Outbound NAT : Working only on the first interface
-
pfSense Version : 2.1.4-RELEASE(amd64)
Hello everyone,
I have a problem with Outbound NAT
It's on an ESXi server, at OVH. I have 2 RIPE blocks of /30 (4 IPs).
They each have a virtual MAC address that is attributed by OVH. Each IP is an adapter in ESXi, each one with its OVH MAC (00:50:56:xxx).
So in pfSense I have :
em0 + em1 : LAN
em2 + em3 + em4 + em5 + em6 + em7 + em8 + em9 : WAN
For the em2 to em9 interfaces, I have a startup script that adds routes
to the OVH gateway :
route add -net 3FIRSTBLOCKSOF-ESXIIP.254 -iface em2
route add default 3FIRSTBLOCKSOF-ESXIIP.254
Rinse and repeat for every other WAN interface (em3, em4, etc.)
I got NAT from outside working to LAN ip, which is great
But the problem as stated is for outbound NAT
I want to set a default rule for my LAN block : 172.16.0.0/12 for outgoing
from the first interface, and for individual LAN ip, maybe another outgoing
IP from other em WAN interfaces.
The main concern is.. for testing, if I set an outbound NAT with the first
WAN interface (em2) for all my LAN netblock (172.16.0.0/12), all is going
great.. I'm getting internet on my LAN clients.
The moment I select another outgoing interface in the dropdown menu "Interface",
internet is dropping from my LAN clients, and when I make traceroutes I can go
to the pfSense gateway but after that there is only * * * in the traceroute for 30 hops.
Any idea what is happening ?
Sorry, I searched but didn't find any interesting results.
I'm a beginner in pfSense, I was using Shorewall before and used the masq file and all
was going great.
Thanks for considering my question
Regards,
Tom -
It's still going out the same way, just not being NATed after you moved the NAT rule. NAT strictly defines translations, when traffic is on X interface, do Y. It has no influence on where traffic goes. The recording of the last hang out would probably be useful, as I walked through that type of scenario with multi-WAN NAT. Also gone through in great detail in the 2.1x book. Both available for immediate download after purchase of gold subscription. https://portal.pfsense.org/gold-subscription.php
Though your scenario is a bit unusual because of the way things work with OVH. You don't actually have multi-WAN in this case. Just NAT using the additional WANs' IPs, but using only WAN as that should be your only egress interface in that situation.
There may be additional complications inherent in that setup because of the weird deal of adding NICs to add IPs (which doesn't happen in most any other scenario), as you're going to end up with asymmetric traffic. That gets potentially very complicated depending on specifics, more than I have time to get into here. Definitely something we could go over with you in detail under our support subscription. Nothing insurmountable, it's just complicated because of OVH's setup.
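To make cmb's point concrete ("NAT strictly defines translations ... It has no influence on where traffic goes"), here is a small model added for this thread, not code from pfSense or from any poster: a route lookup picks the egress interface first, and only then are outbound NAT rules for that interface consulted, so a rule bound to em3 never matches while the default route still points out em2. The interface names and the 172.16.0.0/12 LAN come from the thread; the public addresses and the remote host are constructed placeholders.

```python
import ipaddress

# Constructed routing table modelled on the thread: LAN on em0, the single
# default route pointing at the OVH gateway out em2.
ROUTES = {
    ipaddress.ip_network("172.16.0.0/12"): "em0",   # LAN
    ipaddress.ip_network("0.0.0.0/0"): "em2",       # default via OVH gateway
}

def egress_interface(dst):
    """Longest-prefix match. Routing alone decides where the packet leaves."""
    dst = ipaddress.ip_address(dst)
    best = max((n for n in ROUTES if dst in n), key=lambda n: n.prefixlen)
    return ROUTES[best]

def apply_outbound_nat(rules, iface, src):
    """Outbound NAT rules are evaluated only against the interface the packet
    is actually leaving on. A rule bound to another interface never matches,
    and an unmatched packet leaves with its private source address."""
    src = ipaddress.ip_address(src)
    for rule in rules:
        if rule["interface"] == iface and src in rule["source"]:
            return rule["translate_to"]
    return str(src)

def send(rules, src, dst):
    """Return (egress interface, source address as seen on the wire)."""
    iface = egress_interface(dst)
    return iface, apply_outbound_nat(rules, iface, src)

LAN = ipaddress.ip_network("172.16.0.0/12")
# Placeholder public addresses standing in for the IPs of the two OVH /30 blocks.
WAN1_IP, WAN2_IP = "198.51.100.2", "203.0.113.2"
REMOTE = "192.0.2.10"  # constructed Internet host

# The OP's failing attempt: rule moved to em3 while em2 still holds the default route.
BROKEN = [{"interface": "em3", "source": LAN, "translate_to": WAN2_IP}]
# cmb's advice: em2 stays the only egress; translate to the other block's IP there.
# (Replies to WAN2_IP then arrive on the NIC carrying that OVH MAC, which is the
# asymmetric-traffic complication mentioned in the thread.)
FIXED = [{"interface": "em2", "source": LAN, "translate_to": WAN2_IP}]

if __name__ == "__main__":
    print(send(BROKEN, "172.16.0.5", REMOTE))  # ('em2', '172.16.0.5'): private source leaks out, no replies
    print(send(FIXED, "172.16.0.5", REMOTE))   # ('em2', '203.0.113.2')
```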
-
Hello cmb,
Thanks for your answer
I'll get a second look
and
I'll ask my CFO about the paid support subscription ;-)
Regards,
Tom -
Hello Raks,
I've faced the same problem. If you have some info, share it please.
Thank you.
Regards,
Roman. -
Hi there,
Have you found a solution to your problem? I'm in the same scenario. I've got an OVH server with 4 failover IPs, 4 WAN interfaces on pfSense.
All my outbound traffic goes out through the first WAN1 interface. I've tried outbound NATting but my traffic won't go out from interface WAN2 or the others.
If you've found a solution that would be great!
Cheers,
Ram