Policy-based routing not working in dual-WAN setup, help appreciated



  • Hi,

    This might be a newbie problem, because I'm no network admin. Actually, I'm asking for help for the first time here in the pfSense forums.

    I have enjoyed pfSense as a home router for a couple of years, but up to now I have done just basic things, like configuring DHCP and DNS. I have set up an IPsec VPN, some time ago went through a version upgrade which basically ended up as a reinstall, and diagnosed some issues a few times, the most interesting being finding out that a NIC was physically damaged after a lightning discharge close to my house. That pretty much sums up my experience with pfSense.

    I'm on version 2.2.4, running on an Intel Atom D525 MB.

    Now, due to work changes, we had to consider an ISP change. My current DSL provider is not able to offer more than 0.5 Mbps upload speed, which is not sufficient for the new work needs. So I took on a 4G provider. It's been 2 weeks now and I can say that the quality of the traffic (delay, packet loss) is similar and the max speed is not stable, but the main thing here is that average speeds are much, much better. So, it is going to stay. I could dismiss the previous ISP (and make my life simpler), but I thought, why not learn something, and decided to try a dual-WAN solution.

    I set up dual WAN according to the documentation and it works. I have made what seem to be pretty classic gateway groups, one load balance and two failover, and put a rule on the LAN interface to use the load balance gateway group. But I have at least two things where I need policy-based routing: my cloud backups must go out the fastest WAN, and internet banking sessions are dropped by the bank if packets go different routes within one session. I tried to add rules on the LAN interface before the load balance rule, but those don't seem to work. I have spent a couple of hours Googling and reading, but with no result. So maybe somebody might help me by directing me somewhere or asking me the right questions.

    I'm copying here the policy rules I believe resulted from me creating the 2 above-mentioned rules in the web interface (from the command line: pfctl -sa):

    pass in quick on LAN interface inet from backup machine ip address to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
    pass in quick on LAN interface route-to (WAN2 interface WAN2 router=gateway ip address) inet from backup machine ip address to any flags S/SA keep state label "USER_RULE: my comment here"
    pass in quick on LAN interface route-to (WAN1 interface WAN1 provider gateway ip address) inet from (my lan subnet).0/24 to <alias name defined by me> flags S/SA keep state label "USER_RULE: my comment here"

    with the balance rules following those. Of course, there are a lot of rules before these (and after), but those must have come from pfSense creating rules automatically.

    My first question is: do those rules seem to be correct? The first two lines are the result of me specifying in the web interface that I want all traffic from the backup machine to go to a single gateway. For example, I do not understand why there are two lines for that.

    The last line is where I want all communication to internet banking, defined by an alias where I have put a couple of IP addresses and their domain(s), to go to the failover gateway group where the WAN1 provider is primary. Here I do not understand a lot of things, for example, why is there just the primary provider's gateway IP in the rule definition? Shouldn't it be both? Why isn't the alias name decoded somehow? Isn't this https://doc.pfsense.org/index.php/How_can_I_see_the_full_PF_ruleset the right way to look at the actual rules?

    Second question. If I understand it right, my custom rules are not even close to the beginning of the list of rules, meaning that there is a possibility that some earlier rule matched my traffic. How do I find out whether there are no such rule(s)?

    Also, I admit I have played with rules, e.g. I tried to add them in the Floating section instead of LAN, I created and deleted several rules in the process of trial, etc. Is there a possibility that some mess was not cleaned up automatically when I deleted my trials?

    Any suggestions, corrections, questions appreciated! :)

    All the best,
    Jānis
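As an added illustration (not from the original post or from pfSense), the script below mimics how pf walks a ruleset in pfctl -sr order, stopping at the first `quick` match, so one can see which rule a given LAN source/destination pair would hit. Interfaces, addresses, table and alias contents are made up, and protocol/flags matching is ignored; on a real box the answer comes from the actual `pfctl -sr` output.

```python
import ipaddress
import re

# Constructed ruleset in pfctl -sr order. Interfaces, addresses, table
# and alias contents are invented; they only mimic the shape of the
# rules quoted in the post (protocol and flags are ignored for brevity).
TABLES = {
    "negate_networks": ["10.0.0.0/24", "192.168.100.0/24"],  # local nets pfSense keeps off policy routing
    "bank_alias": ["203.0.113.10/32", "203.0.113.11/32"],
}

RULES = [
    'pass in quick on em1 inet from 10.0.0.50 to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"',
    'pass in quick on em1 route-to (em3 198.51.100.1) inet from 10.0.0.50 to any flags S/SA keep state label "USER_RULE: backups via WAN2"',
    'pass in quick on em1 route-to (em2 192.0.2.1) inet from 10.0.0.0/24 to <bank_alias> flags S/SA keep state label "USER_RULE: bank via WAN1"',
    'pass in quick on em1 route-to { (em2 192.0.2.1), (em3 198.51.100.1) } round-robin inet from 10.0.0.0/24 to any flags S/SA keep state label "USER_RULE: load balance"',
]

RULE_RE = re.compile(
    r'^(?P<action>pass|block) in(?P<quick> quick)? on (?P<iface>\S+)'
    r'(?: route-to (?P<route>\(.*?\)|\{.*?\})(?: round-robin)?)?'
    r' inet from (?P<src>\S+) to (?P<dst>\S+).*label "(?P<label>[^"]*)"'
)

def addr_matches(spec, ip):
    """True if ip is covered by spec: 'any', a host, a CIDR or a <table>."""
    if spec == "any":
        return True
    if spec.startswith("<"):  # pf table, i.e. a pfSense alias
        return any(addr_matches(net, ip) for net in TABLES[spec.strip("<>")])
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def first_match(iface, src, dst, rules=RULES):
    """Return (label, route-to spec) of the rule pf applies to a new
    connection entering on iface, or None if nothing matches. pf keeps the
    *last* matching rule unless a matching rule says quick, which stops
    evaluation right there; pfSense generates quick rules throughout."""
    winner = None
    for rule in rules:
        m = RULE_RE.match(rule)
        if not m or m["iface"] != iface:
            continue
        if addr_matches(m["src"], src) and addr_matches(m["dst"], dst):
            winner = (m["label"], m["route"])
            if m["quick"]:
                break
    return winner
```

With these constructed rules, bank traffic from the backup host is pinned to WAN2 by the earlier catch-all rule and never reaches the bank rule, while any other LAN host hits the bank rule and then the load balancer.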



  • Please post a screenshot of your LAN rules.



  • Screenshot attached. Tried to hide some names, hopefully the idea is still clear.