Outbound NAT Config with Multiple WAN IPs (but not Multi-WAN)
-
Hello all,
I'm fairly new to pfSense, and I've been tasked with setting up a group of two pfSense firewalls in a HA cluster. So far everything has gone smoothly! I do have one question about Outbound NAT configuration that I haven't been able to answer doing research on the web (including these forums).
We have one ISP with multiple WAN IPs that we use on the one connection. As recommended in the pfSense Book, I've configured the firewalls to have one "main" CARP VIP with all of the other VIPs we use added as virtual IP Aliases for the main CARP VIP. The book also mentions configuring the Outbound NAT for "Manual Outbound NAT rule generation" and to change the default rules so the CARP VIP is used as needed instead of the firewall's individual IPs (makes sense to me). The issue for me is that the examples in the book and most of what I've found online are for when you have only one CARP VIP, which isn't our case.
When a given request is made to one of our IPs (and passed to the respective machine on the inside via port-forwarding and NAT), I'm unsure as to how the firewalls should be configured to ensure the response from the internal server is returned via the IP the original request was made to? I'm assuming that stateful connections like TCP will be taken care of with the state tables (please correct me if I'm wrong), but I'm thinking that the Outbound NAT configuration will be important for other types of connections… 1:1 NAT won't work for us because some requests to our public IPs will be routed to a different machine on the inside depending on the destination port.
It has been a while since I've been tasked with a network project like this, so I apologize in advance if the answer is based on networking fundamentals instead of something pfSense-specific.
Thank you for your help!
– Caleb -
The issue for me is that the examples in the book and most of what I've found online are for when you have only one CARP VIP, which isn't our case.
You have multiple CARP VIPs on WAN? That's not necessary and not recommended any more. CARP VIPs add a lot of overhead on the network. It's better to assign just one CARP VIP and hook the IP Aliases up on it.
When a given request is made to one of our IPs (and passed to the respective machine on the inside via port-forwarding and NAT), I'm unsure as to how the firewalls should be configured to ensure the response from the internal server is returned via the IP the original request was made to?
That's the normal behaviour of pfSense. You don't have to care about this.
The outbound NAT is just applied on connections that are initiated from inside your network. -
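As an added illustration (not from this thread and not pfSense's own generated ruleset), here is the setup described above written in pf.conf syntax, which is what pfSense ultimately loads; you can compare it with /tmp/rules.debug on the firewall. The interface name, public addresses and internal hosts are constructed placeholders.

```pf
# Constructed example: em0 is the WAN interface, 203.0.113.10 is the single
# CARP VIP and 203.0.113.11 is an IP Alias VIP riding on it; internal hosts
# are made up for the illustration.
wan = "em0"
lan_net = "10.0.0.0/24"
carp_vip = "203.0.113.10"
alias_vip = "203.0.113.11"

# Port forwards: the same public IP goes to a different internal host depending
# on the destination port. Each matching packet creates a state entry that
# records both the original and the translated addresses, so the reply from the
# internal host is un-translated by that state and leaves from the public IP the
# request was sent to. No outbound NAT rule is involved in that reply.
rdr on $wan inet proto tcp from any to $alias_vip port 80  -> 10.0.0.20 port 80
rdr on $wan inet proto tcp from any to $alias_vip port 25  -> 10.0.0.30 port 25
rdr on $wan inet proto tcp from any to $carp_vip  port 443 -> 10.0.0.40 port 443

# Outbound NAT (manual mode): only consulted for connections that originate on
# the inside. Translating to the CARP VIP rather than the firewall's own WAN
# address means the states synced by pfsync stay valid when the VIP fails over
# to the other cluster member.
nat on $wan inet from $lan_net to any -> $carp_vip

# Filter rules still have to pass the redirected traffic; pfSense adds these
# through the port forward's filter rule association. Filtering sees the
# already-translated (internal) destination address.
pass in quick on $wan inet proto tcp from any to 10.0.0.20 port 80 keep state
pass in quick on $wan inet proto tcp from any to 10.0.0.30 port 25 keep state
pass in quick on $wan inet proto tcp from any to 10.0.0.40 port 443 keep state
```

To confirm the behaviour on a running firewall, Diagnostics > States (or pfctl -ss) shows the inbound entries with their original public destination alongside the internal host they were redirected to.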
You have multiple CARP VIPs on WAN? That's not necessary and not recommended any more. CARP VIPs make much overheads on the network. It's better to assign just one CARP and IP Aliases hooking up on it.
That is how I set it up. (See the second paragraph in my original post) Thank you for double-checking that aspect, though!
That's the normal behaviour of pfSense. You don't have to care about this.
The outbound NAT is just applied on connections that are initiated from inside your network.
That answers my question perfectly. Thank you!
– Caleb