How to do use this NAT?
-
No idea based on that description. Sorry. Please post more details.
-
Sorry.
WAN1 -- 192.168.15.2/24 and gateway set to 1.2.3.254
WAN1 have five CARP IPs.
WAN2 -- 192.168.20.2/24 and gateway set to 5.6.7.254
WAN2 have file CARP IPs.
LAN1 -- 192.168.0.0/24
LAN2 -- 192.168.10.0/24
Outbound NAT set LAN1 to WAN2 CARP IP. Set LAN2 to WAN1 CARP IP.
I set default gateway as WAN2.
It's only LAN1 user can go to internet. LAN2 user can't go to internet.
If I set default gateway is WAN1.
It's only LAN2 user can go to internet. LAN1 user can't.
How to set it? -
You do not route traffic with Outbound NAT rules. You route traffic with policy routing rules.
Set your Outbound NAT for all inside source addresses on both WANs to the proper CARP VIP.
Policy routing determines what traffic flows out which interface.
https://docs.netgate.com/pfsense/en/latest/book/multiwan/policy-routing-configuration.html#policy-routing-configuration
-
So in addition to setting the Outbound NAT to the CARP IP, also set the Gateway in LAN1 and LAN2's Rules, right?
-
Hello,
I has set finish all WAN and LAN setting and success it. But I have another problem. I set openvpn on it and click on redirect ipv4 gateway this option. But when client connect openvpn server. It's can't go to internet. If I click off redirect ipv4 gateway. It's can go to internet. But it's use original IP. I has set firewall rules all allow for OPENVPN tab. Could any loss another setting? -
Outbound NAT for the tunnel network source addresses. Again, the NAT address should be the CARP VIP just like for any other inside network.
You also need to pass all traffic on the OpenVPN firewall rules.
-
Thanks a lot. I have another question. I has set some NAT setting.
NAT Reflection mode --> PureNAT
Enable NAT Reflection for 1:1 NAT --> check on.
Enable automatic outbound NAT for Reflection --> check on.
But user can't browser intranet web page when this web page resolve IP is CARP IP.Could I miss another setting? -
Doesn't sound like it. Split DNS is generally considered a more effective solution.
But it depends. You'll have to post everything including the firewall rules for the interface the users are sourcing from.
-
I got some pic about firewall rules.
Please see attachment.
I have not set any block rules. Could have any problem? -
What, specifically, is not working?
