Hybrid NAT rules not working on multi-WAN setup
-
I’m trying to create a rule while LAN1 uses WAN1 and LAN2 uses WAN2. I’ve enabled hybrid mode and created both rules but they won’t take effect. All traffic remains routed through WAN2 which is the tier 1 connection on the gateway LB group.
-
@cody5679
Outbound NAT rules do what their name implies. They translate IP addresses of packets when they are going out.
But they don't force traffic out to a certain interface. You need policy-routing rules to achieve this, along with outbound NAT rules.
-
Hello, is this a change in 2.8? I’ve always been able to set up a NAT rule to force specific traffic sources, either an IP, interface or subnet, out a set WAN interface with that interface's WAN IP.
-
@cody5679
I've used pfSense since version 1.2.3, but cannot remember that an outbound NAT rule ever affected the routing.
-
@viragomann NAT is translating a private IP to a public interface for routing. So a NAT rule would define what WAN interface traffic should route through. Happy to show you multiple working setups across dozens of sites.
-
@cody5679
Again, a NAT rule does not route traffic. You can translate the source address to any you want with an outbound NAT rule. This doesn't affect any routing.
However, response traffic will not come back if the translation address is not assigned to your interface.
@cody5679 said in Hybrid NAT rules not working on multi-WAN setup:
I’m trying to create a rule while LAN1 uses WAN1 and LAN2 uses WAN2. I’ve enabled hybrid mode and created both rules but they won’t take effect. All traffic remains routed through WAN2 which is the tier 1 connection on the gateway LB group.
Run a packet capture on WAN2 and you will see that the packets go out with the WAN2 address, which is correct and necessary to get responses back.
Then add an outbound NAT rule on WAN2 and translate any source to the WAN1 IP. Put this rule at the top.
In the capture on WAN2 you will see the packets going out with the WAN1 IP as source, but you will not be able to access anything on the internet.
Add a policy-routing rule with the desired gateway to route traffic out to the non-default gateway.
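As an added illustration (written for this thread, not posted by either participant), here is the same distinction in pf.conf syntax, which is what pfSense compiles its GUI rules into. Interface names, subnets, addresses and gateways below are constructed placeholders, not anyone's real config:

```pf
# Constructed layout (placeholders):
#   LAN1 = em0 192.168.1.0/24        LAN2 = em1 192.168.2.0/24
#   WAN1 = em2 203.0.113.10, gw 203.0.113.1
#   WAN2 = em3 198.51.100.10, gw 198.51.100.1   (default route)

# 1. Outbound NAT only (the original setup). These rules rewrite the
#    source address of packets that are ALREADY leaving on the named
#    interface; they never choose the interface. With the default route
#    on WAN2, LAN1 traffic still exits em3 and the em2 rule never matches.
nat on em2 inet from 192.168.1.0/24 to any -> 203.0.113.10/32 port 1024:65535
nat on em3 inet from 192.168.2.0/24 to any -> 198.51.100.10/32 port 1024:65535

# 2. The failing experiment from the reply above: translating on WAN2
#    to WAN1's address. Packets do leave em3 with 203.0.113.10 as source,
#    but the upstream on em3 routes replies toward WAN1, so nothing
#    comes back. Shown commented out; do not use.
# nat on em3 inet from 192.168.1.0/24 to any -> 203.0.113.10/32

# 3. The fix: policy routing on the inbound LAN rule ("Gateway" under
#    Advanced in a pfSense firewall rule). route-to picks the exit
#    interface and next hop; the per-interface nat rules in step 1 then
#    supply the matching source address.
#    Traffic to other local subnets must be passed WITHOUT route-to first,
#    or it would be sent out the WAN as well.
pass in quick on em0 inet from 192.168.1.0/24 to 192.168.2.0/24 keep state
pass in quick on em0 route-to (em2 203.0.113.1) inet from 192.168.1.0/24 to any keep state

pass in quick on em1 inet from 192.168.2.0/24 to 192.168.1.0/24 keep state
pass in quick on em1 route-to (em3 198.51.100.1) inet from 192.168.2.0/24 to any keep state
```

A capture on em2 (WAN1) should then show LAN1 flows leaving with 203.0.113.10 as source and their replies returning on the same interface.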
-
Where would I find the policy routing rule you're talking about?
-
Never mind, I figured it out via the firewall rules.