Very strange dual WAN behavior -> policy-based routing not working

  • Hi,
    this is my first post here,
    please be patient.

    My setup is as follows:
    WAN x.x.x.190/27
    WAN2 x.x.16.177/16
    I configured my pfSense following this howto:
    -added CARP VIPs on my first WAN
    -created 1:1 NAT for my IPs
    -created a rule on the LAN so all of my servers leave via the correct gateway

    All works fine except that I can not connect to my services from any IP on the second WAN.
    I can see the requests reaching my servers with tcpdump and in the firewall log,
    then entering the pfSense box (still tcpdump), but they do not leave the box. I can see all other packets leaving in the firewall logs but can not see those.

    Thanks for helping

  • I solved my problem by putting a router in front of my WAN2 NIC.
    The problem seems to be policy-based routing versus the routing table.

    Even if I have a rule in my LAN tab on the firewall,
    Proto  Source    Port  Destination  Port  Gateway
    *      Notranji  *     *            *     x.x.x.161      (Notranji is an alias for all my servers' internal IPs)

    all the traffic that should go to ISP2 is not routed by this policy but according to the routing table.
    Here is mine before putting the router in front of the WAN2 NIC:

    Destination        Gateway            Flags    Refs      Use  Netif  Expire
    default            x.x.x.161          UGS         0      165  vr0
    x.x/16             link#1             UC          0        0  rl0       <-- here all my traffic is routed to the WAN2 gateway, but according to my LAN rule it should go to the WAN1 gateway
    x.x.0.1            00:90:1a:a0:14:01  UHLW        1     1533  rl0     121
    localhost          localhost          UH          0        0  lo0
    192.168.0          link#2             UC          0        0  re0
                       00:01:6c:af:04:ed  UHLW        1      508  re0    1162
                       00:17:08:37:a1:f3  UHLW        1    23638  re0    1176
                       00:19:db:c8:68:a9  UHLW        1     7108  re0    1123
                       00:18:8b:7e:e7:a3  UHLW        1    10306  re0    1199
                       00:19:db:d5:aa:15  UHLW        1   375631  re0     898
                       00:1d:92:01:f4:f7  UHLW        1     2617  re0     932
                       00:01:6c:3c:fd:12  UHLW        1      803  re0    1176
                       00:0f:fe:3f:02:5c  UHLW        1     7580  re0     955
                       00:13:d3:d6:55:bb  UHLW        1    19875  re0    1195
    192.168.1          link#3             UC          0        0  re1
                       00:14:2a:2b:0b:cb  UHLW        1     4439  re1     949
                       00:11:5b:ef:6e:6f  UHLW        1     9650  re1     969
                       00:12:a9:56:1a:76  UHLW        1     3830  re1    1134
                       00:13:e8:75:3c:79  UHLW        1     6254  re1    1196
                       00:16:ce:20:10:44  UHLW        1    24456  re1    1101
                       00:18:de:0f:9c:1c  UHLW        1      542  re1    1119
    x.x.x.160/27       link#4             UC          0        0  vr0
    x.x.x.161          link#4             UHLW        2     2923  vr0
    x.x.x.162          x.x.x.162          UH          0        0  carp0
    x.x.x.163          x.x.x.163          UH          0        0  carp1
    x.x.x.164          x.x.x.164          UH          0        0  carp2
    x.x.x.165          x.x.x.165          UH          0        0  carp3

    Is there another way to solve this,
    because I'm planning to have some more IPs from the other ISP?
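The poster's routing table shows why the kernel sends traffic for the ISP2 block out rl0: the directly connected x.x/16 route is more specific than the default route, so a plain longest-prefix-match lookup picks it regardless of what the LAN policy rule intends. The following script is an added example, not code from the thread or from pfSense; it models that lookup over a constructed table shaped like the one above (203.0.113.160/27 stands in for WAN1, 10.20.0.0/16 for the ISP2 /16, and a hypothetical `NOTRANJI` alias for the servers) and compares the table's choice with the gateway the policy rule asks for, so the mismatch the poster observed can be reproduced and checked.

```python
# Added example (not from the forum post or pfSense): compare a kernel-style
# longest-prefix-match routing decision with the gateway a policy rule intends.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: Optional[str]   # None = directly connected (a "link#N" line in netstat -rn)
    netif: str

# Constructed routing table mirroring the layout of the poster's netstat output.
# All addresses are made up: 203.0.113.160/27 plays the WAN1 /27 and
# 10.20.0.0/16 plays the ISP2 /16 that sits on WAN2 (the "x.x/16 link#1 rl0" line).
ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "203.0.113.161", "vr0"),   # default via WAN1 gateway
    Route(ipaddress.ip_network("10.20.0.0/16"), None, "rl0"),          # WAN2's connected /16
    Route(ipaddress.ip_network("127.0.0.0/8"), None, "lo0"),
    Route(ipaddress.ip_network("192.168.0.0/24"), None, "re0"),        # LAN
    Route(ipaddress.ip_network("192.168.1.0/24"), None, "re1"),        # second LAN
    Route(ipaddress.ip_network("203.0.113.160/27"), None, "vr0"),      # WAN1's connected /27
]

# Hypothetical stand-in for the poster's "Notranji" alias (internal server IPs).
NOTRANJI = [ipaddress.ip_network("192.168.0.10/32"),
            ipaddress.ip_network("192.168.0.11/32")]
WAN1_GATEWAY = "203.0.113.161"   # the gateway named in the LAN policy rule

def table_lookup(dst: str, routes=ROUTES) -> Route:
    """Kernel forwarding decision: the most specific matching prefix wins."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        raise LookupError(f"no route to {dst}")
    return max(candidates, key=lambda r: r.prefix.prefixlen)

def policy_gateway(src: str) -> Optional[str]:
    """What the LAN rule intends: traffic sourced from a Notranji host gets WAN1's gateway."""
    addr = ipaddress.ip_address(src)
    return WAN1_GATEWAY if any(addr in net for net in NOTRANJI) else None

def intended_vs_table(src: str, dst: str) -> dict:
    """Compare the exit interface the policy rule wants with the one the table picks.

    A conflict means reply traffic from a server to that destination would be
    policy-routed one way but table-routed another, which is the situation the
    poster describes for clients inside the ISP2 /16.
    """
    table_route = table_lookup(dst)
    gw = policy_gateway(src)
    # The policy gateway's own exit interface is found by looking it up in the table.
    intended_netif = table_lookup(gw).netif if gw else table_route.netif
    return {
        "policy_gateway": gw,
        "intended_netif": intended_netif,
        "table_netif": table_route.netif,
        "table_prefix": str(table_route.prefix),
        "conflict": intended_netif != table_route.netif,
    }

if __name__ == "__main__":
    # A server replying to a client on the ISP2 /16 versus one on the open Internet.
    for dst in ("10.20.55.7", "8.8.8.8"):
        print(dst, intended_vs_table("192.168.0.10", dst))
```

Run it to see that a destination inside the ISP2 /16 is matched by the connected route on rl0 (a conflict with the rule's WAN1 gateway), while an arbitrary Internet destination falls through to the default route on vr0 and agrees with the rule. This is the same comparison one would make by hand between the pfSense rule and `netstat -rn` output when diagnosing a multi-WAN setup.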
