[SOLVED] Manual Outbound NAT and Gateway Groups
-
I have a fairly stable pfSense installation running with two WAN nics. WAN1 and WAN2.
WAN1 is used for main internet access at the office, while WAN2 is used to access only a certain range of IPs (let's call it x.x.x.x/24).
The reason for this is that we need a better internet access to route traffic for one of our clients. I also have "Manual Outbound NAT" enabled, because my VoIP (FlowRoute) required it so I could connect using a static port to them.
I have the default gateway set as WAN1, and have a static route for x.x.x.x/24 configured to use WAN2. In addition, I have an outbound NAT rule configured to NAT using WAN2 when the destination matches x.x.x.x/24.
This works great, but when WAN2 goes down, I have to manually change both the route and the NAT rule to use WAN1 instead.
I started researching Gateway Groups to tackle this. I configured a Gateway Group with WAN2 as Tier 1, and WAN 1 as Tier 1. However, I can't find how to change my outbound NAT rule (or the static route) to properly use this group.
Thank you in advance.
-
WAN2 as Tier 1, and WAN 1 as Tier 1
I guess you really intend:
WAN2 as Tier 1, and WAN 1 as Tier 2
There is no need for a static route. The gateway group controlled policy-routing effectively does that for you, "moving" the "route" automagically.
You need outbound NAT on both WANs, it can stay the same on both and will just be used when matching traffic happens to come along. In fact, you could just go back to automatic outbound NAT - then whatever traffic happens to be routed out whatever WAN according to the rules, will get NAT applied. A broad general NAT rule does no harm, it does not actually make any traffic route to the WANs concerned.
-
Also, if you want most traffic to go out WAN1 and specific traffic to go out WAN2 unless one or the other is down, then send everything over the other, you can make two gateway groups. One with WAN1 as Tier 1 and WAN2 as Tier 2, say WAN1_WAN2, and another gateway group with WAN1 as Tier 2 and WAN2 as Tier 1, call it WAN2_WAN1.
Then you would policy route your specific /24 out WAN2_WAN1 followed by your general rule with WAN1_WAN2 specified. Both will use their tier 2 connection if their tier 1 has problems.
All you need regarding NAT is for each interface to have an entry for the proper source addresses and NAT addresses. The entry only gets used if the traffic is routed out that interface.
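As an added illustration (not pfSense code and not from any poster in this thread), here is a small Python model of the policy-routing and NAT logic described in the two replies above: two tiered gateway groups, a rule for the client /24 placed ahead of a catch-all, and one outbound NAT entry per WAN that is only consulted once traffic has been routed out that interface. The gateway names, LAN range and WAN addresses are constructed placeholders, and 203.0.113.0/24 stands in for the thread's x.x.x.x/24.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the two-WAN setup (assumed names, not a real config).
GATEWAYS = {"WAN1_GW": "wan1", "WAN2_GW": "wan2"}   # gateway -> egress interface

# Gateway groups: (gateway, tier); the lowest tier that is up wins.
GATEWAY_GROUPS = {
    "WAN1_WAN2": [("WAN1_GW", 1), ("WAN2_GW", 2)],
    "WAN2_WAN1": [("WAN2_GW", 1), ("WAN1_GW", 2)],
}

# LAN policy-routing rules, first match wins: the specific /24 must come
# before the catch-all, otherwise the catch-all would swallow it.
POLICY_RULES = [
    (ip_network("203.0.113.0/24"), "WAN2_WAN1"),   # placeholder for x.x.x.x/24
    (ip_network("0.0.0.0/0"), "WAN1_WAN2"),        # everything else
]

# Outbound NAT: one entry per interface, (source range, address to NAT to).
NAT_RULES = {
    "wan1": (ip_network("192.168.1.0/24"), "198.51.100.1"),
    "wan2": (ip_network("192.168.1.0/24"), "198.51.100.2"),
}


def pick_gateway(group, up):
    """Return the lowest-tier gateway in `group` whose monitor reports it up,
    or None when every member is down (modelled here simply as 'no path')."""
    for gw, _tier in sorted(GATEWAY_GROUPS[group], key=lambda m: m[1]):
        if up.get(gw, False):
            return gw
    return None


def route(src, dst, up):
    """Simulate LAN -> Internet egress for one flow.

    `up` maps gateway name -> bool (monitor state). Returns a tuple
    (egress interface, NAT source address or None), or None if no path.
    The NAT entry is applied only if the flow was routed out that interface
    AND its source falls in the entry's source range."""
    src, dst = ip_address(src), ip_address(dst)
    for net, group in POLICY_RULES:
        if dst in net:
            gw = pick_gateway(group, up)
            if gw is None:
                return None
            iface = GATEWAYS[gw]
            lan_net, nat_ip = NAT_RULES[iface]
            return (iface, nat_ip if src in lan_net else None)
    return None
```

Flipping WAN2_GW to down in `up` shows the client /24 silently falling back to wan1 and picking up wan1's NAT entry, which is exactly the manual route-plus-NAT change the original poster wanted to avoid.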
-
Thank you for the answers, got it working as suggested.