Netgate Discussion Forum
    Interface Group on multiple WANs - NAT not working?

    Category: Firewalling. 4 Posts, 3 Posters, 1.7k Views
    drees:

      I've got a fairly typical multi-WAN setup on pfSense 2.0.1 with one primary WAN and a secondary WAN port.

      Inbound access to servers is the same across both WAN ports so what I've been doing is duplicating rules across both interfaces.

      Then I saw the Interface Groups tab and thought - nice! now I can add my two WAN ports to the Interface Group and then only have to worry about a single page of firewall rules unless I want a specific rule for one of the two WAN ports.

      So I created an Interface Group with both WAN ports and proceeded to copy a rule over, leaving my two existing WAN interface rulesets intact.

      But what I found is that this killed inbound connections on my secondary WAN port to a NATted host.  Removing that WAN port from the interface group allowed things to continue working.

      Looking in /tmp/rules.debug I see rules in this order:

      WAN rules, LAN rules, WAN-group rules, then OPT1 rules (OPT1 is my other WAN connection).

      Looking at the difference between the WAN-group rules and WAN/OPT1 rules, the group rules are missing "reply-to ( <interface> <interface-ip> )".

      I assume that this is the problem here - I'm guessing that the connection reply isn't going out the right interface.

      Any ideas?  Should this work?  Am I doing something wrong or missing something?

    anatolidt:

        sorry, mixed routing groups with if-groups. are if-groups considered useful for multi-wan?

        I would say you did this quite right assigning incoming rules to each WAN interface. Also don't forget to assign NAT rules for each WAN also. At least this is the way described in the book for pfSense 1.2. But maybe I misunderstand the concept of if-groups, since choosing a group as outgoing gateway totally breaks my firewall rules and allows every traffic on that interface. Did not get a reply on this topic though.

    drees:

          @anatolidt:

          are if-groups considered useful for multi-wan?

          They're obviously useful for something - but it appears that it may not be useful for NAT related rules…

    cmb:

            WAN rules require reply-to in many circumstances for correct return routing, and that cannot be done on interface groups, it's only done on rules assigned to that particular WAN.

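As an added illustration of the point cmb makes (not code from the thread or from pfSense), the check below scans rules in the style of /tmp/rules.debug and reports every inbound pass rule that faces a WAN, directly or through an interface group, but carries no reply-to. The sample rules, the interface names $WAN/$OPT1/$WANGroup and the group membership are constructed assumptions; in practice you would read the file from the firewall and fill in your own interface names.

```python
import re

# Constructed sample in the style of pfSense 2.0's /tmp/rules.debug (assumed names, not from the post).
SAMPLE_RULES = """\
pass in quick on $WAN reply-to ( em0 203.0.113.1 ) inet proto tcp from any to 192.0.2.10 port 80 flags S/SA keep state label "USER_RULE: web on WAN"
pass in quick on $LAN inet from 192.168.1.0/24 to any keep state label "USER_RULE: lan out"
pass in quick on $WANGroup inet proto tcp from any to 192.0.2.10 port 80 flags S/SA keep state label "USER_RULE: web on group"
pass in quick on $OPT1 reply-to ( em1 198.51.100.1 ) inet proto tcp from any to 192.0.2.10 port 80 flags S/SA keep state label "USER_RULE: web on OPT1"
block in log quick on $WANGroup inet from 10.0.0.0/8 to any label "bogon"
"""

# Assumed topology: two WAN-type interfaces and one interface group that contains both.
WAN_IFACES = {"$WAN", "$OPT1"}
IFACE_GROUPS = {"$WANGroup": {"$WAN", "$OPT1"}}

RULE_RE = re.compile(r"^(?P<action>pass|block)\s+(?P<dir>in|out)\s+(?:log\s+)?(?:quick\s+)?on\s+(?P<iface>\$?\w+)")
LABEL_RE = re.compile(r'label\s+"([^"]*)"')


def faces_a_wan(iface, wan_ifaces=WAN_IFACES, groups=IFACE_GROUPS):
    """True if the rule's interface is a WAN or an interface group containing one."""
    return iface in wan_ifaces or bool(groups.get(iface, set()) & wan_ifaces)


def find_inbound_pass_without_reply_to(rules_text, wan_ifaces=WAN_IFACES, groups=IFACE_GROUPS):
    """Return (iface, label) for each inbound pass rule that faces a WAN but has no reply-to.

    Replies to connections matched by such a rule follow the routing table instead of
    going back out the interface they arrived on, which is what breaks a secondary WAN.
    """
    hits = []
    for line in rules_text.splitlines():
        m = RULE_RE.match(line)
        if not m or m["action"] != "pass" or m["dir"] != "in":
            continue  # block rules and outbound rules do not need reply-to
        body = line.split(" label ", 1)[0]  # ignore the label text when looking for the keyword
        if faces_a_wan(m["iface"], wan_ifaces, groups) and "reply-to" not in body:
            label = LABEL_RE.search(line)
            hits.append((m["iface"], label.group(1) if label else line.strip()))
    return hits


if __name__ == "__main__":
    for iface, label in find_inbound_pass_without_reply_to(SAMPLE_RULES):
        print(f"{iface}: rule '{label}' has no reply-to; replies may leave via the default WAN")
```

On the sample only the rule assigned to the group is flagged, matching what the thread observed: the per-WAN copies carry reply-to and the group copy does not.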
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.