Routing LAN VLAN to to WAN VLAN
I am going to start off with an apology, this could fit into 3 different categories here, Moderators please feel free to move with impunity if this is not the proper place for this post.
So I have an interesting setup, for those who would ask "Why the hell would you want to do that!?!" The answer is a simple, we are in a transitional period here, and allowing this lan vlan to nat to the default wan vip would be a security risk now, in the future it would still be nice to have different traffic go out of different subnets.
Here is the current setup:
VLANS 360 370 371 372 373 374 395
Desired routing outcome:
VLANS 360 370 371 372 373 374 395 route through to WAN vlan 83 via VIP (this currently works!)
VLAN 384 Route through to WLWAN VLAN 81 via VIP (Not functioning)
PFSense Version 2.4.1
Currently using Manual NAT, CARP, and 2 systems for failover. For testing have stopped CARP currently only using a single system.
So what we are trying to do is configure this to where anything routing through the firewall from vlan 384 should make it to the internet via vlan 81, what we are actually seeing is the raw requests with the rcf1918 ip addresses hitting local devices beyond the firewall. I have the NAT rules in place, however they seem to be ignored. However if I change the nat rules to go to through the WAN interface, it all works fine. I should also note that the gateway for both VLANs have been added and are pingable.
Basic rules look like:
Rule: Any traffic from WLLAN to be pushed through to ip (WLWAN VIP).
There is also the firewall rule for the WLLAN which is allowing anything sourced from the WLLAN through.
And all the interfaces are configured and functional (the WAN Interfaces are both able to ping google, as an example, from the VIPs).
I am sure I am missing something simple, and I appreciate any help that can be provided.
Please feel free to ask any questions, or inquire for further information if there isn't enough provided.
I am sure you can see where my confusion lies on the part of where to post this.
Did you setup a manual outbound Nat rule for your wlwan?
Yes I did.
That should work, can you post your configs?
Sorry for the delayed response, I was out most of last week.
Here are some screenshots of the configs.
It does seem to be working now, though I don't understand why.
When I changed the oubound nat rule from using the WLWAN to the WAN interface, it started working. I am not a networking expert by any means of my imagination, this makes no sense to me. I would assume that the VLAN Tagged interface would be the interface that one should use, not the interface with a different VLAN Tag. For now this can be marked as solved wtih questions.
Thanks for all your help and time.
I'm glad you got it working. Normally when you want to do policy based routing and you have multiple WANs you would create a rule under that interface setting the gateway to the WAN interface of your choice. Then you have to go to the outbound nat and I usually set it to hybrid mode and I set a rule like something below:
Interface Source Source Port Destination Destination Port NAT Address NAT Port Static Port Description Actions
WAN 192.168.45.0/24 * * * WAN address * Default GW
Order here matters I believe (first match wins) so if your interface rule says to use WLWAN but the NAT outbound rule that matches first says to use the WAN then the traffic would be dropped. Looks like you have your interface rule set to any (*) which is allowing the desired behavior.
When I changed the oubound nat rule from using the WLWAN to the WAN interface, it started working.
That is because that is how it works. No mystery here. Outbound NAT on the WLWAN interface NATs traffic going out WLWAN, not WAN.
Outbound NAT does zero to affect what traffic is routed where. It only defines what translations take place when traffic flows out that interface.