Load-balanced & fail-over WAN group with NAT, with IPsec bridge behind

  • Hello.

    I want to upgrade my office network with a pfSense machine, and I have some doubts.

    Here's what I was thinking to do:

    I have multiple ISPs. One (let's call it A) routes some static IP addresses to our pfSense (let's say, but let's not exclude, in principle, 4 non-contiguous IP addresses). Two more ISPs B and C are cheapo ADSL PPPoE providers, which give us two more public IP addresses (let's say they are static, and they are and

    First thing: set up the interfaces.

    • For the LAN, there's no problem. Select the physical ports, set address to, say,, and set up DHCP on, say,

    • For ISPs B and C everything is easy because the PPPoE peer has DHCP, so pfSense can do addresses & gateway & routing tables automatically for those.

    • For ISP A I set as my IP address, and then my first doubt arises: what would I use as a gateway? One possibility that comes to my mind is that ISP A's router has a public IP address for the PPP connection it uses to connect to the ISP's premises, let's call it, with the peer being, and I could set the gateway to Or should I simply leave the gateway empty for the interface, since is not in the same network anyway? Would that even work? If not, what would?

    Once the interfaces are set-up, I would set alias IP addresses for ISP A as needed. Then I would set up a gateway group and configure it for load-balancing & fail-over

    Next up, I'd set up NAT for Internet browsing et similia from the LAN to the the newly created gateway group.
    Here, the second doubt arises: Can I configure the NAT for only using some or one IP addresses on an interface with aliases?
    I.e. I want the NAT to use the public IP addresses from ISP B and C and only one of the IP addresses from ISP A (and use the other ones for "DMZ-type" machines, e.g. a self-hosted mail or web server, using 1:1 NAT). I know this is possible when NATting a LAN to a single interface with multiple IP addresses, but can it be done when NATting a LAN to a gateway group containing an interface with multiple IP addresses?

    Last but surely not least, one of the LAN clients would have to be someone else's trusted machine (Cisco 800 router, if that helps in any way, only used as a client i.e. with a single interface configured with fixed address which would initiate a IPsec connection to a remote peer to create a tunnel to a private network (let's say And this of course would go through the pfSense NAT. More (hurtful) doubts arise:

    Provided that currently (a) it works through my only ISP's NATted public fixed IP address, possibly because the company that owns the Cisco router asked me to NAT 1:1 a range of ports (i.e. port forward) from said IP address to the local Cisco's IP address, and (b) I cannot configure the tunnel on pfSense directly but only on this router, …

    • …would it still work with the multiple WAN IP addresses (one at a time, in fail-over)...

      • …with the same port forwarding configuration?

      • …even without port forwarding, configuring the Cisco router to initiate all connections?

    • If not, and (obviously, at this point) sacrificing fail-over, would it work with 1:1 NATting one of ISP A's public IP addresses to the Cisco? (I'm pretty sure it would, because why wouldn't it? but I'm asking, just to be sure, encrypted tunnels are tricky).

    Then, in whichever way I manage to make the tunnel on the Cisco router work, all I need to do is to create a high-priority firewall rule on pfSense redirecting all packets with destination to (the Cisco router), right?

    Sorry for the long post. I hope everything is clear.
    Please feel free to answer even partially, everything helps!

    Best regards.

  • I made a diagram to show the described scenario visually:

Log in to reply