Netgate Discussion Forum

    2 WAN - 2 LAN - Portforwarding

    Routing and Multi WAN
      skalvaro

      Why don't you simply create a rule on LAN2 to allow the traffic from the Client (LAN2) to the TestServer (LAN1)?
      Is it really needed to go over the internet for your testing purposes?

      BTW: Gateways should be set on the WAN side.
      What are your addresses on WAN1 and WAN2? Are these dynamically assigned public addresses from your ISPs?

        endy66

        For application development I need a real-world scenario, that's the reason why I should go over the internet, if it is possible. But as I said, there seems to be a problem with the gateways for each LAN.

        WAN1 is dynamically set by ISP (Cable connection), and WAN2 has a Static IP from my ISP (ADSL Connection).

        Greetings

          skalvaro

          Here is what I have set up:
          Gateways applied on the WAN interfaces, not on the LAN interfaces.
          For each firewall rule that I want to go out a specific WAN interface I explicitly set the Gateway on that firewall rule.
          Port Forwarding is applied on the WAN interface in question.

          What you could try is the following:
          Find your upstream WAN2 gateway from the static ADSL Connection.

          On System>Routing>Gateways:
          • Create a WAN2GW gateway with the information retrieved from your ADSL Connection provider. --> This will be used in the rule as Gateway
          • Check if you see a WAN1_DHCP entry here which gives you your current WAN1 address. --> This will be used in the rule as the Destination IP

          On Firewall>Rules>LAN2:
          • Create a rule with your Client as Source and your current WAN1 address as Destination. In the Extra Options section, under Advanced, select the WAN2GW.

          On Firewall>NAT>Port Forward:
          • Create a rule making sure you select as Interface WAN1 and as Destination 'WAN1 address', select your protocol and port options as needed and for 'Redirect target IP' enter the IP of the TestServer.

          You should now be able to connect to your TestServer using the Public WAN1 address.

          If this works and you need this setup for a longer time you could think of using 'Dynamic DNS' on WAN1 so you don't need to check your WAN1 address and change the rule whenever your Cable connection gets a new address from your ISP.
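
The three GUI steps in the post above, written out as the kind of pf rules they correspond to. This is an added illustration, not part of the original post and not the ruleset pfSense generates verbatim; the interface names, addresses and TCP port 80 are constructed assumptions.

```pf
# Constructed interface names and documentation-range addresses (assumptions).
wan1_if    = "em0"            # WAN1: cable, address assigned by DHCP
wan2_if    = "em1"            # WAN2: ADSL, static address
lan2_if    = "em3"            # LAN2
wan1_gw    = "198.51.100.1"   # WAN1 upstream gateway (hypothetical)
wan2_gw    = "203.0.113.1"    # WAN2GW from the ADSL provider (hypothetical)
client     = "192.168.2.10"   # Client on LAN2 (hypothetical)
testserver = "192.168.1.10"   # TestServer on LAN1 (hypothetical)

# Firewall > NAT > Port Forward: interface WAN1, destination "WAN1 address".
# ($wan1_if) in parentheses follows the interface's current DHCP address.
rdr on $wan1_if inet proto tcp from any to ($wan1_if) port 80 -> $testserver

# Filter rule that goes with the port forward; reply-to keeps the answers
# leaving through WAN1, the interface the connection arrived on.
pass in quick on $wan1_if reply-to ($wan1_if $wan1_gw) inet proto tcp \
    from any to $testserver port 80 keep state

# Firewall > Rules > LAN2 with gateway WAN2GW: route-to forces the client's
# traffic for the WAN1 address out through WAN2 instead of being delivered
# locally, so the test really crosses the Internet.
pass in quick on $lan2_if route-to ($wan2_if $wan2_gw) inet proto tcp \
    from $client to ($wan1_if) port 80 keep state
```

Because the test traffic leaves through WAN2's static address, the `from any` in the two WAN1 rules can be narrowed to that address so the TestServer is not exposed to the whole Internet.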

            endy66

            Thank you, I will try that tomorrow and report back.

            Greetings

              endy66

              OK, this works like a charm, thank you very much! But now I have figured out a new problem:

              I have different port forwardings, like in this example:

              • Port 80 Forwarded on Interface WAN1 to LAN1
              • Port 443 Forwarded on Interface WAN2 to LAN1

              Now if my WAN1 Connection goes down, the Portforwarding (Port 443) on Interface WAN2 to LAN1 is not accessible anymore. What could this be?

              Greetings

                skalvaro

                Glad you got it working.

                > Now if my WAN1 Connection goes down, the Portforwarding (Port 443) on Interface WAN2 to LAN1 is not accessible anymore. What could this be?

                If you are trying to access it from one of your internal LAN addresses (LAN1 or LAN2) then my guess is that a basic security feature of pfSense is kicking in.
                When you try to access your internal server from within your LAN you most likely use the external address. Since WAN1 is down at that moment the packet goes out via WAN2 and gets routed back into WAN2. If this scenario applies to you then it is your basic LAND attack. https://en.wikipedia.org/wiki/LAND
                Your server should however still be reachable from outside of your LAN, so from the Internet.

                  endy66

                  The access from within my LAN via the external address is working fine; for that I have set Pure NAT. But when WAN1 goes down, the services aren't accessible from outside of the LANs, they are completely down.

                  Greetings

                    skalvaro

                    Sorry, but this situation puzzles me too.
                    I tried to reproduce it but when I disable my WAN1 I get the reverse effect. I can no longer access from inside LAN but access from outside (Internet) remains unaffected. Access to WAN2 and any forwarded services that is.

                    I'm afraid I can't assist you with this one  :(

                      endy66

                      And there is no solution to solve this reverse effect? Hmm, interesting that you can access from outside the LAN if WAN1 is down. How did you configure the WAN1 - LAN1 / WAN2 - LAN2 exactly? I think there is something different on my setup.

                        endy66

                        So after I have done a lot of testing, I think I have found the issue, but now I need help to solve this, because I am not that familiar with pfSense at the moment.

                        The problem that occurs is the following: if my WAN1 goes down, all clients inside LAN2 (which connects over WAN2 to the Internet) are not able to go online. As pointed out in my testing, this seems to be a DNS issue, so I have checked the DNS servers which are assigned by my ISP. If I go to Status -> Interfaces, the ISP DNS servers from BOTH WAN connections are shown on my WAN1 interface. My WAN2 interface does not have any DNS servers listed. Now I need a way to assign the DNS servers from ISP1 to my WAN1 connection, and the DNS servers from ISP2 to my WAN2 connection; then I think the connection from LAN2 -> WAN2 will work correctly, if it can take the assigned DNS server.

                        But how to do that?

                        Greetings

                          GSianos

                          Andy,
                          can you tell me exactly how to connect LAN1 to WAN1 and LAN2 to WAN2?

                          ITControl.gr
                          Everything is possible

                            endy66

                            I have added 2 more interfaces, then named them WAN2 and LAN2. On LAN1 I set the default gateway on the LAN Net to all rule to WAN1. On LAN2 I set the LAN2 Net to all rule to WAN2. Is this not the correct way to achieve this separate LAN-WAN connection?

                            Greetings

                              GSianos

                              Can you tell me step by step how to set on LAN2 the GW of WAN2 and the rule?

                              ITControl.gr
                              Everything is possible

                                endy66

                                Yes, for sure. OK, I go to:

                                Firewall -> Rules -> LAN2

                                and there I edited the "Default allow LAN2 to any Rule" and selected under Advanced Options -> Gateway my WAN2 Gateway.

                                I have done the same for the LAN1 - WAN1.

                                Now I go to System -> Routing and unchecked any default gateways, so no gateway is set as default. That's all I have done. I think I missed many more things to do?

                                Greetings

                                  GSianos

                                  thanks a lot man… it works perfect!!!! :D

                                  what is your problem exactly?

                                  ITControl.gr
                                  Everything is possible

                                    endy66

                                    No problem :). My issue is, if WAN1 goes down (to test I have unplugged the LAN cable to WAN1), LAN2 cannot resolve any DNS names anymore, so no internet access. Can you test this on your setup?

                                    Greetings

                                      GSianos

                                      I can't, 'cause my server is dedicated visualization.
                                      but you can't. if you connect WAN1 to LAN1 and WAN2 to LAN2, LAN1 can not see the WAN2.

                                      maybe you want third WAN (WAN3) as a fail-over for WAN1 and 2

                                      ITControl.gr
                                      Everything is possible

                                        endy66

                                        No, you misunderstood :). I don't want failover. If WAN1 goes down, then it is OK that LAN1 is offline! But my problem is that if WAN1 goes down, LAN2 also has no Internet connection, because there seems to be an issue with DNS resolution. If you unplug WAN1 on your pfSense, can you access the Internet from LAN2?

                                        Greetings

                                          GSianos

                                          Is your WAN1 checked as default
                                          in the System/Routing/Gateways?

                                          ITControl.gr
                                          Everything is possible

                                            endy66

                                            No, I haven't set any gateway as default. Do you set a default gateway in your setup?

                                            Greetings

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.