Netgate Discussion Forum
    Traffic blocked even with any/any rules on both interfaces

    Firewalling
    41 Posts 4 Posters 11.2k Views

    johnpoz (LAYER 8 Global Moderator)

    Well, if you cannot even get to the internet, your rules are not going to work… If you say you cannot get to the internet from pfSense, how is an outbound route going to come into play?

    An intelligent man is sometimes forced to be drunk to spend time with his fools
    If you get confused: Listen to the Music Play
    Please don't Chat/PM me for help, unless mod related
    SG-4860 24.11 | Lab VMs 2.8, 24.11

    rjensen

    Agreed - but how do I figure out what the issue is? With a single WAN interface it works; as soon as I add the 2nd, all outgoing traffic fails.

    podilarius

    The rules you have posted for manual outbound NAT look wrong. You have multiple subnets using multiple interfaces. Simplify the rules a bit by putting different subnets on different external IP addresses. That is, unless you are more worried about inbound. Then 1:1 NAT would be advisable, with the default outbound for all sinners on only one address.

    rjensen

    I did just try that, and the result is that I still can't get to the internet now from any machines in the subnets I have changed outbound NAT for.
    In pfSense I also tried enabling a second WAN interface and changed all the outbound NAT rules to use that interface, but still no luck.

    One thing I keep seeing is that when I add a second interface it monitors the gateway and it gets no status:

    Name    Gateway      Monitor          Status           Description
    GW_WAN  xx.xx.xx.xx  Gathering data   Gathering data

    The first interface I added (the default gateway is set on this) works fine and it reports RTT and online status.
    Can this have an impact?

    podilarius

    It should report a status if it is set up correctly. If you manually ping the address it should fail also. My guess is that this has an impact if that is the interface you are trying to use. Did you use an IP address in the same range as WAN, or is that a completely different ISP/connection?

    rjensen

    The gateway is the same for all the IPs from the same ISP.

    My ISP allocates me 5 addresses on my ADSL bridge, which I then configure as 1 interface per IP on the pfSense (DHCP allocated).
    I have no static routes or other gateways defined elsewhere. pfSense has an OPT interface in my DMZ and a LAN interface for, well, LAN and management.

    podilarius

    Honestly, it sounds like you have a split-route problem which is creating a state problem. I am guessing that you are seeing dropped packets in the firewall logs. Have you tried proxy ARP yet?

    rjensen

    Have not tried proxy ARP - don't know if I can, as it seems to require a virtual IP (static IP), which I can't do as the IPs I get from the ISP have to be DHCP.

    But this is really strange…
    Now I deleted all the manual outbound NAT rules, switched back to automatic (I only had 1 WAN interface configured at the time), added a second WAN interface, created HTTPS NAT rules to 2 different machines internally on my DMZ (same subnet), and now it works...
    All DMZ machines go out on the same IP even though they have different inbound NAT rules.

    When switching back to automatic outbound NAT, is that equal to it keeping the settings from when I had a single WAN interface?
    But what's even stranger is that if I now, with 2 WAN interfaces, enable manual outbound NAT it continues to work - and I still have those 2 overlapping outbound NAT rules where my 192.168.190.x/24 looks like it has 2 outbound rules, one via each WAN interface.

    podilarius

    Basically, yes, the AON is equivalent to having only one WAN connection. If you want a server to use a particular IP, try 1:1 NAT and not manual outbound NAT. I would only use MON if you are going to map a whole subnet to a particular WAN.

    rjensen
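    As an added example (not code from this thread, from pfSense or from Netgate), a small audit of a manual outbound NAT rule set: in manual mode the rules are per interface, so a subnet with a rule on only one WAN leaves the other WAN with its private source address untranslated, which is one thing to check when a second WAN is added. The config fragment, interface names, subnets and the assumed `<nat><outbound>` layout are constructed placeholders, not values from the thread.

```python
"""Audit manual outbound NAT coverage in a pfSense-style config fragment."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed fragment shaped like pfSense's <nat><outbound> section (the layout
# is an approximation; interface names and addresses are placeholders).
SAMPLE_CONFIG = """<pfsense><nat><outbound>
  <mode>advanced</mode>
  <rule><interface>wan</interface><source><network>192.168.190.0/24</network></source>
        <destination><any/></destination><target/><descr>DMZ out WAN1</descr></rule>
  <rule><interface>opt2</interface><source><network>192.168.190.0/24</network></source>
        <destination><any/></destination><target/><descr>DMZ out WAN2</descr></rule>
  <rule><interface>wan</interface><source><network>192.168.1.0/24</network></source>
        <destination><any/></destination><target/><descr>LAN out WAN1</descr></rule>
</outbound></nat></pfsense>"""

# WAN-side interface names and internal subnets as the operator knows them (assumed).
WAN_INTERFACES = ("wan", "opt2")
INTERNAL_SUBNETS = ("192.168.1.0/24", "192.168.190.0/24")


def parse_outbound(xml_text):
    """Return (mode, {interface: [source networks or 'any']}) from the fragment."""
    outbound = ET.fromstring(xml_text).find("./nat/outbound")
    mode = outbound.findtext("mode", default="automatic")
    per_if = {}
    for rule in outbound.findall("rule"):
        net = rule.findtext("source/network")
        if net is None:
            continue
        key = "any" if net == "any" else ipaddress.ip_network(net, strict=False)
        per_if.setdefault(rule.findtext("interface"), []).append(key)
    return mode, per_if


def missing_coverage(xml_text, wans=WAN_INTERFACES, subnets=INTERNAL_SUBNETS):
    """(interface, subnet) pairs with no outbound NAT rule in manual mode.

    Traffic from that subnet leaving that WAN would go out untranslated.
    Automatic/hybrid mode generates per-WAN rules itself, so nothing is reported.
    """
    mode, per_if = parse_outbound(xml_text)
    if mode != "advanced":  # 'advanced' is the manual-rules mode in this layout
        return []
    gaps = []
    for wan in wans:
        for subnet in subnets:
            want = ipaddress.ip_network(subnet)
            rules = per_if.get(wan, [])
            if not any(r == "any" or want.subnet_of(r) for r in rules):
                gaps.append((wan, subnet))
    return gaps
```

    With the sample fragment the LAN subnet has a rule on `wan` only, so the audit reports `("opt2", "192.168.1.0/24")`; the DMZ subnet, which has a rule on each WAN, is the normal multi-WAN shape and is not reported.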

    And now I'm back to it not working again :)

    Decided to just have 1 pfSense for every external IP I have and then map 1:1 with a DMZ VLAN. Not pretty, but that I can get working.

    Thanks everyone for helping though!

    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.