Netgate Discussion Forum

    Port forwarding in dual WAN situation

    • edwardwong

      Hi all,

      Recently I've set up a dual WAN (2 different ISPs) for my network. By creating 3 different WAN tier levels, I managed to get load sharing + failover for each link.

      I also created 2 incoming rules for a web service (just normal port forwarding rules on both WANs). Everything looks fine and I can connect to either one of them externally, but I found one problem today. One of the optical devices on WAN1 was down due to a power interruption. Of course connecting to this IP externally won't work, but I soon figured out that connecting through WAN2 was also not working until I had my WAN1 connection restored.

      So I would like to know, do I need to put some more rules or configuration somewhere else? Thanks.

      • Derelict LAYER 8 Netgate

        Without seeing your rules it's impossible to say what needs to be changed.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • edwardwong

          Oops, sorry for that.
          I've included the WAN/LAN setting page (WAN2 is 100% identical to WAN so I'm repeating it), any more detail needed?

          [Attached images: WAN.png, LAN.png]

          • Derelict LAYER 8 Netgate

            If you're having a problem with two WANs you should probably post the rules for the two WANs.  And the NAT rules for both WANs.

            Your LAN rules have absolutely nothing to do with connections from WAN to LAN.

            https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

            • edwardwong

              But I guess outbound rules might also affect how packets go back to the external client?

              Attached are NAT rules for incoming and the outbound NAT

              [Attached images: NAT.png, outbound.png]

              • edwardwong

                Can anyone provide some hints?

                • Derelict LAYER 8 Netgate

                  It should work as you have it.  What exactly didn't work and what did it tell you was wrong?

                  What pfSense version is that?

                  • edwardwong

                    With both WANs connected, it's perfect; I can choose to connect to the server from either WAN IP.
                    But a few days ago, WAN disconnected because of a power failure, and then I couldn't connect to the server even with WAN2 staying there, but inside the network, all outgoing connectivity was not affected.

                    • Derelict LAYER 8 Netgate

                      That makes no sense.  What does "couldn't connect" mean?  What was the error?  Did you do any other debugging, like telnet or s_client connecting to the TCP port?

                      • edwardwong

                        The client side will simply get a connection timeout error when one of the WANs goes down.

                        • Derelict LAYER 8 Netgate

                          How are they changing IPs?  Dynamic DNS takes time to change over.  Clients will have to reconnect regardless.

                          • edwardwong

                            I bind the WAN IP to one domain, and the WAN2 IP to another domain, so if WAN/WAN2 goes down, there should be no problem resolving the IP.
                            So when WAN goes down, I use the domain name of WAN2, but still don't get any response until I put back the WAN connection. Very weird…
