Netgate Discussion Forum

    Outbound packets through same gateway

Category: Routing and Multi WAN
6 Posts, 3 Posters, 1.3k Views
• feirlane

      Greetings,

I'm trying to configure a pfSense router with two NICs, one of them in a subnet with two gateways to the internet, and the other one on my LAN.

      Connections from my LAN hosts work perfectly, the problem is with incoming connections. When a connection comes from the second gateway, the NAT rules forward the connection to the server on the LAN, but then the reply from the server gets routed through the default GW, not the one from where the connection came. You can picture the scenario in the attached image.

Is there a way to make the outgoing packets stick to the source gateway? I've tried tagging the packets with a rule when they come in through the WAN, and then matching that tag when the reply comes in through the LAN interface, to no avail. Setting the gateway on the incoming packet on the WAN interface doesn't work either.

      Thanks in advance, Marcos.

      pfsense-multiwan.png

• viragomann

        @feirlane:

        Is there a way to make the outgoing packets stick to the source gateway?

        Yes, if you've got a way to let pfSense know which gateway the packets are coming from.

It seems your pfSense has got just one WAN interface and is connected to the gateways via a switch. So how should pfSense know where the packets are coming from?
But as you use a private IP range on the WAN net, I assume you do double NAT. So you can do the trick by using different network ranges between the gateways and pfSense and assigning both to the pfSense WAN interface.
        Not a perfect solution, but should work this way.

• cmb

          Move one of those to a different interface and IP subnet. That's much cleaner in general anyway, and then the reply-to can appropriately handle return routing.

• feirlane

First of all, thank you so much for your replies!

            Sadly I can't add more NICs to the firewall, so having multiple WAN interfaces is not an option.

            Assigning multiple IPs to the WAN interface could do the trick, but my employer wanted to set up CARP on both sides of the firewall. Does this mean I'd have to create a CARP interface for each gateway, and one for the LAN?

Given that I already am configuring the NAT rule on the firewall (firewall_port->internal_host:internal_port), would a rule on the LAN filter (internal_host:internal_port->specific_gateway) do the trick? This way I'd only have two CARP interfaces independently of how many gateways I'll have in the future, which will probably be more than two.

            Thanks!

• viragomann

Yes, I assumed that you have no free NIC. So the only solution I know is the dirty one mentioned above.

              @feirlane:

              would a rule on the LAN filter (internal_host:internal_port->specific_gateway) do the trick?

              No, this only affects outbound connections, but not response packets to inbound.

              As said above, put each gateway in a different subnet, e.g.
              GW1: 192.168.1.1/30
              GW2: 192.168.1.5/30

              Change your pfSense WAN interface to 192.168.1.2/30 for the subnet of GW1 and add as virtual IP 192.168.1.6/30 for GW2.
              Now you can add separate filter rules for each WAN address and tag the packets coming in GW2 to direct responses back.

• cmb

                @viragomann:

                Change your pfSense WAN interface to 192.168.1.2/30 for the subnet of GW1 and add as virtual IP 192.168.1.6/30 for GW2.
                Now you can add separate filter rules for each WAN address and tag the packets coming in GW2 to direct responses back.

                That won't work to address reply-to though. Must be either a separate physical interface, or a tagged VLAN would work as well. No other option for proper reply-to functionality.

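To illustrate cmb's point about reply-to, here is an added example in FreeBSD pf.conf syntax (hand-written for this thread, not rules generated by pfSense or posted by anyone above). It assumes GW2 is moved onto a tagged VLAN so that pfSense sees it on its own interface; the interface names (em0, em0.20, em1) and the server address 10.0.0.10 are constructed, while the /30 addressing follows viragomann's suggestion.

```pf
# Assumed interface names: em0 = WAN toward GW1, em0.20 = tagged VLAN 20 toward GW2, em1 = LAN.
# Addresses are constructed for this example; the /30 split follows the thread.
wan1_if   = "em0"
wan2_if   = "em0.20"
wan1_gw   = "192.168.1.1"
wan2_gw   = "192.168.1.5"
wan1_addr = "192.168.1.2"
wan2_addr = "192.168.1.6"
srv       = "10.0.0.10"

# Translation rules must come before filter rules in this pf syntax.
# Each WAN address forwards port 443 to the same internal server.
rdr on $wan1_if inet proto tcp from any to $wan1_addr port 443 -> $srv port 443
rdr on $wan2_if inet proto tcp from any to $wan2_addr port 443 -> $srv port 443

# reply-to is keyed on the interface the state was created on, so it only
# works when each gateway sits behind its own (physical or VLAN) interface:
# a state created on em0 is answered out em0 via GW1, a state created on
# em0.20 is answered out em0.20 via GW2, regardless of the default route.
pass in quick on $wan1_if reply-to ($wan1_if $wan1_gw) inet proto tcp \
    from any to $srv port 443 flags S/SA keep state
pass in quick on $wan2_if reply-to ($wan2_if $wan2_gw) inet proto tcp \
    from any to $srv port 443 flags S/SA keep state

# What cannot work: both gateways in one subnet on a single interface.
# A rule on em0 can name only one reply-to gateway, so every inbound state,
# including connections that actually entered via GW2, would be answered
# through GW1 (the situation described in the first post):
#   pass in quick on em0 reply-to (em0 192.168.1.1) inet proto tcp \
#       from any to $srv port 443 flags S/SA keep state
```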