Dual WAN, both NAT's work at the same time?



  • Hello.

I am new to multi-WAN on pfSense.  I am hoping the community here could help me determine if I can do what I hope is simple.

Today I have a pfSense with 3 interfaces and I have a single WAN and a single LAN.  On my LAN I have an FTP server.

pfSense is configured with 66.92.1.12 /24 for its WAN interface.
pfSense is configured with 10.10.1.1 /24 for its LAN interface.
On my LAN I have an FTP server with the IP of 10.10.1.20
In pfSense I have a NAT 1to1 mapping for the FTP server.  66.92.1.13 maps to 10.10.1.20
I have opened the proper ports on pfSense for FTP to the FTP server.
So today, remote users can FTP to 66.92.1.13 and get to my FTP server.

Let's say I wanted to split up my remote users who access my FTP server over two Internet connections.

Let's say I buy a 2nd Internet connection.
I configure the OPT interface for the 2nd Internet connection.
Let's say I configure the OPT interface with 12.24.2.2/24.
Would I add a 1to1 NAT for my FTP server: 12.24.2.3 maps to 10.10.1.20?

Would both NATs work?
My concern is that connections could come through Internet1 and go back out Internet2 (causing problems).
Would pfSense route connections back out the same interface that the connections were established on?
How would pfSense route traffic that originates from my FTP server out to the Internet?  Is there a preference setting?

    Thanks for the help!



  • Anyone?



  • You cannot have two 1:1 NAT entries to the same server at the same time.
    You can however have two normal NAT-forwardings to the same server.

From http://forum.pfsense.org/index.php/topic,10844.msg60345.html#msg60345:

My "personal solution" to FTP problems:
1: Disable the ftp-helper on all interfaces.
2: Define a port range on your FTP server for the data transfer.
3: Forward port 21 and your data-transfer range to your server. You can do that for multiple WANs.

If you don't really need 1:1 NAT I wouldn't use it.
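The three steps above can be turned into a configuration check. The following is an added example, not code from this thread or from pfSense: it models port forwards as simple rules, generates the set of forwards the recipe calls for on every WAN, reports any (interface, port) a client could hit that nothing forwards, and decodes a PASV reply to confirm the server advertises the right public address and a port inside the forwarded range. Assumed values: interface names WAN and OPT1, the public addresses 66.92.1.13 and 12.24.2.3 from the original question, and a passive data range of 50000-50099 configured on the FTP server (step 2). The PASV reply format is the one defined in RFC 959.

```python
import re
from dataclasses import dataclass

# Constructed values: the FTP server and the two public addresses from the question.
FTP_SERVER = "10.10.1.20"
WAN_PUBLIC = {"WAN": "66.92.1.13", "OPT1": "12.24.2.3"}
# Assumed passive data range configured on the FTP server (step 2 of the recipe).
PASSIVE_RANGE = (50000, 50099)


@dataclass(frozen=True)
class PortForward:
    """Simplified model of one port-forward (rdr) rule; not pfSense's own structure."""
    interface: str   # WAN interface the rule is bound to
    dst_ip: str      # public address the client connects to
    first_port: int
    last_port: int
    target: str      # internal host the traffic is forwarded to


def required_forwards(wan_public, server, passive_range):
    """Step 3: forward port 21 and the passive range to the server, once per WAN."""
    rules = []
    for iface, pub in wan_public.items():
        rules.append(PortForward(iface, pub, 21, 21, server))
        rules.append(PortForward(iface, pub, passive_range[0], passive_range[1], server))
    return rules


def covers(rules, iface, dst_ip, port, target):
    """True if some rule on `iface` forwards dst_ip:port to `target`."""
    return any(r.interface == iface and r.dst_ip == dst_ip and r.target == target
               and r.first_port <= port <= r.last_port for r in rules)


def missing_forwards(rules, wan_public, server, passive_range):
    """(interface, port) pairs a client could connect to that no rule forwards."""
    ports = [21, *range(passive_range[0], passive_range[1] + 1)]
    return [(iface, port) for iface, pub in wan_public.items()
            for port in ports if not covers(rules, iface, pub, port, server)]


# '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' as defined in RFC 959.
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Decode the address and port the server advertises for the data connection."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    g = m.groups()
    return ".".join(g[:4]), int(g[4]) * 256 + int(g[5])


def check_pasv(reply, control_iface, rules, wan_public, server, passive_range):
    """With the ftp-helper disabled (step 1) nothing rewrites this reply, so the
    server itself must advertise the public IP of the WAN the control connection
    arrived on, and a port inside the range forwarded on that WAN."""
    ip, port = parse_pasv(reply)
    expected_ip = wan_public[control_iface]
    problems = []
    if ip != expected_ip:
        problems.append(f"advertised {ip}, expected {expected_ip} on {control_iface}")
    if not passive_range[0] <= port <= passive_range[1]:
        problems.append(f"port {port} outside passive range {passive_range}")
    elif not covers(rules, control_iface, expected_ip, port, server):
        problems.append(f"port {port} is not forwarded on {control_iface}")
    return problems


if __name__ == "__main__":
    rules = required_forwards(WAN_PUBLIC, FTP_SERVER, PASSIVE_RANGE)
    print("gaps in full ruleset:", missing_forwards(rules, WAN_PUBLIC, FTP_SERVER, PASSIVE_RANGE))
    # A ruleset where the data range was only forwarded on the first WAN.
    partial = [r for r in rules if not (r.interface == "OPT1" and r.first_port == PASSIVE_RANGE[0])]
    print("gaps without OPT1 data range:",
          len(missing_forwards(partial, WAN_PUBLIC, FTP_SERVER, PASSIVE_RANGE)))
    # Constructed PASV replies: a correct one, and one advertising the private address.
    for reply, iface in [("227 Entering Passive Mode (12,24,2,3,195,88)", "OPT1"),
                         ("227 Entering Passive Mode (10,10,1,20,195,88)", "WAN")]:
        result = check_pasv(reply, iface, rules, WAN_PUBLIC, FTP_SERVER, PASSIVE_RANGE)
        print(reply, "->", result or "ok")
```

The second PASV reply is the usual failure once the helper is off: the server hands out its private address (or the address of the other WAN), so the client's data connection never reaches the firewall. Running the check against the actual `227` replies captured on each WAN is a quick way to confirm steps 1 to 3 were applied on every interface.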



  • @GruensFroeschli:

    You cannot have two 1:1 NAT entries to the same server at the same time.
    You can however have two normal NAT-forwardings to the same server.

From http://forum.pfsense.org/index.php/topic,10844.msg60345.html#msg60345:

My "personal solution" to FTP problems:
1: Disable the ftp-helper on all interfaces.
2: Define a port range on your FTP server for the data transfer.
3: Forward port 21 and your data-transfer range to your server. You can do that for multiple WANs.

If you don't really need 1:1 NAT I wouldn't use it.

Excuse me. Could you please explain why we cannot have two 1:1 NATs with two public interfaces?
With one WAN interface I agree it is impossible, but with two… I have just tried out of curiosity:
    binat on em0 inet from 192.168.1.40 to any -> xx.xx.xx.219
    binat on bge1 inet from 192.168.1.40 to any -> 1.1.1.219
    binat on em0 inet from 192.168.1.40 to any -> xx.xx.xx.219
    binat on bge1 inet from 192.168.1.40 to any -> 1.1.1.219

    Just trying to understand theory.
    Thanks.



  • The problem is:
    1:1 NAT is bidirectional.
    Meaning traffic leaving from the 1:1 NATed server will be translated to the public IP.
Now if you have 2 public IPs 1:1 NATed to a single server….

This would mean traffic would leave over 2 IPs at the same time, which is not possible.



  • @GruensFroeschli:

    The problem is:
    1:1 NAT is bidirectional.
    Meaning traffic leaving from the 1:1 NATed server will be translated to the public IP.
Now if you have 2 public IPs 1:1 NATed to a single server….

This would mean traffic would leave over 2 IPs at the same time, which is not possible.

Correct me if I am wrong. To allow traffic from inside to outside you have to create a rule. In this rule you have to specify a gateway. Here you either use default routing, one interface, another one, or one of the balancers you have created. So, I suppose the public IP will be chosen according to what you specify here. No?



  • Yes. For the normal outbound traffic.

If you 1:1 NAT something you specify a source.
-> a VIP or a WAN.
-> outbound traffic will appear as if from this WAN or VIP.

Now if you have two WANs and 1:1 NAT both WANs to the same server.
When the server sends something to the Internet this outbound traffic should be NATed to both WANs/VIPs at the same time.
That's not possible. Traffic can only leave via one WAN/VIP and not at the same time via another.

    1:1 NAT and normal NAT are not the same.

That's why I wrote:

    You cannot have two 1:1 NAT entries to the same server at the same time.
    You can however have two normal NAT-forwardings to the same server.

From http://forum.pfsense.org/index.php/topic,10844.msg60345.html#msg60345:

My "personal solution" to FTP problems:
1: Disable the ftp-helper on all interfaces.
2: Define a port range on your FTP server for the data transfer.
3: Forward port 21 and your data-transfer range to your server. You can do that for multiple WANs.

If you don't really need 1:1 NAT I wouldn't use it.



Ok, thank you for the explanation.

