Multi-WAN Routing NAT problem



  • Hello,

    I am using the pfSense 2.3.4 version on a Fujitsu RX 100 S6. I have attached another network card to have 4 NICs on the Fujitsu server. I also have two physical WANs and a FortiGate 60d Firewall that I have to integrate into the system. The FortiGate 60d is a firewall for a connection to another company. The FortiGate does not tunnel the internet connection and that is why I have to input 3 NICs to the router (1 NIC for WAN 1, 1 NIC for WAN 2 and 1 NIC for the VPN).

    Network map

                    WAN                     WAN
                     :                       :
                     : DSL                   : DSL
                     :                       :
                 .---+---.                .--+--.
           WAN 1 |  DSL  |     Modems     | DSL | WAN 2
                 '---+---'                '--+--'
                     |                       |
            Ethernet |                       | Ethernet
                     |                       |
                .----+----.             .----+----. 192.168.78.1/24   .----+----------.
                | Router1 |    Router   | Router2 +-------------------+ FortiGate 60d |
                '----+----'             '----+----'                   '----+----------'
                     |                       |                             | 192.168.78.25/24
                     |                       |                             |
                     |                       |                             |
                     |                       |                             |
                     |                       |                             |
                     |                       |                             |
      192.168.0.1/24 |                       | 192.168.78.1/24             |
                     |                  .---------.                        |
                     +------------------| pfSense |------------------------+
            192.168.0.80/24             '----+----' 192.168.78.50/24
                                             |
                                         LAN | 10.0.0.1/24
                                             |
                                       .-----+------.
                                       | LAN-Switch |
                                       '-----+------'
                                             |
                                     ...-----+-----...
                                     (Clients/Servers)
    

    What I am trying to achieve.

    • WAN 1 and WAN 2 load balancing - works already as expected. I have followed the following tutorial, but I had to make a small change to be able to utilize both WANs. Otherwise, during speed tests I could see that only one of the two NICs was used. So I had to delete the rules for Link Failover (step 7), and then both interfaces were used in parallel.

    • Integrate the FortiGate 60d firewall. The firewall enables us to connect to some resources of another company. Those resources are reachable under the IP subnet 94.0.0.0/8. There is also a pingable DNS server of the other company located at 94.41.32.23.

    What I have done.

    • Setup 3 interfaces for those 3 NICs

    • Load Balancing for WAN 1 and WAN 2

    • DNS server of the other company - to be able to resolve the foreign resources

    • Static Route for the subnet of the foreign company

    • DHCP server for the local clients on LAN

    The current status.

    • Routing, DNS and DHCP work fine for the clients (10.x subnet). The clients connect to the internet via both WANs.

    • Regarding the firewall of the foreign company: on the pfSense I can resolve URLs to the right addresses, so on the pfSense the DNS works already. If I try to telnet {specific_another_companys_url} 443, I can connect to the foreign server, but if I try to get the index page of the server with GET /, the connection is immediately closed. I think that my request goes out correctly to the foreign server (because of the static route), but the response to the pfSense is wrong, because some NAT rules or something else is missing.

    I appreciate any help or tips!

    Kind regards,
    vrugaitis



  • Hello,

    I have managed to resolve the issue myself.

    For those who stumble upon a similar situation: I only had to define a LAN rule to send all traffic with the destination 94.0.0.0/8 through the VPN gateway.

    Kind regards,
    vrugaitis
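The fix described in the thread, shown as an added illustrative pf.conf fragment (not the poster's exported configuration): pfSense renders a LAN firewall rule that has a gateway selected into a pf `route-to` rule, and pf evaluates `quick` rules first-match, so the more specific rule for the partner subnet has to sit above the load-balancing rule. Interface names (em0..em3) and the Router2 gateway address are assumptions; the LAN, FortiGate, pfSense and partner addresses are the ones from the thread.

```pf
# Illustrative pf.conf fragment (added example; interface names and the
# Router2 gateway are assumptions, all other addresses come from the thread).

lan_if      = "em0"            # LAN, pfSense 10.0.0.1/24
wan1_if     = "em1"            # to Router1, gateway 192.168.0.1
wan2_if     = "em2"            # to Router2, assumed gateway 192.168.78.1
vpn_if      = "em3"            # to FortiGate 60d at 192.168.78.25
lan_net     = "10.0.0.0/24"
partner_net = "94.0.0.0/8"     # other company's resources (incl. DNS 94.41.32.23)

# Translation rules come before filter rules in this pf grammar. pfSense's
# automatic outbound NAT mode generates an equivalent rule for every
# interface that has a gateway, so the FortiGate sees pfSense's own
# 192.168.78.50 address rather than a 10.0.0.x client address.
nat on $vpn_if inet from $lan_net to $partner_net -> ($vpn_if)

# BEFORE (the broken state): the only LAN rule policy-routes everything
# into the WAN1/WAN2 gateway group. route-to overrides the system routing
# table, so the static route for 94.0.0.0/8 is never consulted for LAN
# traffic and partner-bound packets leave via a DSL line instead.
#
# pass in quick on $lan_if \
#     route-to { ($wan1_if 192.168.0.1), ($wan2_if 192.168.78.1) } \
#     round-robin sticky-address \
#     inet from $lan_net to any keep state

# AFTER (the fix from the thread): a more specific rule ABOVE the
# load-balancing rule steers partner traffic to the FortiGate gateway.
pass in quick on $lan_if route-to ($vpn_if 192.168.78.25) \
    inet from $lan_net to $partner_net keep state

# Everything else still load-balances across both DSL lines.
pass in quick on $lan_if \
    route-to { ($wan1_if 192.168.0.1), ($wan2_if 192.168.78.1) } \
    round-robin sticky-address \
    inet from $lan_net to any keep state
```

In the pfSense GUI this corresponds to a LAN rule with Destination 94.0.0.0/8 and Gateway set to the VPN interface's gateway, dragged above the default rule that uses the load-balancing gateway group.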