Very strange dual WAN behavior -> policy-based routing not working



  • hi,
    this is my first post here,
    please be patient.

    My setup is as follows:
    WAN x.x.x.190/27
    WAN2 x.x.16.177/16
    I configured my pfsense following this howto http://doc.pfsense.org/index.php/MultiWanVersion1.2,
    -added CARP VIPs on my first wan
    -created 1:1 NAT for my ips
    -created a rule on the LAN so all of my servers leave on the correct gateway

    All works fine except that I can not connect to my services from any IP from the second WAN.
    I can see requests reaching my servers with tcpdump and in the firewall log,
    then entering the pfsense box (still tcpdump), but they do not leave the box. I can see all other packets leaving in the firewall logs but can not see those.

    Thanks for helping
  • i solved my problem by putting a router before my wan2 nic.
    the problem seems to be policy based routing and the routing table

    even if i have a rule in my lan tab on the firewall,
    Proto  Source    Port  Destination  Port  Gateway
    *      Notranji  *     *            *     x.x.x.161      (Notranji is an alias for all my servers' internal ips)

    all the traffic that should go to isp2 is not routed by this policy but according to the routing table,
    here is mine before putting the router in front of the WAN2 nic

    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            x.x.x.161          UGS         0      165    vr0
    x.x/16             link#1             UC          0        0    rl0        <-- here all my traffic is routed to the WAN2 gateway, but according to my LAN rule it should go to the WAN1 gateway
    x.x.0.1            00:90:1a:a0:14:01  UHLW        1     1533    rl0    121
    localhost          localhost          UH          0        0    lo0
    192.168.0          link#2             UC          0        0    re0
    192.168.0.3        00:01:6c:af:04:ed  UHLW        1      508    re0   1162
    192.168.0.21       00:17:08:37:a1:f3  UHLW        1    23638    re0   1176
    192.168.0.26       00:19:db:c8:68:a9  UHLW        1     7108    re0   1123
    192.168.0.27       00:18:8b:7e:e7:a3  UHLW        1    10306    re0   1199
    192.168.0.31       00:19:db:d5:aa:15  UHLW        1   375631    re0    898
    192.168.0.40       00:1d:92:01:f4:f7  UHLW        1     2617    re0    932
    192.168.0.52       00:01:6c:3c:fd:12  UHLW        1      803    re0   1176
    192.168.0.86       00:0f:fe:3f:02:5c  UHLW        1     7580    re0    955
    192.168.0.90       00:13:d3:d6:55:bb  UHLW        1    19875    re0   1195
    192.168.1          link#3             UC          0        0    re1
    192.168.1.3        00:14:2a:2b:0b:cb  UHLW        1     4439    re1    949
    192.168.1.5        00:11:5b:ef:6e:6f  UHLW        1     9650    re1    969
    192.168.1.132      00:12:a9:56:1a:76  UHLW        1     3830    re1   1134
    192.168.1.137      00:13:e8:75:3c:79  UHLW        1     6254    re1   1196
    192.168.1.148      00:16:ce:20:10:44  UHLW        1    24456    re1   1101
    192.168.1.150      00:18:de:0f:9c:1c  UHLW        1      542    re1   1119
    x.x.x.160/27       link#4             UC          0        0    vr0
    x.x.x.161          link#4             UHLW        2     2923    vr0
    x.x.x.162          x.x.x.162          UH          0        0  carp0
    x.x.x.163          x.x.x.163          UH          0        0  carp1
    x.x.x.164          x.x.x.164          UH          0        0  carp2
    x.x.x.165          x.x.x.165          UH          0        0  carp3

    is there another way to solve this,
    coz I'm planning to have some more IPs from the other isp?
    thanks
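As an added diagnostic (not code from the thread above or from the pfSense project), the following Python script parses a BSD-style `netstat -rn` table like the one the poster pasted, performs the same longest-prefix-match lookup the kernel does, and flags destinations whose kernel route leaves a different interface than the interface that reaches the policy-routing gateway. That is the situation described in the post: a client address inside the directly connected WAN2 network (`x.x/16` on `rl0`) matches the connected route even though the LAN rule names the WAN1 gateway on `vr0`. All addresses in the embedded sample table are constructed from the RFC 5737 documentation ranges; the `Route`, `parse_routes`, `lookup` and `check_policy_route` names are this example's own.

```python
"""Diagnose policy-routing vs. kernel-routing-table conflicts from a
BSD-style ``netstat -rn`` dump (the format pfSense prints).

Added example, not code from the original thread. All addresses in the
sample table are constructed from the RFC 5737 documentation ranges.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: WAN1 is 198.51.100.160/27 on vr0 (default gateway
# 198.51.100.161), WAN2 is a directly connected 203.0.113.0/24 on rl0.
SAMPLE_TABLE = """\
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            198.51.100.161     UGS         0      165    vr0
203.0.113          link#1             UC          0        0    rl0
203.0.113.1        00:90:1a:a0:14:01  UHLW        1     1533    rl0    121
localhost          localhost          UH          0        0    lo0
192.168.0          link#2             UC          0        0    re0
192.168.1          link#3             UC          0        0    re1
198.51.100.160/27  link#4             UC          0        0    vr0
198.51.100.161     link#4             UHLW        2     2923    vr0
198.51.100.162     198.51.100.162     UH          0        0  carp0
"""


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: str   # next-hop IP, or "link#N" for a directly connected network
    flags: str
    netif: str


def parse_destination(dest: str) -> Optional[ipaddress.IPv4Network]:
    """Turn a netstat destination column into a network.

    BSD netstat drops trailing zero octets of classful networks
    ("192.168.0" is 192.168.0.0/24) and prints an explicit mask
    ("x.x/16") only when the prefix is not classful; four bare octets
    are a host route (/32).
    """
    if dest == "default":
        return ipaddress.IPv4Network("0.0.0.0/0")
    addr, _, prefix = dest.partition("/")
    octets = addr.split(".")
    if not all(o.isdigit() for o in octets):
        return None  # "localhost", "link#N" and other non-IP destinations
    if not prefix:
        prefix = str(8 * len(octets))
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.IPv4Network(f"{padded}/{prefix}", strict=False)


def parse_routes(table: str) -> List[Route]:
    """Parse the forwarding routes, skipping headers and ARP cache entries."""
    routes: List[Route] = []
    for line in table.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "Destination":
            continue
        dest, gateway, flags, netif = fields[0], fields[1], fields[2], fields[5]
        if "L" in flags:
            continue  # link-layer (ARP cache) entry, not a forwarding route
        network = parse_destination(dest)
        if network is not None:
            routes.append(Route(network, gateway, flags, netif))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the decision the kernel makes on its own."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    return max(matches, key=lambda r: r.network.prefixlen, default=None)


def check_policy_route(routes: List[Route], dst: str, policy_gateway: str) -> Dict[str, object]:
    """Compare the interface a policy rule would use for ``dst`` (the one that
    reaches ``policy_gateway``) with the interface the kernel table picks.

    A conflict means a more specific route, typically a directly connected
    WAN network, pulls the traffic out a different interface than the
    policy gateway: an asymmetric path worth checking when replies reach
    the firewall but never leave it.
    """
    kernel = lookup(routes, dst)
    via_policy = lookup(routes, policy_gateway)
    kernel_netif = kernel.netif if kernel else None
    policy_netif = via_policy.netif if via_policy else None
    return {
        "dst": dst,
        "kernel_route": str(kernel.network) if kernel else None,
        "kernel_netif": kernel_netif,
        "policy_gateway": policy_gateway,
        "policy_netif": policy_netif,
        "connected": bool(kernel and kernel.gateway.startswith("link#")),
        "conflict": kernel_netif is not None and kernel_netif != policy_netif,
    }


if __name__ == "__main__":
    table = parse_routes(SAMPLE_TABLE)
    # A client inside the WAN2 ISP's network versus an arbitrary Internet host.
    for dst in ("203.0.113.50", "192.0.2.10"):
        print(check_policy_route(table, dst, "198.51.100.161"))
```

Paste the real `netstat -rn` output into `SAMPLE_TABLE` (or read it from a file) and pass the gateway named in the LAN rule; every destination for which `conflict` is true is one where the kernel's connected or more specific route and the policy rule disagree on the egress interface, which is the first thing to look at when a packet is seen arriving in tcpdump but never leaves.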
