Dual wan + advanced nat + port forwarding
-
Hello!
First of all, sorry for my ugly English. Here is my problem:
I couldn't find exactly my situation on this forum. 2 WAN / 1 LAN, advanced outbound NAT through each WAN interface for my LAN, port forwarding for my mail server. At this moment all outgoing traffic goes through the default WAN except some networks like 87.103.240.0/20, which are accessible through the OPT1 (WAN2) interface. From my network everything is OK, but any connections that are made from a network on the 2nd WAN interface to my first WAN interface cannot be established. What is the reason?
I can describe my network more precisely if it's needed… Thank you.
-
Why do you want to route incoming traffic at your 2nd WAN out to your 1st WAN? Routing from Internet to Internet? There are default firewall rules blocking traffic of that kind. Maybe I don't get exactly what you are trying to do, but at the moment this setup doesn't make sense to me. Please explain in more detail and describe what you want to achieve with this setup.
-
hoba:
Some services, like HTTP or SMTP, are published only on the first WAN interface and are accessible from the entire Internet. Some users from the networks to which I have static routes through the second interface want to access the IP of the first WAN, to access my server.
-
Should be doable with appropriate advanced outbound NAT rules and firewall rules, but it's not too easy and too abstract to discuss without details. You should try to understand how outbound NAT works and figure it out yourself.
-
hoba: I'm not a dummy :) I understand that it is not so easy. When packets are coming in on the first interface, why do their replies go through the second interface? Do I need something like source routing?
-
Normally the state that was generated on establishing the connection should keep track of where the answer should be sent. This might not work for active connections like FTP, as these connections don't belong to the same state.
-
OK, so I have some misconfiguration, yep? May I show you my config file?
-
This would need discussing your whole network, IP addresses, ranges, … describing in detail how it should work and what exactly you want to do. I think this is beyond the scope of this forum.
Set it up simply first, step by step, not starting with the full implementation. This should help you find what is wrong. Also have a look at the states that your forwards create (either in the web GUI or, even better, at the shell running pftop in real time).
-
I have a very simple network configuration: one primary WAN, on which I publish my mail services, and one backup WAN that also connects me directly to a domestic ADSL provider, which brings the leased lines to my branch offices. Load balancing (the way it's implemented now) isn't working for me. Here in Russia we still pay for incoming traffic, 5-10cc per megabyte, so we have to choose which line to use mostly and which only for failover. I am really waiting for the 1.1 version of pfSense.
-
You will be waiting for quite a while considering 1.0 is not even out yet.
-
I'll be a beta tester for the failover (not CARP) function, if it's possible. Thinking of ways I can support your project here in Russia, Siberia, or just in the city of Novosibirsk.
Can anybody solve the problem I described before
for some money? I forgot, I have only roubles. I would try to reconfigure my installation by myself, but I think I didn't make any mistakes there…
-
hoba: While I have a static route to 87.103.240.0/20 through the second WAN interface, there is no way to connect from this network (87.103.240.0/20) to the first WAN interface IP address. Once I delete the static route, everything is all right, but then how do I route my LAN's traffic that is better routed through the second interface? Oh-oh…
-
You don't need routes for directly connected subnets of the pfSense. Just create a pass firewall rule for traffic with this subnet as destination, with the gateway set to this WAN.
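To make the last two pieces of advice concrete, here is an added pf ruleset fragment (not from this thread and not the rules pfSense generates; pfSense builds its rules from the web GUI, so this only shows the underlying pf mechanics). It replaces the static route with a policy-routing rule and pins replies to the published service to the interface they arrived on. Interface names, the LAN range, the mail server address and both gateway addresses are assumed placeholders; 87.103.240.0/20 is the branch range from the thread.

```pf
# Added example ruleset; names, addresses and gateways below are assumed.
wan1       = "em0"               # primary WAN, mail/HTTP published here
wan2       = "em1"               # OPT1 / backup WAN (domestic ADSL)
lan        = "em2"
lan_net    = "192.168.1.0/24"    # constructed LAN range
wan1_gw    = "203.0.113.1"       # assumed WAN1 gateway
wan2_gw    = "10.0.0.1"          # assumed OPT1 gateway
branch_net = "87.103.240.0/20"   # networks reached via WAN2 (from the thread)
mailsrv    = "192.168.1.25"      # constructed internal mail server

# Outbound NAT on each WAN so LAN traffic leaving either interface uses that
# interface's own address (the "advanced outbound NAT" discussed above).
nat on $wan1 from $lan_net to any -> ($wan1)
nat on $wan2 from $lan_net to any -> ($wan2)

# Port forward for SMTP, published on the first WAN only.
rdr on $wan1 proto tcp from any to ($wan1) port 25 -> $mailsrv port 25

# Policy routing instead of a static route: LAN traffic to the branch
# networks is handed to WAN2's gateway; everything else follows the default
# route out WAN1. Being a filter rule, route-to only affects packets that
# match it, so it cannot redirect replies to connections that came in on WAN1.
pass in quick on $lan route-to ($wan2 $wan2_gw) from $lan_net to $branch_net keep state
pass in quick on $lan from $lan_net to any keep state

# Inbound to the published service: reply-to records the arrival interface
# and gateway in the state, so a branch host in 87.103.240.0/20 talking to
# WAN1 gets its replies back out through WAN1, even though the forward path
# to that network prefers WAN2. rdr has already rewritten the destination,
# so the filter rule matches the internal address.
pass in quick on $wan1 reply-to ($wan1 $wan1_gw) proto tcp from any to $mailsrv port 25 keep state
```

After loading such a ruleset, `pfctl -ss` (or pftop, as suggested above) shows the state table; a state for a connection from the branch range should list $wan1 as its interface, which confirms the reply path is pinned rather than following the routing table.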