Port forwarding in dual WAN situation
-
Hi all,
Recently I've set up a dual WAN (2 different ISPs) for my network. By creating 3 different WAN tier levels, I managed to get load sharing + failover for each link.
I also created 2 incoming rules for a web service (just normal port forwarding rules on both WANs); everything looks fine, I can connect to either one of them externally, but I found one problem today. One of the optical devices on WAN1 was down due to a power interruption, so of course connecting to this IP externally won't work, but I soon figured out that connecting through WAN2 also wasn't working until I had my WAN1 connection restored.
So I would like to know, do I need to put some more rules or configuration somewhere else? Thanks.
-
Without seeing your rules it's impossible to say what needs to be changed.
-
Oops, sorry for that.
I've included the WAN/LAN settings page (WAN2 is 100% identical to WAN so I'm repeating it), any more detail needed?
-
If you're having a problem with two WANs you should probably post the rules for the two WANs. And the NAT rules for both WANs.
Your LAN rules have absolutely nothing to do with connections from WAN to LAN.
https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
-
But I guess outbound rules might also affect how packets go back to the external client?
Attached are the NAT rules for incoming and the outbound NAT.
-
Can anyone provide some hints?
-
It should work as you have it. What exactly didn't work and what did it tell you was wrong?
What pfSense version is that?
-
With both WANs connected, it's perfect, I can choose to connect to the server from either WAN IP.
But a few days ago, WAN disconnected because of a power failure; then I couldn't connect to the server even with WAN2 staying up, but inside the network, all outgoing connectivity was not affected.
-
That makes no sense. What does "couldn't connect" mean? What was the error? Did you do any other debugging, like telnet or s_client connecting to the TCP port?
-
The client side will simply get a connection timed out error when one of the WANs goes down.
-
How are they changing IPs? Dynamic DNS takes time to change over. Clients will have to reconnect regardless.
-
I bound the WAN IP to one domain, and the WAN2 IP to another domain, so if WAN/WAN2 goes down, there should be no problem resolving the IP.
So when WAN goes down, I use the domain name of WAN2, and still don't get any response until I put back the WAN connection, very weird….
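The debugging asked for above (what the client actually sees on each WAN path) is easier to pin down with an external probe that separates DNS problems from TCP behaviour. This script is an added example, not from the thread or from pfSense; the hostnames, expected IPs and port are placeholders to be replaced with your own two per-WAN names.

```bash
#!/usr/bin/env bash
# probe_wans.sh: test a port-forwarded service through each WAN path
# from outside and say whether a failure is DNS or a TCP timeout/refusal.
# Hostnames, expected IPs and port are placeholders, not from the thread.

PORT=443
CONNECT_TIMEOUT=5   # seconds; dropped SYNs show up as "timeout", RSTs as "refused"

# label, public hostname, IPv4 the DNS record is expected to carry
WANS="wan1 wan1.example.net 198.51.100.10
wan2 wan2.example.net 203.0.113.10"

# First IPv4 address of a name (a literal IPv4 passes through untouched).
resolve_v4() {
    case $1 in
        *[!0-9.]*) getent hosts "$1" 2>/dev/null | awk '$1 ~ /^[0-9.]+$/ {print $1; exit}' ;;
        *)         printf '%s\n' "$1" ;;
    esac
}

# TCP connect via bash's /dev/tcp under `timeout`: exit 0 = connected,
# 124 = no answer within CONNECT_TIMEOUT, anything else = refused/unreachable.
tcp_connect() {
    timeout "$CONNECT_TIMEOUT" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Classify one WAN path: prints "<label> open|dns-fail|dns-mismatch <ip>|timeout|refused".
probe_wan() {
    local label=$1 host=$2 expect=$3 ip rc
    ip=$(resolve_v4 "$host")
    [ -n "$ip" ] || { echo "$label dns-fail"; return 1; }
    [ "$ip" = "$expect" ] || { echo "$label dns-mismatch $ip"; return 1; }
    tcp_connect "$ip" "$PORT" && rc=0 || rc=$?
    case $rc in
        0)   echo "$label open"; return 0 ;;
        124) echo "$label timeout"; return 1 ;;
        *)   echo "$label refused"; return 1 ;;
    esac
}

# Probe every WAN; exit non-zero if any path fails, so cron or monitoring can alert.
main() {
    local rc=0 label host expect
    while read -r label host expect; do
        [ -n "$label" ] && { probe_wan "$label" "$host" "$expect" || rc=1; }
    done <<EOF
$WANS
EOF
    return $rc
}

[ "${1:-}" = "run" ] && main
```

Run it from a host outside both ISPs with `bash probe_wans.sh run`; a "timeout" on the surviving WAN while the other is down is the symptom described in the thread, whereas "dns-mismatch" would point at the DNS records instead of the firewall.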