Netgate Discussion Forum

Multiple GW and ISP

General pfSense Questions
  • T
    tomli
    last edited by Oct 28, 2020, 9:11 AM

    Hi All,
    pfSense version: 2.4.5-P1
    Network Diagram
    [image: network diagram]

    Users come in from ISP2. Can I configure pfSense to route the traffic through Router2? Please advise.

    • S
      stephenw10 Netgate Administrator
      last edited by Oct 28, 2020, 3:46 PM

      How is the user connecting? Through a VPN server on WAN2?

      Yes, you can probably policy route their traffic back out via WAN2 if you need to.

      Steve

      • T
        tomli
        last edited by Oct 28, 2020, 10:20 PM

        It is not a VPN connection. The user opens the browser and enters http://isp2 public ip/, then router2 passes the traffic to pfSense.

        I don't want to do SNAT in router2. Would you mind showing me how to do policy routing?

        Thanks.

        • J
          johnpoz LAYER 8 Global Moderator
          last edited by Oct 28, 2020, 10:51 PM

          So pfsense doesn't really know about ISP 2? It just has a gateway to ISP 1 router?

          Or are these 2 wan connections in pfsense?

          I take it router 1 is like 192.168.1.1 and router 2 is 192.168.1.X?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • T
            tomli
            last edited by Oct 28, 2020, 11:45 PM

            > So pfsense doesn't really know about ISP 2? It just has a gateway to ISP 1 router?

            **Yes. pfsense configured Gateway only.**
            **isp1 (default gateway)**
            **isp2 (gateway)**

            **Ipv4 Gateway: Automatically**

            > Or are these 2 wan connections in pfsense?

            1 wan connection in pfsense (wan: 192.168.1.x)

            > I take it router 1 is like 192.168.1.1 and router 2 is 192.168.1.X?

            Correct

            • J
              johnpoz LAYER 8 Global Moderator
              last edited by Oct 29, 2020, 1:01 AM

              Well, the only way you could do what you want is to know what the source IP is going to be, and route back through isp2. Or source NAT so it looks like it came from router 2.

              If you create 2 WAN connections in pfSense, then you can do what you want. But if pfSense only has 1 WAN, no, you can't.

              • S
                stephenw10 Netgate Administrator
                last edited by Oct 29, 2020, 6:54 PM

                Not clear why you want to source NAT at all here......

                Do you mean you want users who connect to the webserver behind pfSense via the ISP2 public IP to get replies back via that WAN?

                Generally that will happen by default anyway.

                What are you seeing happen currently that isn't what you want?

                Steve

                • T
                  tomli
                  last edited by Oct 29, 2020, 11:40 PM

                  1. router1/2 cannot set SNAT. It is because my web server cannot get the user's real source IP in my web access log.

                  2. User from isp1 - router 1, pfsense will go back to router 1. User from isp2 - router2, pfsense will go back to router2.

                  • J
                    johnpoz LAYER 8 Global Moderator
                    last edited by johnpoz Oct 30, 2020, 12:03 AM Oct 30, 2020, 12:02 AM

                    Just create another interface on pfsense for router2, and it will work like you want out of the box..

                    pfSense will do reply-to when it has 2 interfaces. But since traffic is coming into the same interface from 2 different sources, I do not believe pfSense will send traffic back to the MAC address of router2 when the source of traffic is some public IP.

                    I know of no way to ensure that is what happens. So just set up a 2nd WAN. Use a VLAN if you must. What switch do you have between router1 and 2 and the pfSense WAN? As long as it supports VLANs, it takes 2 minutes to set up the 2 WANs.

                    • S
                      stephenw10 Netgate Administrator
                      last edited by Oct 30, 2020, 2:23 AM

                      Yup, that^. Just use two interfaces in pfSense and that will be the default behaviour.

                      Otherwise reply-to uses the gateway defined on the interface.

                      Steve
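
The reply-to behaviour discussed in this thread, sketched as pf rules. This is an added example, not taken from the thread and not pfSense's actual generated ruleset. The interface names, the VLAN numbers, the 192.168.2.0/24 subnet for router2 and the web server address 10.0.0.10 are assumptions for illustration.

```pf
# --- Single WAN, as in the original setup --------------------------------
# Both routers sit on the same segment as the pfSense WAN (em0, assumed).
# reply-to carries the gateway defined on the interface (router1), so
# replies to connections that arrived via router2 are still sent to router1.
pass in quick on em0 reply-to (em0 192.168.1.1) inet proto tcp \
    from any to 10.0.0.10 port 80 flags S/SA keep state

# --- Two WANs, one per router (VLANs on the same physical port) ----------
# em0.10 = WAN1 toward router1 (192.168.1.1)
# em0.20 = WAN2 toward router2 (192.168.2.1, assumed new subnet)
# The state created by each rule remembers that rule's reply-to gateway,
# so replies leave through the router the connection came in on.
pass in quick on em0.10 reply-to (em0.10 192.168.1.1) inet proto tcp \
    from any to 10.0.0.10 port 80 flags S/SA keep state
pass in quick on em0.20 reply-to (em0.20 192.168.2.1) inet proto tcp \
    from any to 10.0.0.10 port 80 flags S/SA keep state
```

No source NAT is involved on either path, so the web server's access log keeps the client's public IP. On a running system, `pfctl -sr | grep reply-to` shows which gateway each loaded rule actually carries.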
