Netgate Discussion Forum

    How to configure multiple WANs on one Uplink

      jvandeleur

      Hi all,

      I'm very new to pfSense, but got requested to configure one for the company.

      I've almost got everything configured, but am stuck at how to let all our WANs
      go through one uplink address. From what I am hearing, this should be possible
      to accomplish. I've tried looking it up on both the pfSense Guide as well as
      the forums, but since I can't find a related situation to mine, I hereby ask you
      guys for some help.

      What it looks like now (with example WAN IP's):

      WAN1: 000.000.000.58 with internal IP addresses on LAN1: 192.168.1.1 - 192.168.1.245
      WAN2: 000.000.000.61 with internal IP addresses on LAN2: 192.168.2.1 - 192.168.2.245
      WAN3: 000.000.000.59 with internal IP addresses on LAN3: 192.168.3.1 - 192.168.3.245

      The way I have it set up now is as follows:

      -First I configured all the interfaces, whereas I now have 3 WAN interfaces with Static IPv4
      addresses configured. Example: WAN1 interface has a static IP of 000.000.000.59 and an
      IPv4 Upstream Gateway: 000.000.000.57 (which would be the broadcast address for all WANs).

      The problems start right here, because I can't add this address to any more interfaces, because "it
      already exists", but isn't selectable from the drop-down menu. This is one of the reasons why we
      want one WAN interface to handle all three of our WAN addresses with one uplink address.

      So the question in short: is there a way to have one uplink/upstream address for all WANs.
      And if so, is there also a way to have just one WAN interface and three LAN interfaces in the
      following way:

      WAN interface must have an uplink/upstream gateway of: 000.000.000.57 for the following
      WAN addresses: 000.000.000.58, 000.000.000.59 and 000.000.000.61 whereas

      WAN1: 000.000.000.58 = for LAN1 interface w/ internal range of: 192.168.1.1 - 192.168.1.245
      WAN2: 000.000.000.61 = for LAN2 interface w/ internal range of: 192.168.2.1 - 192.168.2.245
      WAN3: 000.000.000.59 = for LAN3 interface w/ internal range of: 192.168.3.1 - 192.168.3.245

      WAN interface is not going to get a DHCP function, because it needs to be all three of the
      WAN addresses. The LAN interfaces are going to get the DHCP function for the ranges listed above.

      In other words

      • all traffic from the 192.168.1.x range must go through the WAN interface as
        000.000.000.58 and then through the uplink of: 000.000.000.57

      • all traffic from the 192.168.2.x range must go through the WAN interface as
        000.000.000.61 and then through the uplink of: 000.000.000.57

      • all traffic from the 192.168.3.x range must go through the WAN interface as
        000.000.000.59 and then through the uplink of: 000.000.000.57

      Can this be done, yes or no?

      If you need any more information, feel free to ask and I'll happily elaborate.

      Thank you very much in advance!

      Grtz,

      Jeff

        jammcla

        You need to use manual outbound NAT.

        One WAN interface and multiple LAN interfaces.

        First get down to 1 WAN connection.

        Second create Virtual IPs for the other IPs that you need on the WAN connection.

        Firewall -> Virtual IPs

        Create IP Alias for the other WAN IPs

        Third Create manual outbound NAT rules.

        Firewall->NAT and then the Outbound Tab.

          jvandeleur

          Hi Jammcla,

          Thanks for your input, however I've been told that I should rephrase my question in
          order to get good replies.

          So what we want is to have just one WAN interface to carry over 3 WAN IP addresses
          (in total 4, since the interface needs one as well).

          WAN interface static IP: xxx.xxx.xxx.62
          WAN distributed IP1: xxx.xxx.xxx.58 which would need to be connected to LAN
          interface 1, which should have DHCP on for a range of 192.168.1.10 to 192.168.1.245
          WAN distributed IP2: xxx.xxx.xxx.59 which would need to be connected to LAN
          interface 2, which should have DHCP on for a range of 192.168.2.10 to 192.168.2.245
          WAN distributed IP3: xxx.xxx.xxx.60 which would need to be connected to LAN
          interface 3, which should have DHCP on for a range of 192.168.3.10 to 192.168.3.245

          What I've done so far:

          I've configured the WAN interface as follows:

          Static IPv4
          IPv4 address: xxx.xxx.xxx.62
          IPv4 Upstream Gateway: xxx.xxx.xxx.57
          IPv6 none.


          I've configured the LAN interfaces as follows:

          Static IPv4
          IPv4 address: 192.168.1.1*
          IPv4 Upstream Gateway: none

          *For LAN2 I've used 192.168.2.1 and for LAN3 I've used 192.168.3.1


          Services>DHCP server

          WAN interface: disabled

          LAN interfaces: enabled, only filled in the ranges accordingly (i.e. for lan1
          192.168.1.10>192.168.1.245, for lan2 192.168.2.10>192.168.2.245, for lan3
          192.168.3.10>192.168.3.245).


          Made 3 virtual IP's:

          Type: Proxy ARP
          Interface: WAN
          IP Address(es): Type: Single
                                Address: xxx.xxx.xxx.58

          Type: Proxy ARP
          Interface: WAN
          IP Address(es): Type: Single
                                Address: xxx.xxx.xxx.59

          Type: Proxy ARP
          Interface: WAN
          IP Address(es): Type: Single
                                Address: xxx.xxx.xxx.60


          Last but not least, I configured the Outbound NAT as follows:

          Interface: WAN
          Proto: any
          Source: Type: Network
              Address: 192.168.1.0/24
          Destination: any
          Translation: xxx.xxx.xxx.58

          Interface: WAN
          Proto: any
          Source: Type: Network
              Address: 192.168.2.0/24
          Destination: any
          Translation: xxx.xxx.xxx.59

          Interface: WAN
          Proto: any
          Source: Type: Network
              Address: 192.168.3.0/24
          Destination: any
          Translation: xxx.xxx.xxx.60

          I know I've either done something wrong or I've forgotten about something,
          because what's happening now is that I can ping nearly every address from my
          LAN1 interface (which has the 192.168.1.1 range) but not from the other LAN
          interfaces.

          Example: from LAN1 interface I can ping the following addresses:

          xxx.xxx.xxx.62
          192.168.1.1
          192.168.2.1
          192.168.3.1

          Another thing that is happening is that I can use all three
          gateways on the LAN1 interface to get into the WebConfigurator
          (so instead of just being able to connect via 192.168.1.1, I can
          also connect using 192.168.2.1 and 192.168.3.1).

          Now, when I switch interface however to LAN2 or LAN3, I am
          not able to ping any IP address, not even the "gateway" addresses
          and I can't log into the WebConfigurator.

          Example:

          From the LAN2 interface (with range 192.168.2.10>192.168.2.245)
          I can't ping the following addresses:

          xxx.xxx.xxx.62
          192.168.1.1
          192.168.2.1
          192.168.3.1

          Also, now I can only log into the WebConfigurator via 192.168.2.1, not via 1.1 or
          3.1, which is what I want.

          It seems to me now that it kinda works, but only on the first LAN interface, since that's
          the interface where I can ping every IP. What seems off though is that from that first
          LAN1 interface (192.168.1.1 range) I can use 192.168.1.1, 192.168.2.1 and 192.168.3.1 to
          log into the WebConfigurator, as if all IP's are connected to that interface somehow.

          Can someone please explain what I'm doing wrong here?

          Thanks :)

            ashima

            Hi jvandeleur,

            Have you created firewall rules for LAN2 and LAN3 as in LAN1? By default, pfSense creates a pass rule for the 1st LAN interface. For other LANs you have to create them manually. (Just copy the rules from LAN1 and make appropriate changes.) I think this is what you are missing.

            Ashima
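
The checks this thread ends up needing, as an added example (not from any poster and not pfSense's own code): a small Python model of the setup that flags a LAN with no outbound NAT rule, a NAT target that is not an address on WAN, or no pass rule on its interface. The dictionary layout and the 203.0.113.x addresses are constructed stand-ins for the masked values in the posts.

```python
import ipaddress

# Constructed model of the setup in the thread (not a pfSense file format).
# 203.0.113.x stands in for the masked xxx.xxx.xxx.x public addresses.
CONFIG = {
    "wan_ip": "203.0.113.62",
    "virtual_ips": ["203.0.113.58", "203.0.113.59", "203.0.113.60"],
    "lans": {"LAN1": "192.168.1.1/24", "LAN2": "192.168.2.1/24",
             "LAN3": "192.168.3.1/24"},
    "outbound_nat": [  # evaluated top-down, first match wins
        {"source": "192.168.1.0/24", "translation": "203.0.113.58"},
        {"source": "192.168.2.0/24", "translation": "203.0.113.59"},
        {"source": "192.168.3.0/24", "translation": "203.0.113.60"},
    ],
    # State before the fix: only LAN1 carries a pass rule.
    "pass_rules": [{"interface": "LAN1", "source": "192.168.1.0/24"}],
}

def egress_address(cfg, host):
    """Return the public address a LAN host is translated to, or None."""
    ip = ipaddress.ip_address(host)
    for rule in cfg["outbound_nat"]:
        if ip in ipaddress.ip_network(rule["source"]):
            return rule["translation"]
    return None

def audit(cfg):
    """List (interface, problem) pairs that would stop a LAN from working."""
    findings = []
    on_wan = set(cfg["virtual_ips"]) | {cfg["wan_ip"]}
    for name, addr in cfg["lans"].items():
        net = ipaddress.ip_interface(addr).network
        nat = [r for r in cfg["outbound_nat"]
               if net.subnet_of(ipaddress.ip_network(r["source"]))]
        if not nat:
            findings.append((name, "no outbound NAT rule"))
        elif nat[0]["translation"] not in on_wan:
            findings.append((name, "NAT target is not an address on WAN"))
        allowed = any(r["interface"] == name
                      and net.subnet_of(ipaddress.ip_network(r["source"]))
                      for r in cfg["pass_rules"])
        if not allowed:
            findings.append((name, "no pass rule on interface"))
    return findings

if __name__ == "__main__":
    for finding in audit(CONFIG):
        print(*finding, sep=": ")
```
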

              chris4916

              The reason why you need multiple WAN interfaces is not clear to me.
              I can easily understand that you may need multiple public IP addresses but if all belong to same subnet, all you need is one unique default gateway.
              If not, then please explain again because for the time being, I'm lost with your design  :-[

              Jah Olela Wembo: Words turn into wounds when they upset, attack or hurt.

                jvandeleur

                Hi Ashima,

                Thank you very much for your reply. It now works perfectly! Every LAN interface now has different
                IP ranges and go through one WAN interface as separate WAN IP addresses!

                Chris4916, I might have explained it the wrong way. I didn't want multiple WAN interfaces. I just wanted one WAN interface with multiple WAN IP addresses going through it for the different LAN interfaces.

                So now I have just one WAN interface with a static IP of xxx.xxx.xxx.62.
                Through this interface I have virtualized 3 WAN IP's: xxx.xxx.xxx.58 for LAN interface 1 (with internal range 192.168.1.0);
                xxx.xxx.xxx.59 for LAN interface 2 (with internal range 192.168.2.0);
                xxx.xxx.xxx.60 for LAN interface 3 (with internal range 192.168.3.0).

                So all LAN interfaces go through one WAN interface, but as separate WAN IP's, which is what I wanted :)

                Do you now understand what I mean? If not, just let me know and I might be able to clarify in another way :)

                In any case, it's working now thanks to multiple inputs from multiple users and forums, for that thank you!

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.