PfSense gateway rules by IP ranges

gatewaynetworkingpfsenserules

I have pfSense (1.2.3) with a WAN (gateway 10.10.20.1/24) and an OPT1 (gateway 10.10.21.1/24). I also have a LAN (static 10.10.12.1/24, DHCP 10.10.12.128-199/24).

I want to create rules so that traffic coming from LAN go through WAN if the source IP address is below 10.10.12.128/24 and through OPT1 otherwise.

I would I go and make that happen?

Thanks!

Solution: I'm filtering on two subnets as proposed by cpbills and I've added rules on the LAN interface that filters all source 10.10.12.128/25 and then uses the gateway of OPT1 and for the rest, then it falls back on the default route that forward all traffic to the WAN gateway.

Best Answer

you could break 10.10.12.0/24 into two subnets, 10.10.12.0/25 and 10.10.12.128/25 and then it would be pretty easy to differentiate in your firewall rules.

but that would probably only add to your workload, unless your hosts are assigned IPs via DHCP.

Related Solutions

Openvpn – pfSense Site-toSite VPN with OpenVPN connects but won’t route traffic

Here's what may be an issue. Imagine you have following network:

address pool: 10.1.1.0/255.255.255.0
router: 10.1.1.1
internal interface on internal vpn server: 10.1.1.2
some external machine that VPNs to network: 10.2.2.2
some internal client machine: 10.1.1.90

When you trying to access SIC from external VPN box, then traffic route goes like this:

10.2.2.2
vpn (internet)
10.1.1.2
10.1.1.90
OK

Seems fine, HOWEVER, in order for traffic to flow, the 10.1.1.90 machine should be able to respond and that means that packets from it must be routable to 10.2.2.2 too. Internal client has obviously ip: 10.1.1.90, mask: 255.255.255.0 and router: 10.1.1.90. Therefore, packets would be routed like this:

10.1.1.90
10.1.1.1 (sine it is router, and 10.2.2.2 is not directly addressable)
internet
NOT FOUND

Basically, reply packets will not even reach VPN. What can you do? Obviously, what will work is to add route to internal client to route all packets to 10.2.2.2 not to VPN box instead of router, such as (Windows box):

route add 10.2.2.0 mask 255.255.255.0 10.1.1.2

this will resolve the problem on single-machine level. Reply packets will go:

10.1.1.90
10.1.1.2 (explicit route)
vpn (internet)
10.2.2.2

To resolve issue on the network level, you must modify router in a same matter to redirect all traffic going to 10.2.2.0 to 10.1.1.2. This way reply packet will go:

10.1.1.90
10.1.1.1
10.1.1.2
vpn (internet)
10.2.2.2

Another solution is: make your VPN box to NAT on 10.1.1.2 interface. This way for internal machines it will look as if all the traffic originates from 10.1.1.2, and replies will go to 10.1.1.2. I would advise to go through routing though, since NAT will require additional resources on VPN box for connection tracker

PfSense with a bridge as a LAN interface : traffic blocked between interfaces

I had exactly the same problem.

After adding firewall rules from the bridge member interfaces to the bridge network it seems to work.

Cheers Cidi

Best Answer

Related Solutions

Openvpn – pfSense Site-toSite VPN with OpenVPN connects but won’t route traffic

PfSense with a bridge as a LAN interface : traffic blocked between interfaces

Related Topic