Hi WebDawg. Thanks for the reply. I have been looking at these floating rules, but might have gotten something wrong.

I have a floating rule which says: Proto TCP IPv4, source and port are *, destination BBC (alias to their IP block), port is *, gateway is my UK VPN server, queue none, schedule none. If I tell my OpenVPN client to not use the routing, BBC won't work... If I do, then all my traffic looks like it's coming from the UK (BBC and others), but all traffic is not flowing out through the VPN... I'm a little confused by this...

In the mail below I ask:

> I think that's all the major issues I have... I think (but could be
> wrong) I have the second one working, but I would like to know if
> there is a better way of doing it than as follows:
>
> Firewall, Rules, LAN and I have a connection that says Dest is <IP
> block>, dest port *, source is LAN Net, source IP is *, gateway is
> <upstream I want to send to>.

And you answer:

> Seems right, you are going to need floating for the other gateway direction.

What do you mean by this?

Thanks again.

--Tiernan

-----Original Message-----
From: List [mailto:[email protected]] On Behalf Of WebDawg
Sent: Tuesday 10 February 2015 16:25
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] Migrating from RouterOS to PFSense

On Tue, Feb 10, 2015 at 1:41 AM, Tiernan OToole <[email protected]> wrote:
> Good morning all.
>
> For the year or so, I have been running MikroTik RouterOS on either
> their own hardware or my own hardware, and all has mostly been good,
> bar the fact the OS won't see more than 2Gb of RAM and my machine has 8...
>
> Anyway, I decided to install pfSense 2.2 on a new hard drive and
> plugged it into my existing hardware, but now I have some questions
> about getting this fully working the same way it worked on RouterOS.
>
> First, some background. The machine in question is an old HP ProLiant
> ML110 G5 server with an Intel Core2Quad, 8Gb RAM, I think it's a 500Gb HDD
> (just grabbed the first one I could fix) and a mix of network cards
> giving a total of 12 GigE connections. There are 3 WAN connections (2
> Cable modems at 200/20 and a VDSL at 100/20, closer to 70ish.) The cable
> modems give out public IPs (they are in Bridged mode) and the machine
> gets an IP via DHCP. The VDSL is PPPoE.
>
> I have managed to get a somewhat basic load balancing setup working,
> and it does seem to work grand. Speedtest.net, which now seems to be
> multithreaded, is giving me download speeds of anywhere from 420 - 480mb/s.
>
> Now, the real question:
>
> In RouterOS I could do the following:
>
> Any incoming traffic (from the LAN) from a given IP address could be
> routed through a given upstream connection, be that a specific WAN
> connection or a VPN connection.

You should be able to do this with firewall rules and specifying gateways.

*https://doc.pfsense.org/index.php/Multi-WAN#Overview

> Any incoming traffic (from the LAN) to a given IP address or network
> (for example BBC) could be routed through a given upstream provider,
> again WAN or VPN

I think you would need to use floating rules for this.

Firewall rules on Interface and Group tabs process traffic in the Inbound direction and are processed from the top down, stopping at the first match. Where no user-configured firewall rules match, traffic is denied. Only what is explicitly allowed via firewall rules will be passed.

*https://doc.pfsense.org/index.php/Firewall_Rule_Basics

Floating Rules are advanced Firewall Rules which can apply in any direction and to any or multiple interfaces. Floating Rules are defined under Firewall > Rules on the Floating tab.

*https://doc.pfsense.org/index.php/What_are_Floating_Rules

> All incoming requests that come from a particular WAN connection (eg,
> web request on port 80) will return over that connection, so
> traffic requested on port 80 on WAN 1 will be returned to the client on WAN1.
>

Would this not just be NAT in general?

https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense

I guess I could see how things may get mixed depending on your configuration.

> I think that's all the major issues I have... I think (but could be
> wrong) I have the second one working, but I would like to know if
> there is a better way of doing it than as follows:
>
> Firewall, Rules, LAN and I have a connection that says Dest is <IP
> block>, dest port *, source is LAN Net, source IP is *, gateway is
> <upstream I want to send to>.

Seems right, you are going to need floating for the other gateway direction.

>
> This is the top option, and at the bottom are the standard allow
> everything out connections...

It processes rules from top to bottom and stops when one matches.

>
> Am I doing this right?
>
> Thanks again!
>
> --Tiernan
>
> _______________________________________________
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
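The point that comes up twice in the thread (rules are processed top down, the first match wins, and anything unmatched is denied) is what decides whether Tiernan's "Dest is <IP block>, gateway is <upstream>" rule actually takes effect above the "allow everything out" rule. The following is an added example, not code from the thread or from pfSense: a small Python model of that evaluation order with a per-rule policy-routing gateway. The alias names, the gateway name `UK_VPN`, and the prefix `203.0.113.0/24` standing in for the "BBC" alias are all constructed for illustration (203.0.113.0/24 is a documentation range, not the BBC's real address space).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample aliases (hypothetical; "BBC" here is a documentation prefix,
# not the real BBC address block referred to in the thread).
ALIASES = {
    "BBC": [ipaddress.ip_network("203.0.113.0/24")],
    "LAN net": [ipaddress.ip_network("192.168.1.0/24")],
}


@dataclass
class Rule:
    action: str                    # "pass" or "block"
    proto: str                     # "tcp", "udp" or "any"
    src: str                       # alias name or "*"
    dst: str                       # alias name or "*"
    dport: Optional[int]           # destination port, None means "*"
    gateway: Optional[str] = None  # policy-routing gateway; None = default routing table
    name: str = ""


def _matches_addr(spec: str, addr: str) -> bool:
    """'*' matches anything; otherwise the address must fall inside one of the alias prefixes."""
    if spec == "*":
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ALIASES[spec])


def matches(rule: Rule, pkt: dict) -> bool:
    return (rule.proto in ("any", pkt["proto"])
            and _matches_addr(rule.src, pkt["src"])
            and _matches_addr(rule.dst, pkt["dst"])
            and (rule.dport is None or rule.dport == pkt["dport"]))


def evaluate(rules, pkt: dict) -> Tuple[str, Optional[str], str]:
    """Top-down, first match wins. Returns (verdict, gateway, rule name).
    No user rule matching means the implicit default deny applies."""
    for rule in rules:
        if matches(rule, pkt):
            if rule.action == "block":
                return ("block", None, rule.name)
            return ("pass", rule.gateway or "default", rule.name)
    return ("block", None, "implicit default deny")


# The two LAN-tab rules from the thread, modelled as objects.
policy = Rule("pass", "tcp", "LAN net", "BBC", None, gateway="UK_VPN", name="BBC via UK VPN")
allow_all = Rule("pass", "any", "LAN net", "*", None, name="allow LAN out")

GOOD_ORDER = [policy, allow_all]   # specific policy rule on top, as Tiernan has it
SHADOWED = [allow_all, policy]     # catch-all on top: the policy rule is never reached


def route_for(rules, dst: str, proto: str = "tcp", dport: int = 443,
              src: str = "192.168.1.10") -> Tuple[str, Optional[str], str]:
    """Evaluate a single constructed LAN-originated packet against a rule list."""
    pkt = {"proto": proto, "src": src, "dst": dst, "dport": dport}
    return evaluate(rules, pkt)


if __name__ == "__main__":
    for label, rules in (("policy rule first", GOOD_ORDER), ("catch-all first", SHADOWED)):
        print(label, "->", route_for(rules, "203.0.113.5"))
    print("non-BBC destination ->", route_for(GOOD_ORDER, "198.51.100.7"))
    print("source not in LAN net ->", route_for(GOOD_ORDER, "203.0.113.5", src="10.9.9.9"))
```

Running it shows the ordering effect directly: with the policy rule on top, BBC-bound traffic gets `UK_VPN`; with the catch-all on top, the same packet is passed on the default gateway and the VPN rule is dead. The model deliberately ignores state tracking and interface direction, which is why it says nothing about reply traffic; it only reproduces the ordering and default-deny semantics quoted from the pfSense docs in the reply.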
