Outbound packets through same gateway



  • Greetings,

    I'm trying to configure a pfsense router with two NICs, one of them in a subnet with two gateways to the internet, and another one on my LAN.

    Connections from my LAN hosts work perfectly, the problem is with incoming connections. When a connection comes from the second gateway, the NAT rules forward the connection to the server on the LAN, but then the reply from the server gets routed through the default GW, not the one from where the connection came. You can picture the scenario in the attached image.

    Is there a way to make the outgoing packets stick to the source gateway? I've tried tagging the packets with a rule when they come through the WAN, and then matching that tag when the reply comes in through the LAN interface, to no avail. And setting the gateway on the incoming packet on the WAN interface doesn't work either.

    Thanks in advance, Marcos.




  • @feirlane:

    Is there a way to make the outgoing packets stick to the source gateway?

    Yes, if you've got a way to let pfSense know which gateway the packets are coming from.

    It seems your pfSense has got just one WAN interface and is connected with the gateways via a switch. So how should pfSense know where the packets are coming from?
    But as you use private IP range on the WAN net, I assume you do double NAT. So you can do the trick by using different network ranges between the gateways and pfSense and assign both to pfSense WAN interface.
    Not a perfect solution, but should work this way.



  • Move one of those to a different interface and IP subnet. That's much cleaner in general anyway, and then the reply-to can appropriately handle return routing.



    First of all, thank you so much for your replies!

    Sadly I can't add more NICs to the firewall, so having multiple WAN interfaces is not an option.

    Assigning multiple IPs to the WAN interface could do the trick, but my employer wanted to set up CARP on both sides of the firewall. Does this mean I'd have to create a CARP interface for each gateway, and one for the LAN?

    Given that I am already configuring the NAT rule on the firewall (firewall_port->internal_host:internal_port), would a rule on the LAN filter (internal_host:internal_port->specific_gateway) do the trick? This way I'd only have two CARP interfaces independently of how many gateways I'll have in the future, which will probably be more than two.

    Thanks!



  • Yes, I assumed that you have no free NIC. So the only solution I know, is the dirty one mentioned above.

    @feirlane:

    would a rule on the LAN filter (internal_host:internal_port->specific_gateway) do the trick?

    No, this only affects outbound connections, but not response packets to inbound.

    As said above, put each gateway in a different subnet, e.g.
    GW1: 192.168.1.1/30
    GW2: 192.168.1.5/30

    Change your pfSense WAN interface to 192.168.1.2/30 for the subnet of GW1 and add as virtual IP 192.168.1.6/30 for GW2.
    Now you can add separate filter rules for each WAN address and tag the packets coming in GW2 to direct responses back.



  • @viragomann:

    Change your pfSense WAN interface to 192.168.1.2/30 for the subnet of GW1 and add as virtual IP 192.168.1.6/30 for GW2.
    Now you can add separate filter rules for each WAN address and tag the packets coming in GW2 to direct responses back.

    That won't work to address reply-to though. Must be either a separate physical interface, or a tagged VLAN would work as well. No other option for proper reply-to functionality.
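
The separate-interface approach from the last two replies, written out as a FreeBSD pf.conf sketch. This is an added example, not configuration posted in the thread or generated by pfSense; the interface names (em0, em1), the VLAN IDs 10 and 20 and the internal server address 10.0.0.10 are assumptions for illustration, and the /30 addressing follows viragomann's suggestion above. The point is the reply-to option: pfSense adds it to rules on an interface that has a gateway, using that interface's gateway, which is why each upstream gateway needs its own interface (physical or 802.1Q VLAN) rather than a second address on one WAN. The tag-on-WAN, match-on-LAN idea from the first post cannot steer the replies because a server reply that matches an existing state never reaches the ruleset; the state decides where it goes, and reply-to is what records that decision on the state when the inbound packet creates it.

```pf
# Added example, not from the thread. Hand-written pf.conf for the
# "one NIC, one VLAN per gateway" layout. Interface names, VLAN IDs
# and the server address are assumptions.
#
# em0 carries two tagged VLANs, one per upstream gateway, so pf sees
# two interfaces (em0.10, em0.20) and can bind a gateway to each.
# In pfSense this is Interfaces > Assignments > VLANs plus two WAN
# assignments; the GUI then adds reply-to to the WAN rules itself.

wan1 = "em0.10"        # VLAN 10, GW1 side, pfSense address 192.168.1.2/30
wan2 = "em0.20"        # VLAN 20, GW2 side, pfSense address 192.168.1.6/30
lan  = "em1"
gw1  = "192.168.1.1"
gw2  = "192.168.1.5"
web  = "10.0.0.10"     # assumed internal server

# Port forward for the service, one per WAN address. ($wan1) means
# "whatever address is on that interface", so it follows CARP/VIP changes.
rdr on $wan1 inet proto tcp from any to ($wan1) port 443 -> $web port 443
rdr on $wan2 inet proto tcp from any to ($wan2) port 443 -> $web port 443

# reply-to (interface gateway) is stored on the state created by the
# inbound SYN. Replies from $web that match that state are sent out the
# named interface to the named gateway, regardless of the default route.
pass in quick on $wan1 reply-to ($wan1 $gw1) inet proto tcp to $web port 443 keep state
pass in quick on $wan2 reply-to ($wan2 $gw2) inet proto tcp to $web port 443 keep state

# Server replies arrive on $lan already matching a state, so no rule on
# $lan is evaluated for them; a "match ... tagged" rule here would only
# ever see new connections the server itself opens.
pass in on $lan inet from $lan:network to any keep state
```

Checking which gateway a state will use: `pfctl -vvss` shows each state together with its route-to/reply-to binding, so after a test connection through GW2 the state for 10.0.0.10:443 should list em0.20 and 192.168.1.5; if it lists nothing, the rule that created the state had no reply-to.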