Multi-WAN Multi-LAN Policy Based Routing Issue (no load balancing)

  • Summary:

    I have a pfsense box which has two LANs and two WANs. The box simply NATs all outgoing traffic. What I want to achieve is that LAN1 goes out via WAN1 and LAN2 goes out via WAN2. In order to do this we need Policy Based Routing. No load balancing or any other fancy stuff.

    WAN1: x.x.x.x/29 with default GW
    WAN2: y.y.y.y/29 without default GW

    Note: I am unable to NOT have a default gateway. If I disable it in the gateway settings and apply, nothing changes.


    Firewall Rules:
    LAN1: Allow All with a source of LAN1, any destination, set gateway to WAN1
    LAN2: Allow All with a source of LAN2, any destination, set gateway to WAN2

    Manual Outbound NAT(AON)
    NAT_Rule_1: Interface: WAN1, Source:, Source Port: *, Destination: *, Destination Port: *, NAT Address: WAN1 Address, NAT Port: *, Static Port: Randomize
    NAT_Rule_2: Interface: WAN2, Source:, Source Port: *, Destination: *, Destination Port: *, NAT Address: WAN2 Address, NAT Port: *, Static Port: Randomize

    What works:
    Traffic sourced from LAN1.

    What does not:
    Traffic sourced from LAN2.

    P.S. - I tried automatic NAT, both LANs were working, however traffic was only going out via WAN1.

  • Your configuration is correct.
    Make sure that:
    • gw_wan1 and gw_wan2 use DIFFERENT monitoring addresses, or disable monitoring for gw_wan2 completely.
    • you rebooted pfsense after mangling with the NAT rules.

    Side note - your configuration should work with Auto and Hybrid NAT too, because they only define how outgoing traffic should be NATed on a specific interface.

  • Thanks for the reply.

    • The monitoring IPs for the two gateways are different.
    • I have not tried rebooting the device. If this fixes it, I will submit a bug report, as in my opinion you should not need to reboot a device to properly apply NAT rules.

    As I remarked I did try Auto and Hybrid mode, however in that case the traffic got routed only via WAN1.

  • Hi All,

    A quick update for anybody pondering the same issues. The configuration described above works beautifully, with one minor drawback (or major, depending on your point of view):

    You CANNOT test it from the pfsense itself (meaning you cannot use /Diagnostics/Ping and use one of the LAN IP addresses as source). The second (or third) interface for which Policy Based Routing is necessary will fail to ping to the outside (via WAN2). It appears PBR works for traffic which does not originate from the device doing the PBR (in this case pfsense). This is especially annoying when you do not have physical access to a device on the LAN networks.

    So if your ping tests from the pfsense fail, do not worry and test from a device in the particular network you are PBR-ing.

    Hopefully this helps other people.

    edit: No restart was needed. :)
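As an added illustration (not the poster's configuration and not pfSense's exact generated ruleset), the pf(4) equivalent of the LAN rules and manual outbound NAT rules from the first post, with a note on why the pfSense-originated ping from the last post cannot leave via WAN2; interface names, LAN subnets and gateway addresses are placeholders:

```pf
# Placeholders (assumed): interface names, LAN subnets and WAN gateways.
wan1 = "em0"                  # WAN1, x.x.x.x/29, carries the default route
wan2 = "em1"                  # WAN2, y.y.y.y/29, no default route
lan1 = "em2"
lan2 = "em3"
lan1_net = "192.168.1.0/24"   # placeholder for "LAN1 net"
lan2_net = "192.168.2.0/24"   # placeholder for "LAN2 net"
wan1_gw  = "198.51.100.1"     # placeholder for the WAN1 gateway (gw_wan1)
wan2_gw  = "203.0.113.1"      # placeholder for the WAN2 gateway (gw_wan2)

# Manual outbound NAT (AON): one rule per WAN interface, as in NAT_Rule_1/2.
# "(em0)" means "the address currently assigned to em0" (= "WAN1 Address").
nat on $wan1 inet from $lan1_net to any -> ($wan1)
nat on $wan2 inet from $lan2_net to any -> ($wan2)

# Policy based routing: a LAN rule with "Gateway" set becomes a pass rule
# with route-to. It is evaluated only for packets that arrive *in* on the
# LAN interface, so matching traffic is handed to the chosen gateway
# regardless of the routing table (which only has the WAN1 default route).
pass in quick on $lan1 route-to ($wan1 $wan1_gw) inet from $lan1_net to any keep state
pass in quick on $lan2 route-to ($wan2 $wan2_gw) inet from $lan2_net to any keep state

# Packets generated on the firewall itself (Diagnostics > Ping with a LAN2
# address as source) never pass "in" on $lan2, so no route-to applies and
# they follow the routing table out of the WAN1 default gateway. This is
# the behaviour reported above, and why the test must run from a LAN2 host.
```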
