Adv. Outbound NAT with Dual WAN (No Loadbalance) and Multiple VLAN?
-
Hi All,
I'm currently running pfSense 1.2-BETA-1 built on Mon Apr 30 10:47:18 EDT 2007.
I have 4 NICs in my pfSense box.
[] WAN
[] LAN
[] OPT1 (DMZ)
[] OPT2 (WAN2) - not working yet.
I have 9 VLANs running off the LAN interface - I use pfSense for routing.
All VLANS etc are running perfectly.
I want to add an additional WAN connection (WAN2); I have an ADSL modem/router which is set up.
I have set up the WAN2 interface etc. as per the documentation/tutorial "setting up policybased routing with multiple WAN-links (PDF)".
I have a Windows SharePoint server set up on VLAN_900.
I want the traffic from this VLAN to route outbound through my WAN2 link as it has a much greater upload speed.
I'm pretty sure I understand all of the documentation, however I can't find much about 'advanced outbound NAT'.
When I tick the 'Enable Advanced Outbound NAT' option, it creates a rule ONLY for the LAN interface.
Interface  Source            Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port  Description
WAN        192.168.144.0/24  *            *            *                 *            *         NO           auto created rule for LAN
I'm pretty sure I need to create a 'copy' of this rule for all of my interfaces/VLANs and to specify that I want all traffic from VLAN_900 to route out via WAN2..?
i.e.
Interface  Source          Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port  Description
WAN        172.16.0.0/22   *            *            *                 *            *         NO           auto created rule for LAN
WAN        VLAN_100 IP/22  *            *            *                 *            *         NO           NAT VLAN_100 -> Def. GW
WAN        VLAN_200 IP/22  *            *            *                 *            *         NO           NAT VLAN_200 -> Def. GW
.
.
WAN        VLAN_800 IP/22  *            *            *                 *            *         NO           NAT VLAN_800 -> Def. GW
WAN2       VLAN_900 IP/22  *            *            *                 *            *         NO           NAT VLAN_900 -> WAN2 GW
WAN        DMZ_IP/22       *            *            *                 *            *         NO           NAT DMZ_IP -> Def. GW
Can anyone please confirm that this is correct, or tell me which advanced outbound NAT rules I need to create?
CHEERS!
NB: In my DMZ I have a reverse proxy. Do I need to add additional rules for this to work?
-
Hi All,
Well I implemented the above rules and it worked without drama.
BUT:
External (WAN IP) --> Internal Webserver (VLAN_900) --> External: still not utilising the WAN2 link.
Internal VLAN_900 --> External utilises WAN2.
I'm not sure how to change this (i.e. have external inbound connections on WAN and then return/upload data on WAN2)?
Or whether this is even possible at all?
Any ideas..?
Cheers.
-
Look at the load balancing / multi-WAN document @ doc.pfsense.com
Hint: you define the gateway in the LAN firewall rules.
-
Hi Scott,
Appreciate the reply. I've read the doc (perhaps too many times - so I might be missing something obvious?)
::::::::: An Aside::::::::::::::::::::::::::::::::::::::::::::::::
I'm not after load balancing, or failover (at this stage).
I have my primary WAN link, which has 5 static IP addresses.
I have my (brand new) secondary link which only has 1 static IP.
One of the internal businesses hosts a (publicly accessible) SharePoint webserver, with multiple client sites.
Because I don't control the DNS records for their client sites (multiple, multiple clients maintain their own DNS records/updates etc.), I am looking to have the secondary WAN link connected such that incoming (external) webserver requests come in on the existing static IP and are serviced on the WAN2 link (it has a much, much faster 'upload' speed).
Once this is working, the next thing I wish to do is to get the clients to update their DNS records to point to the 'new' static IP.
Once this transition has occurred, I'll actually move this internet connection to its own pfSense install and separate it from 'my network'.
Hope this makes sense?
:::::::::::::::End Aside:::::::::::::::::::::::::::::::::::::::::::::::
I have policy based routing working fine - i.e. if I hook up a workstation/laptop on my VLAN_900, all inbound and outbound requests go through the WAN2 link (e.g. accessing the internet from the webserver does this too).
The bit that is confusing me (which I admittedly don't understand that well) is that when an external client wants to connect to the sharepoint webserver, it is not utilising the WAN2 link whatsoever.
Everything I have read is for 'load balancing'/routing internal requests, but because this is a webserver and the requests originate externally, I have no idea where/how to force the connection to use the WAN2 link...?
i.e.
::::::::::::::::::::: Slightly convoluted Example ::::::::::::::::::::::::::::::::
External client (has IP of 202.12.45.89) wants to connect to the SharePoint website "sharepoint.clakeywebsite.com.au" (has IP of 280.34.56.12).
sharepoint.clakeywebsite.com.au is sitting on the internal (VLAN_900) network and has IP 172.16.36.50.
1. Client connects on a random port from 202.12.45.89 to port 80 on sharepoint.clakeywebsite.com.au (280.34.56.12).
2. pfSense NATs all incoming port 80 on 280.34.56.12 to port 80 on internal IP 172.16.36.50.
3. Webserver receives request and processes it.
4. Page is served to client on WAN link (not WAN2).
As stated, I would like the page 'served' over the WAN2 link.
I would assume that it is all working except that I am missing a step '3a' in which traffic is routed back via WAN2.
I have a 'policy based routing' rule on the VLAN_900 interface:
Proto  Source  Port  Destination  Port  Gateway        Schedule  Description
*      *       *     *            *     192.168.100.1            Policy Route VLAN_900->WAN2
I have an advanced outbound NAT rule:
Interface  Source          Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port  Description
WAN2       172.16.36.0/22  *            *            *                 *            *         NO           NAT VLAN_900->WAN2
NB:
192.168.100.1 is the IP address of my WAN2 modem router.
172.16.36.0/22 is my network and subnet addresses for VLAN_900 (where the SharePoint webserver resides - it is the only machine/IP on VLAN_900).
HELP??
::::::::::::::::::::: End Slightly convoluted Example :::::::::::::::::::::::::::
Apologies that this is so long-winded, but the more I try and explain it, the more convoluted the explanation becomes.
Cheers.
-
Forcing external to internal connections should be done via DNS?
-
Traffic that came from the internet on WAN1 you can't send back through WAN2.
If you do, then your WAN IP address changes and so it will be refused by the PC that connected to you from WAN1.
Traffic always has to come back from the same WAN and session to be able to pass a remote firewall.
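As an added illustration (my own toy model, not code from this thread or from pfSense), here is a Python sketch of the 'slightly convoluted example' above, modelling the point jeroen234 makes: a stateful endpoint only accepts a reply whose 4-tuple mirrors the connection it opened, so a reply that arrived on WAN but is NATed out through WAN2 carries a different source address and is dropped, while a connection VLAN_900 opens itself can leave on either WAN. The addresses 202.12.45.89, 280.34.56.12 and 172.16.36.50 are taken from the example; the WAN2 address 203.0.113.7, the remote host 198.51.100.20 and the port numbers are constructed placeholders.

```python
from dataclasses import dataclass

# Addresses from the thread. 280.34.56.12 is the poster's illustrative value
# (not a valid IPv4 address), so addresses are handled as plain strings here.
CLIENT = "202.12.45.89"
WAN_IP = "280.34.56.12"
SERVER = "172.16.36.50"
# Constructed placeholders (RFC 5737 documentation ranges), not from the thread.
WAN2_IP = "203.0.113.7"
REMOTE = "198.51.100.20"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def key(self):
        return (self.src, self.sport, self.dst, self.dport)

    def reply_key(self):
        """4-tuple a reply to this packet must carry to match the sender's session."""
        return (self.dst, self.dport, self.src, self.sport)


class Host:
    """A stateful endpoint (the client's TCP stack or a remote firewall):
    it accepts a packet only if it mirrors a session the host itself opened."""

    def __init__(self, ip):
        self.ip = ip
        self.sessions = set()

    def connect(self, dst, dport, sport):
        pkt = Packet(self.ip, sport, dst, dport)
        self.sessions.add(pkt.key())
        return pkt

    def accepts(self, pkt):
        return pkt.reply_key() in self.sessions


class Edge:
    """The pfSense box: a port forward on WAN, outbound NAT on WAN and WAN2,
    and a VLAN_900 policy route that picks which WAN outgoing packets use."""

    def __init__(self, policy_gateway):
        self.policy_gateway = policy_gateway   # "WAN" or "WAN2"
        self.forwarded = {}                    # inside reply key -> WAN IP it arrived on
        self.snat = {}                         # translated key -> inside source IP

    def inbound_from_internet(self, pkt):
        """Step 2: port-forward WAN_IP:80 to SERVER:80 and remember the public
        address the connection arrived on; otherwise undo outbound NAT by state."""
        if (pkt.dst, pkt.dport) == (WAN_IP, 80):
            inside = Packet(pkt.src, pkt.sport, SERVER, 80)
            self.forwarded[inside.reply_key()] = WAN_IP
            return inside
        inside_src = self.snat.get(pkt.reply_key())
        if inside_src is None:
            return None                        # no matching state: dropped
        return Packet(pkt.src, pkt.sport, inside_src, pkt.dport)

    def outbound_from_vlan900(self, pkt):
        """Step 4 (or the wished-for 3a): the packet leaves on the policy-route
        gateway and that interface's outbound NAT rule rewrites the source."""
        if self.policy_gateway == "WAN2":
            public = WAN2_IP
        else:
            public = self.forwarded.get(pkt.key(), WAN_IP)
        translated = Packet(public, pkt.sport, pkt.dst, pkt.dport)
        self.snat[translated.key()] = pkt.src
        return translated


def page_served_ok(policy_gateway):
    """Steps 1-4 of the thread's example: True if the external client's
    TCP stack accepts the reply that comes back to it."""
    client, edge = Host(CLIENT), Edge(policy_gateway)
    request = client.connect(WAN_IP, 80, sport=51234)                   # step 1
    inside = edge.inbound_from_internet(request)                        # step 2
    reply = Packet(inside.dst, inside.dport, inside.src, inside.sport)  # step 3
    return client.accepts(edge.outbound_from_vlan900(reply))            # step 4


def server_initiated_public_ip(policy_gateway):
    """The case that already works in the thread: VLAN_900 opens a connection
    outward. Returns the public IP the remote host saw if its reply made it
    back to the server, else None."""
    server, edge = Host(SERVER), Edge(policy_gateway)
    on_wire = edge.outbound_from_vlan900(server.connect(REMOTE, 443, sport=40000))
    back = Packet(REMOTE, 443, on_wire.src, on_wire.sport)  # remote answers what it saw
    inside = edge.inbound_from_internet(back)
    if inside is not None and server.accepts(inside):
        return on_wire.src
    return None


if __name__ == "__main__":
    print("reply via WAN :", page_served_ok("WAN"))    # True
    print("reply via WAN2:", page_served_ok("WAN2"))   # False: client sees a different source IP
    print("VLAN_900 -> internet via WAN2 seen as", server_initiated_public_ip("WAN2"))
```

The model ignores pf's own state handling (pfSense 1.2 already answers forwarded connections on the interface they arrived on, which is why the poster saw the page served on WAN); it only shows what the client would do if the reply were forced onto WAN2.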
-
Hi sullrich & jeroen234,
Appreciate the replies.
Traffic that came from the internet on WAN1 you can't send back through WAN2.
If you do, then your WAN IP address changes and so it will be refused by the PC that connected to you from WAN1.
Traffic always has to come back from the same WAN and session to be able to pass a remote firewall.
This is the conclusion I had reached but was hoping that I was wrong.
Next stop 'plan b'…
Forcing external to internal connections should be done via DNS?
I'm assuming that you mean that I need to update the DNS records such that the original request 'sharepoint.clakeywebsite.com.au' resolves to the IP address of the WAN2 link on which I wish to serve the pages? This is the plan b.. ;D
CHEERS FELLAS - TOP PRODUCT SCOTT AND EVERYONE ELSE WHO CONTRIBUTES TO ITS SUCCESS!
- Lakey.
-
DNS is definitely the way to go: just get your name to resolve to WAN2 and then route the necessary port in.