MULTI WAN & NAT ??? [SOLVED - Reply#10]
-
Hi, so I think I may be missing something simple.. but right now I am not sure..
I have 2 WAN connections, set up with pfSense 2.0.2. Multi-GW works great, multi-LAN LB works great.. Everything.. Just great.. until it comes to NAT.
I can get the main WAN connection to port forward on any port and I can reach it from the cloud, no problem..
I have NAT on my second WAN connection set up and for the life of me it won't work.. I can't hit it from the cloud.. I have tried using different ports.
So I have tried, say, to open port 80 for WAN1 and WAN2; I can only reach WAN1.
Open port 9090 on WAN1 and port 80 on WAN2; I can only reach WAN1.
I have tried putting the WAN2 rules before WAN1 also, nothing….
If I have WAN1 and WAN2 open on port 80 and then pull WAN1 modem power (causing a fail-over) it works great, all traffic leaves WAN2 with no timeouts during the fail-over... BUT still absolutely unable to open any port... some help please! :)
-
Anyone have any thoughts? Anything would be of help..
-
You are not alone, same here :(
I can tell you what the problem is, but not how to solve it ;/
You try to connect through WAN2 on port 80 (example), the traffic goes to your LAN PC listening on port 80. The PC answers to pfSense and pfSense sends the answer out on WAN1 ;/
Your device doesn't recognize that, because it comes from another IP ;/
There is a problem (or I am braindead) with the reply-to rules. pfSense doesn't remember where the traffic actually came from. ;/
Dirty fix/workaround is to make a rule on the LAN interface which redirects the port 80 traffic to WAN2. The problem here is that you can't reach port 80 over WAN1 now. I AM SEARCHING FOR AN ANSWER TOO! :'( :'( :'( :'( :'(
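The asymmetric return path described in the reply above, written out as the shape of pf ruleset that pfSense generates for a multi-WAN port forward. This is an added illustration, not config from the thread or from a real pfSense box; the interface names, gateway addresses and server address are placeholders.

```pf
# Added illustration of the reply-to mechanism discussed above.
# Interface names and addresses are placeholders, not taken from the thread.
wan1_if = "em0"            # WAN  (primary; also carries the system default route)
wan2_if = "em1"            # OPT1 (second WAN)
wan1_gw = "198.51.100.1"   # placeholder upstream gateway on WAN1
wan2_gw = "203.0.113.1"    # placeholder upstream gateway on WAN2
web_srv = "192.168.1.167"  # placeholder LAN host running the forwarded service

# Port forward (rdr) on each WAN: rewrite the destination to the LAN host.
rdr on $wan1_if inet proto tcp from any to ($wan1_if) port 80 -> $web_srv port 80
rdr on $wan2_if inet proto tcp from any to ($wan2_if) port 80 -> $web_srv port 80

# Matching pass rules. reply-to is the important part: it records on the
# state which interface/gateway the connection arrived through, so the
# server's replies leave via that same WAN instead of following the default
# route back out through WAN1 (the symptom described in the thread). Without
# it, a client that connected to the WAN2 address sees replies from WAN1's
# address and drops them.
pass in quick on $wan1_if reply-to ($wan1_if $wan1_gw) inet proto tcp \
    from any to $web_srv port 80 keep state
pass in quick on $wan2_if reply-to ($wan2_if $wan2_gw) inet proto tcp \
    from any to $web_srv port 80 keep state
```

On a pfSense shell, `pfctl -sr | grep reply-to` shows whether the generated pass rules for the second WAN actually carry the option.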
-
Some screenshots would be nice. ( NAT / LAN / WAN / Outbound NAT )
-
Ok will get you some screenshots ,np.
Ok so I have just tried:

                                                   (WAN)
SERVER 1 (Port80) ---------------> --------------> WAN1
                  SWITCH -----------> PFSENSE
SERVER 2 (Port22) ---------------> --------------> WAN2
                                                   (OPT1)

What I tried in my first post was:

                                                   (WAN)
SERVER 1 (Port80) ---------------> --------------> WAN1
                  SWITCH -----------> PFSENSE
SERVER 1 (Port80) ---------------> --------------> WAN2
                                                   (OPT1)

ALSO:

                                                   (WAN)
SERVER 1 (Port80) ---------------> --------------> WAN1
                  SWITCH -----------> PFSENSE
SERVER 1 (Port22) ---------------> --------------> WAN2
                                                   (OPT1)

What I have noticed, I think it's a problem with NAT on the OPT1 interface... It doesn't matter if I use the same LAN IP or a different one, the port won't open on the OPT1 interface... and yes, I have the services running ;)
-
right now I have my Firewall: NAT: Outbound to:
Automatic outbound NAT rule generation
(IPsec passthrough included)
and there are 4 DNS servers there, I just removed 3 of them for the screenshot.
-
So I have gone out and purchased another NIC, so now I have tried:

                  LAN2 .167 (port22)          .167
           ---------------> --------> ------------->WAN
SERVER 1          SWITCH    PFSENSE
           ---------------> --------> ------------->WAN2 (OPT1)
                  LAN1 .168 (port80)          .168

So I have done that above, 2 completely separate NIC cards for 2 different LAN segments, and have even set the gateways separately: LAN1 gets WAN GW, LAN2 gets WAN2 GW.
The port still won't open?!?
Here are my firewall logs when I try to check the port from, say, http://www.yougetsignal.com/tools/open-ports/
-
Ok so I have done the exact same setup as above. I am not sure why I didn't come to this before.. I clicked the Act of the blocked rule for port 22; there was a "scrub on all fragment reassemble" block and a "block all". I used the easy rule pass and I disabled scrub, and I am not getting firewall block logs for port 22 now when I check to see if it is open (the port still shows closed when I check it). When I check, say, port 9191, which is open on WAN1 and not WAN2, I get the block rule and that's perfect; if I check the port against WAN1, it's open and all is fine.
On my default route page, how can I change the default route gateway to the MultiWAN group I have made? Right now it is set for the WAN gateway only… even though LAN traffic is LB via the multi-WAN GW rule on LAN... I'm a little confused now..
-
OK! So I have "fixed" it.. The issue was just as I figured in my last post.. On the Diagnostics: Routing tables page, the default route was the "WAN PORT" IP.. I changed my default gateway to my OPT1 interface and now the default route IP shows the OPT1 IP. Now I am able to reach any port I open from both WAN and OPT1 IPs…. This is clearly a bug in pfSense; there should be a way to change the default route to a gateway group.. this would solve the problem I think.. :) Well, my issue is solved, correct workaround or not... it's a fix for now..
-
When I change the default gateway to OPT1, then everything I opened on WAN1 doesn't work anymore…
-
Hey Marv, Here is my full config. I even have ICMP setup on this just so you can check from an external source if ur even able to ping the ip. It's all working very well for me now. nslookup on the domain resolves both ip's and load balancing is working great.
A link to the image for full size:
http://m37offroading.ca/fullconfig.png
-
Thanks for ur Time.
But it doesn't work for me ;/
I have no floating rules… The rule is linked?? Yours isn't, what is this?
My pfSense version is 2.0.2-RELEASE i386.
I just want to have access to 8059 from the outside, over the Fritzbox WAN ;(
Without failover and only the Fritzbox connected it works fine ;(
-
If I set the Fritzbox WAN to default it works, but then every port forwarding on the Unitymedia WAN is unable to be reached :/
-
If I do this it works, with default on WAN… (pic)
I can't forward ports on WAN, I can do everything, it never works...
I am freaking out :D
-
Well I see a couple of things wrong:
Your gateway group: set both to Tier 1.
For the Firewall: NAT: Port Forward page, on the configuration of port 8059 go to the Filter rule association and make that None. Also NAT Reflection: Enabled (if you want to be able to access it from internal also).
Firewall: Rules, see mine above. See how I have rules on every NIC and a floating DNS failover rule; include all these rules.
Leave your gateways as no default, as it is in the screenshot.
This should work. I have successfully re-installed 2.0.1 -> upgraded to 2.0.2 and did my rules again and it all works perfectly with no trouble. If you need more help PM me your email and we can get you up and working.
The fix is above though, that works and was tested twice on 2 installs. :)
-
Okay, thank you.
I will try this tomorrow.
It's just failover, not load balancing, so Tier 1 and 2 is correct, or?
-
No that is not correct. Please Marv, follow my screenshots very carefully and match everything the same as your config. It will work! :)
-
Ty for your time, but I have to say that you are wrong ;/
Both on Tier 1 is load balancing; I then got two IPs when I checked my IP on the internet.
I installed pfSense again with CD now (before, I did this over memstick.img).
Now it works, why ever oO ::)
The only things I did after the new install were: setting the gateways on Tier 1 & 2, naming it Failover, adding a (one) NAT rule with associated firewall rule, and adding the Failover gateway in the "LAN to any" rule. Works.
But thank you for the help so far
-
Ok I figured out what is different from my other installations: I swapped the WAN interface in this installation.
If the 2nd WAN is the one with the higher priority in the gateway group all is ok; if the first WAN interface has the higher priority nothing works anymore.
That's truly a bug.
-
Marv! I am glad you figured it out… This is very much a bug and I have noticed the same thing... I was not 100% sure that was what was fixing it the first time I got it working.. Doing that the second time it did not work.. then I got my config that I have posted in reply 10 and it works great, with a re-install.. I just tried it AGAIN after you said this because I know for a FACT I had to do the same exact thing.