
Topic: make host go out specific WAN interface (Read 627 times)


Offline robina80

  • Full Member
  • ***
  • Posts: 240
  • Karma: +2/-0
    • View Profile
make host go out specific WAN interface
« on: January 04, 2018, 04:10:58 pm »
Hi all,

I have a pfSense firewall and I have two (x2) WAN addresses, and atm all my traffic going out is coming from my WAN1.

If I want to make a single host go out WAN2,

is this possible?

many thanks,

rob

Offline GoldFish

Re: make host go out specific WAN interface
« Reply #1 on: January 04, 2018, 04:29:21 pm »
I will try to answer this. Experts: correct me if I am wrong.

You can set up a rule on the LAN interface.
Within the rule, under Source, select "Single host or alias" and define the IP address of the machine which should go out through WAN2.
Next, under Extra Options, click on "Display Advanced", scroll down to "Gateway" and choose the one for WAN2.

Just ensure the rules are in the correct order, else this source will hit the default LAN rule first and follow the regular path.
« Last Edit: January 04, 2018, 04:36:49 pm by GoldFish »
* pfSense Enthusiast *

Offline robina80

Re: make host go out specific WAN interface
« Reply #2 on: January 04, 2018, 05:02:12 pm »
So I don't need to do it under "Firewall > NAT > Outbound", just make a simple rule under "Firewall > Rules"?

I just want this host to use WAN2 for traffic in/out,

and all other traffic to use WAN1 in/out.

Offline Derelict

Re: make host go out specific WAN interface
« Reply #3 on: January 04, 2018, 05:28:23 pm »
As long as the source address is already covered in the normal outbound NAT rules on that WAN interface you are good.

Outbound NAT only determines what NAT takes place. It has no bearing on what gets routed where.

Policy route your source address with the desired gateway set (or no gateway if the default route is what you need) above any more general rules that would also match the traffic. The rules would be on "LAN".
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESS™

Offline robina80

Re: make host go out specific WAN interface
« Reply #4 on: January 05, 2018, 12:51:39 am »
This is exactly what I'm after:

https://forum.pfsense.org/index.php?topic=106305.0

I still really don't get what outbound NAT is, as I thought it was exactly for this: to make a host or network go out a different gateway or WAN interface.

Offline Derelict

Re: make host go out specific WAN interface
« Reply #5 on: January 05, 2018, 12:55:30 pm »
Outbound NAT has no effect on routing.

It controls what NAT takes place when a new connection goes out a particular interface.

Most simple networks can use Automatic NAT.

Common uses for custom rules are for things like SIP PBXes that need static ports (if the source port from the PBX is 5060, it needs to be sourced from 5060 out the WAN interface (after NAT) too).

It can be used if you have multiple WAN addresses. (If the connection is to destination TCP/25, set the source address to X.X.X.X, else use X.X.X.Y)

If you have internal networks with public addresses that are routed to you, you might use a Do Not NAT rule for those source addresses so no NAT happens at all.

In any case, the routing table or policy routing has already chosen that WAN as the interface to use for the connection. The outbound NAT rules have zero influence over that decision.

Offline robina80

Re: make host go out specific WAN interface
« Reply #6 on: January 05, 2018, 03:22:18 pm »
OK, so below, point 9 is what you're saying ("policy based route"): make that host use the WAN2 gateway instead of the default one, i.e. WAN1.

But why has he done point 8?

thanks,

rob


08-configure-outbound-nat

There's a new(ish) hybrid mode for outbound NAT which makes this pretty easy.  Add the two rules shown in the screenshots and then set the Mode to Hybrid Outbound NAT.  I use the entire LAN subnet as the source address for these entries, but it could also be limited to the network block chosen for vpnclients (192.168.1.128/27).  I use the entire LAN subnet so I don't have to worry about updating outbound NAT rules if I want to change the vpnclients alias.

09-create-lan-firewall-rules

Add a rule to block vpnclients from making DNS queries to the LAN IP.  This prevents vpnclients from using the DNS Resolver and prevents DNS leaks if you forget to override DNS settings when adding static DHCP mappings for vpnclients.

Add a rule that creates a policy based route for vpnclients.  Traffic that matches the rule will be sent via the VPN (ex:TORGUARD) gateway.  Traffic that doesn't match will fall through to the default LAN rule.

Offline Derelict

Re: make host go out specific WAN interface
« Reply #7 on: January 05, 2018, 04:22:17 pm »
I have no idea. Because he doesn't understand either?

The Automatic NAT rules show you what source addresses the firewall has determined should be NATted. If your source network is included, you need not do anything. If it is not you can switch to hybrid (or manual) and add it.

Offline robina80

Re: make host go out specific WAN interface
« Reply #8 on: January 05, 2018, 04:53:32 pm »
The last step I need help with is point 10 (below), the "no_wan_egress". I imagine this is an alias to some networks?

10-create-floating-firewall-rules

Create a floating rule that watches for and rejects outbound WAN traffic that's marked NO_WAN_EGRESS.  This prevents vpnclients from connecting to the internet via the WAN when the VPN interface goes down.
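The three mechanisms this thread keeps circling (first-match LAN rules with a gateway set, outbound NAT keyed on the interface that routing already chose, and a floating rule that rejects NO_WAN_EGRESS-tagged traffic on the WANs) are easier to see as one pipeline. The following is an added toy model written for this page, not pfSense code or the guide's own configuration; the interface names, gateway names, addresses and rule set are constructed, and the policy-route fallback when a gateway is down is simplified to "follow the default route", which is what produces the leak the floating rule exists to stop.

```python
"""Toy model of the order in which pfSense makes the decisions discussed in the
thread (constructed example, not pfSense's implementation):

1. LAN rules are evaluated first-match; a matching rule with a gateway set
   policy-routes the connection out that gateway's interface.
2. Outbound NAT is consulted only afterwards, keyed on the egress interface
   already chosen; it rewrites the source address and never changes the route.
3. A floating rule on the WANs rejects traffic tagged NO_WAN_EGRESS, so a
   VPN-bound host cannot fall back to a WAN when the VPN gateway is down.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class LanRule:
    source: str                 # host (/32) or network in CIDR form
    gateway: Optional[str]      # gateway name, or None to follow the default route
    tag: Optional[str] = None   # pf tag applied by the rule, e.g. NO_WAN_EGRESS


@dataclass
class NatRule:
    interface: str              # egress interface this NAT rule applies to
    source: str                 # source network to translate
    translate_to: str           # address the source is rewritten to


@dataclass
class FloatingRule:
    interface: str              # "out" direction on this interface
    tag: str                    # reject packets carrying this tag


DEFAULT_GATEWAY = "WAN1_GW"
# constructed topology: gateway name -> egress interface, and interface -> address
GATEWAY_IFACE = {"WAN1_GW": "wan1", "WAN2_GW": "wan2", "VPN_GW": "ovpnc1"}
IFACE_ADDR = {"wan1": "198.51.100.10", "wan2": "203.0.113.10", "ovpnc1": "10.8.0.2"}

# constructed LAN rule list: the single host policy-routed to WAN2, a VPN client
# tagged so it may never leave via a WAN, then the general LAN rule (order matters)
LAN_RULES = [
    LanRule("10.100.1.10/32", "WAN2_GW"),
    LanRule("10.100.1.20/32", "VPN_GW", tag="NO_WAN_EGRESS"),
    LanRule("10.100.1.0/24", None),
]
# what Automatic/Hybrid outbound NAT produces: LAN net translated per egress interface
NAT_RULES = [NatRule(iface, "10.100.1.0/24", addr) for iface, addr in IFACE_ADDR.items()]
FLOATING_RULES = [FloatingRule("wan1", "NO_WAN_EGRESS"), FloatingRule("wan2", "NO_WAN_EGRESS")]


def match_lan_rule(lan_rules, src):
    """LAN rules are first-match: the first rule whose source covers src wins."""
    for rule in lan_rules:
        if ip_address(src) in ip_network(rule.source):
            return rule
    return None


def choose_interface(rule, gateways_up):
    """Policy routing picks the egress interface. A down gateway is skipped and
    the connection follows the default route (the leak case from the guide)."""
    gw = rule.gateway or DEFAULT_GATEWAY
    if not gateways_up.get(gw, True):
        gw = DEFAULT_GATEWAY
    return GATEWAY_IFACE[gw]


def outbound_nat(nat_rules, iface, src):
    """Outbound NAT only rewrites the source for the interface already chosen."""
    for nat in nat_rules:
        if nat.interface == iface and ip_address(src) in ip_network(nat.source):
            return nat.translate_to
    return src  # no matching rule: no translation happens at all


def route_connection(src, lan_rules=LAN_RULES, nat_rules=NAT_RULES,
                     floating=FLOATING_RULES, gateways_up=None):
    """Run one new outbound connection from src through the three stages."""
    if gateways_up is None:
        gateways_up = {}
    rule = match_lan_rule(lan_rules, src)
    if rule is None:
        return {"action": "block", "reason": "no LAN rule matched"}
    iface = choose_interface(rule, gateways_up)
    for fr in floating:
        if fr.interface == iface and rule.tag == fr.tag:
            return {"action": "reject", "reason": f"{fr.tag} traffic on {iface}"}
    return {"action": "pass", "interface": iface,
            "nat_source": outbound_nat(nat_rules, iface, src)}


if __name__ == "__main__":
    for host in ("10.100.1.10", "10.100.1.77", "10.100.1.20"):
        print(host, route_connection(host))
    print("VPN down:", route_connection("10.100.1.20", gateways_up={"VPN_GW": False}))
    print("rules reversed:", route_connection("10.100.1.10", lan_rules=list(reversed(LAN_RULES))))
```

Two things to try with it: pass an empty `nat_rules` list and the host still leaves via wan2, just untranslated, which is the point about NAT having no say in routing; reverse `LAN_RULES` so the general rule sits first and the host silently goes out WAN1, which is the ordering mistake the first reply warns about.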

Offline Derelict

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 10257
  • Karma: +1176/-313
    • View Profile
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESSTM

Offline robina80

Re: make host go out specific WAN interface
« Reply #10 on: January 05, 2018, 08:13:00 pm »
Thanks Derelict.

Offline robina80

Re: make host go out specific WAN interface
« Reply #11 on: January 10, 2018, 02:18:09 pm »
Mmm... something's not right.

I attach a picture of my rules and floating rules:

https://s18.postimg.org/fxir0ko49/rules.png

Basically my "internal network" is 10.100.1.0/24.

My "VPNclient" is 10.100.1.10, so it falls within the internal network subnet; I don't know if that matters.

My DHCP server's range is 10.100.1.50-10.100.1.200, so my vpnclient alias IP is not in the scope.

As soon as I change my PC NIC to 10.100.1.10 I lose internet.

Any help would be great; I presume I'm doing something really stupid!

cheers,

rob
« Last Edit: January 10, 2018, 02:22:49 pm by robina80 »

Offline robina80

Re: make host go out specific WAN interface
« Reply #12 on: January 12, 2018, 05:35:37 pm »
OK, I have added a new network on my switch, "172.17.2.0/24", and I have made my PC "172.17.2.1".

I have added a new static route on pfSense so the two can talk to each other, i.e. pfSense and my switch.

I have network access fine, i.e. I can talk to other subnets, but I still get no internet activity.

Can anyone help please?

thanks

rob

Offline Derelict

Re: make host go out specific WAN interface
« Reply #13 on: January 12, 2018, 05:44:46 pm »
Static route? Why a static route?

You are going to have to produce a diagram. See the one in my sig for the type of info necessary.

Offline robina80

Re: make host go out specific WAN interface
« Reply #14 on: January 12, 2018, 06:14:13 pm »
I attach a better network diagram of my static routes to my switch and pfSense:

https://s18.postimg.org/v2d0so15l/my_network.png

Yeah, I have static routes set up to route traffic from my default network on my pfSense to all my other networks on my switch.

I attach a picture so you have more of an understanding of my network:

https://s18.postimg.org/nz8tnpn4p/route.png

My pfSense IP is "10.100.1.254" and the switch on the same network is "10.100.1.253", and it carries static routes down it so my devices connected to my switch on different subnets can see the network and the internet.

On my PC I have made my default gateway the VPN network switch IP "172.17.2.253".
« Last Edit: January 14, 2018, 06:24:59 am by robina80 »