Multi WAN - Route Traffic Via One WAN Link
Hi, I have a LAN with 2 segments in the same subnet and two WAN links. Need to route segment 1 (192.168.0.10/24 - 192.168.0.40) via WAN 1 and segment 2 (192.168.0.41/24 - 192.168.0.70/24) via WAN 2. I've been trying for several days but traffic seems to route via the default gateway always. Attached is a pic of my LAN rules i made for testing (route LAN Net via Gateway 2). Could someone help me please.
kapara last edited by
First of all what/why are you trying to do this?
Second.. The source is the entire lan net and you need to specify a network range instead of the entire lan net.
The two WAN links I have are of different bandwidths and data limitations. So I need to divide users and also the rule I made is to test, to rout the whole LAN via the secondary WAN link. I tried creating Aliases to group users too but did not succeed.
Your gateway rule is protocol TCP only. Probably not what you want.
(192.168.0.10/24 - 192.168.0.40) via WAN 1 and segment 2 (192.168.0.41/24 - 192.168.0.70/24)
Those are not segments. They are ranges of IP addresses.
Do yourself a favor and do things like this on natural IP subnet boundaries instead of decimal.
The 31 addresses 192.168.0.10 through 192.168.0.40 would be a lot easier to deal with if they were, say, 192.168.0.32 through 192.168.0.63 which can be used in firewall rules as 192.168.0.32/27. 41-70 could be 64-95 or 192.168.0.64/27.
While you can use, in these examples, .32 and .63, and .64 and .95 for host addresses, I would not because if you ever decide to put these subnets on actual interfaces, those would be the network and broadcast addresses and therefore unusable. Along that same line of thinking I would also avoid using .33 and .65, which would be the router interface addresses. Exclude a couple more to reserve room for future CARP/HA.
Added 192.168.0.32/27 as an Alias and checked with the IP 192.168.0.37, but the result is the same. The traffic is still routed via the Default Gateway. Changed the rules as you mentioned from TCP to TCP/UDP as well. When creating Aliases, it says we can define a range as well as a Subnet. Attached Rules, Created Alias.
![fw rule.PNG](/public/imported_attachments/1/fw rule.PNG)
![fw rule.PNG_thumb](/public/imported_attachments/1/fw rule.PNG_thumb)
No idea what you're doing.
Why not create a network alias of 192.168.0.32 / 27 instead of all those host entries? That's sort of the point.
Why TCP/UDP Only? Why not any? As it is pings (protocol ICMP) will be blocked.
How are you testing?
This really does just work.
Did exactly what you said. Added a Network Alias as 192.168.0.27/27, Protocols - any, added the ip 192.168.0.37/27 to a pc on the LAN with manual proxy set to port 3128 (default), gateway set to pfsense, did not work. Checked with the subnet /24 which is the default on our LAN, still no difference. Where am I wrong now pls…..
How are you testing?
You are trying to establish different behaviors for different groups of hosts on a subnet.
You do not use a /27 netmask on the hosts because the subnet is a /24. You configure the hosts with a /24.
You use a /27 netmask to easily identify a group of hosts on the subnet with one firewall rule.
Oh. I see. Squid again.
Connections to squid are made on LAN.
Connections out from squid are made from the firewall itself.
Turn off squid and you will find everything works as you would expect.
I checked the outgoing IP with 'what is my ip' - mostly google result.
Turn off squid.
With Squid turned off, it works, tried both gateways and it works, but I need squid to work as well….....
Post in the Cache/Proxy forum.
Will do Derelict, thanx very much for your Expert Help….... :)