • I am in the middle of changing over internet providers. I currently have two ADSL connections, both with static public IPs, and two ADSL routers/modems.
    I host my own website on one of those public IPs and also an SMTP server for said domain; let's call it "white.org".
    On the second ADSL connection I also host an SMTP server (same server, just serving both domains); let's call this domain "yellow.org".

    The problem is I need to keep both of these domains up for a period of time, and have those services available.

    Due to security measures such as reverse path filtering I need to do some funky stuff with the NAT/routing within my 'zone' (i.e. on the firewall end, pfSense).

    Is it possible with pfSense to configure 'source based routing'? I'm not sure whether I have the terminology correct here; here is a link to exactly what I mean: http://www.wlug.org.nz/SourceBasedRouting

    Basically I want all requests that come into my network via white.org to exit via that same gateway, and vice versa for yellow.org.

    white.org's internal IP on the router is 172.16.32.1, and I have configured the pfSense wan0 interface with the IP 172.16.32.2.
    yellow.org's internal IP on its router is 192.168.1.1, and I have configured the pfSense wan1 interface with the IP 192.168.1.2.

    pfSense LAN IP is 192.168.16.1 <-- the SMTP server is at 192.168.16.253 (the LAN is actually on the network 192.168.69.x), i.e. 192.168.16.253 is the external interface of the ISA server.
    pfSense DMZ is 192.168.6.1 <-- the webserver (hosting the website for white.org) has an IP of 192.168.6.32.

    I have attached a diagram to help with understanding the problem.

    My apologies if I have been unclear anywhere within this post, please let me know if you would like me to clarify anything.

    Many Thanks
    Jurgen




  • I figure I'm going to need to apply some policy based routing, but I'm not so sure what the configuration should look like and whether or not I need to use advanced NAT. That is, if my above scenario is in fact feasible with pfSense.



  • I'm too impatient today to try and make real sense of your numbers and diagram, but I think what you are trying to do should be fairly easy. Forget all that Linux crazy talk and check out some of the configurations discussed in the forums. If you are just concerned about incoming connections, pfSense will route the connections that come in off a particular WAN back out that WAN automatically. You need advanced outbound NAT to specify a particular source IP, etc., for outgoing connections. Policy routing would come into play if you need to route traffic to/from particular hosts/ports to a specific WAN connection/pool.



  • Thanks very much, you have just clarified for me that in fact what I have done is correct.
    I didn't think it would be so easy (what comes in from one WAN gateway goes out via the same gateway).

    For anyone else who is in the same situation: just set up your multi-WAN pfSense box, and configure the manual outbound NAT rules for both the WAN and OPT1 (WAN2) interfaces to allow any destination, with the source being the LAN network.
    Configure firewall rules for your DMZ interface (make sure you tick the 'not' box and specify the LAN subnet in destinations, to disallow any communication between the LAN and DMZ).
    That's pretty much it, apart from the port forwarding rules (set under NAT inbound) for your services, i.e. www, smtp etc.

    pfSense is definitely powerful and easy to use.
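The GUI steps in the last post correspond to a handful of pf rules under the hood (pfSense is a front end to FreeBSD's pf). The fragment below is an added example, not the poster's exported configuration, written to show what "what comes in one WAN goes out the same WAN" actually relies on: the `reply-to` option on the WAN pass rules. Interface names (em0 to em3) are assumed for illustration; the addresses are the ones given in the thread.

```pf
# Added example: pf.conf equivalent of the pfSense GUI steps described in the thread.
# Interface names are assumptions for illustration; addresses come from the thread.
wan0 = "em0"   # 172.16.32.2  - white.org ADSL router is 172.16.32.1
wan1 = "em1"   # 192.168.1.2  - yellow.org ADSL router is 192.168.1.1
lan  = "em2"   # 192.168.16.1/24
dmz  = "em3"   # 192.168.6.1/24

wan0_gw  = "172.16.32.1"
wan1_gw  = "192.168.1.1"
smtp_srv = "192.168.16.253"   # external interface of the ISA server on the LAN
web_srv  = "192.168.6.32"     # white.org web server in the DMZ

# "Manual outbound NAT": LAN hosts leaving via either WAN take that WAN's address.
nat on $wan0 from $lan:network to any -> ($wan0)
nat on $wan1 from $lan:network to any -> ($wan1)

# "NAT: inbound" port forwards for www and smtp. rdr rewrites the destination
# before filtering, so the pass rules below match the internal addresses.
rdr on $wan0 proto tcp from any to ($wan0) port 80 -> $web_srv  port 80
rdr on $wan0 proto tcp from any to ($wan0) port 25 -> $smtp_srv port 25
rdr on $wan1 proto tcp from any to ($wan1) port 25 -> $smtp_srv port 25

# Default deny, then explicit passes.
block log all

# WAN rules. reply-to pins the state's return traffic to the gateway of the
# interface the connection arrived on: a SYN that came in over white.org's link
# is answered over white.org's link even when the default route points at yellow.org's.
pass in on $wan0 reply-to ($wan0 $wan0_gw) proto tcp from any to $web_srv  port 80 keep state
pass in on $wan0 reply-to ($wan0 $wan0_gw) proto tcp from any to $smtp_srv port 25 keep state
pass in on $wan1 reply-to ($wan1 $wan1_gw) proto tcp from any to $smtp_srv port 25 keep state

# LAN: allow anything out (the pfSense default LAN rule).
pass in on $lan from $lan:network to any keep state

# DMZ: allow out, but NOT to the LAN subnet (the ticked 'not' box in the GUI).
pass in on $dmz from $dmz:network to ! $lan:network keep state

# Let state-matched traffic leave on any interface.
pass out on { $wan0, $wan1, $lan, $dmz } keep state
```

Two points worth keeping in mind when reading this against the thread. First, `reply-to` is what satisfies the reverse path filtering concern in the original question: the reply carries the source address of the WAN it leaves on, because it is forced out of that WAN. Second, it only covers connections that arrive from outside. Connections the SMTP server opens itself (outbound mail delivery for either domain) follow the default route and whichever outbound NAT rule matches that WAN, so they will all leave via one link; steering those by host or port is the policy routing (`route-to`) case the earlier reply mentions, and is not shown here.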

