I have a few pfSense boxes connected to the same network. They each have an Internet connection on the WAN interface, one or more local subnets reachable on the LAN interface, and some of them have a connection to the rest of our network on the OPT1 interface.
We need to treat the traffic on OPT1 as a LAN interface most of the time. In other words, we take traffic coming in on OPT1 and NAT it out to the Internet. But, if the WAN interface goes down, we need to use the OPT1 interface to get to the Internet in another town. The whole network is OSPF. So I can probably get all traffic to fail to the next best default route advertised to us via the OPT1 interface. I haven't found the magic for dropping the configured default yet, but I suspect it will be doable.

The problem is that we have some hosts that need to be able to use their public IP address at all times, but are in locations where their traffic will have to transit the OPT1 interface to get to the pfSense box which handles the Internet connection which is allowed to source that traffic. But, the default route on the router at their location will try to send the traffic out its NATed Internet connection without some policy routing.

Is there a way in the GUI to configure policy routing for 10.240.44.0/22's traffic to be sent over the OPT1 toward the correct pfSense box without having a gateway specified on the OPT1 interface?

My firewall rules on LAN and OPT1 consist of "permit any to any". I have AON rules which NAT all of our subnets out the WAN interface for every pfSense box, unless the box is permitted to source traffic from one of our public subnets.

Do I just need to treat OPT1 as a WAN interface?

As an additional wrinkle, it could be that the best path to the correct Internet connected box may be on the LAN.

I suspect I may have to fall back to trying out the bsdrp or similar, but would like to keep pfSense if possible so I can go on vacation eventually.

-- 
Scott Lambert KC5MLE Unix SysAdmin [email protected]
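The policy routing described in the post, expressed as the pf rules pfSense generates when a firewall rule carries a gateway (a per-rule gateway becomes a pf `route-to` option). This is an added illustration, not configuration from the post or from pfSense itself; the interface names, the OPT1 next-hop address and the LAN-side next hop are placeholders, and it assumes the next hop toward the pfSense box that may source the public subnet is known and has been defined as a gateway (it does not have to be the interface's default gateway for `route-to` to use it).

```pf
# Constructed example: policy routing for the public subnet, bypassing
# the default route and the outbound NAT on WAN.
# Interface names and next-hop addresses are placeholders.
wan_if  = "em0"
lan_if  = "em1"
opt1_if = "em2"

# Next hop on OPT1 toward the pfSense box allowed to source this subnet
# (placeholder address; in pfSense this is a gateway defined under
# System > Routing, not necessarily the interface default gateway).
opt1_nexthop = "192.0.2.1"
# Alternative next hop if the best path to that box happens to be on LAN
# (placeholder address).
lan_nexthop  = "192.0.2.2"

# Subnet from the post whose hosts must keep their public address.
public_net = "10.240.44.0/22"

# Outbound NAT on WAN for everything else (matches the AON rules in the
# post). Traffic that is route-to'd out OPT1 never reaches this rule.
nat on $wan_if inet from !($wan_if) to any -> ($wan_if)

# Policy route: public-subnet traffic arriving on LAN is sent to the
# OPT1 next hop instead of following the default route out WAN.
# Evaluated before the "permit any to any" rules because of "quick".
pass in quick on $lan_if route-to ($opt1_if $opt1_nexthop) \
    inet from $public_net to any

# Same for public-subnet traffic arriving on OPT1 but destined upstream:
# when the better path is on LAN, hand it to the LAN-side next hop.
pass in quick on $opt1_if route-to ($lan_if $lan_nexthop) \
    inet from $public_net to !$public_net

# Existing "permit any to any" rules follow; their traffic still takes
# the default route and the NAT rule above.
pass in on $lan_if  all
pass in on $opt1_if all
```

Because `route-to` decides the exit interface per packet, the outbound NAT rule on WAN is simply never consulted for that traffic, so the hosts keep their public source address without the router's default route having to change. The equivalent in the pfSense GUI is a LAN (or OPT1) firewall rule with Source set to the public subnet and Gateway set to the next hop defined under System > Routing; OSPF can still advertise a better path, but a per-rule gateway overrides the routing table for matching packets, so a failed next hop needs gateway monitoring to fall back.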
