    NAT stops working in Multi WAN when Primary WAN goes down

sandeepl:

Hi,
I have two ISPs and both are configured for NAT to a single server using a single pfSense. The server uses the pfSense as its gateway.

When both ISPs are online:
NAT from WAN -> Private IP: Works fine
NAT from WAN2 -> Private IP: Works fine

When WAN2 is offline:
NAT from WAN -> Private IP: Works fine
NAT from WAN2 -> Private IP: N/A

When WAN is offline:
NAT from WAN -> Private IP: N/A
NAT from WAN2 -> Private IP: Doesn't work

This behavior is also noticed when I power on pfSense with just WAN2 connected.
However, as soon as WAN comes back online, WAN2 NAT works fine as before.

I have checked the rules and they seem fine. On the firewall, when WAN is offline and I use the WAN2 IP to connect to any resource from an external network, I can see the entries for the connection in the firewall logs. However, I don't see a connection on the server. For some reason, the request isn't being passed on to the server. Once WAN is online again, this works flawlessly.

Not sure where I need to look to check why the firewall behaves like this?
Derelict (Netgate):

Post your port forwards and WAN/WAN2 rules.

It doesn't do what you think it is doing. You have something configured wrong. Inbound traffic is not the same as policy routing outbound traffic to gateway groups.
sandeepl:

Rules attached. I have not customized any Advanced settings; all are defaults.

Thanks!

![NAT rules.png](/public/imported_attachments/1/NAT rules.png)
![WAN Rules.png](/public/imported_attachments/1/WAN Rules.png)
![WAN2 Rules.png](/public/imported_attachments/1/WAN2 Rules.png)
Derelict (Netgate):

That looks fine. Those will be completely independent of each other.

How are you testing? From inside or outside?
sandeepl:

From outside, using an Amazon server!
Derelict (Netgate):

But HOW are you testing? To an FQDN? To an IP address? Using curl? What?

Describe exactly what you are doing.

When you are testing, look at the states. What do you see?
sandeepl:

I'm testing to the WAN2 IP address, using the browser and hitting the default port 80. Below is the state when WAN is offline:

WAN2 tcp <amazon server ip>:50663 -> 192.168.0.54:80 (<wan2 ip address>:80) CLOSED:SYN_SENT 3 / 0 152 B / 0 B
LAN tcp <amazon server ip>:50663 -> 192.168.0.54:80 ESTABLISHED:SYN_SENT 4 / 1 232 B / 52 B

When WAN is online:

WAN2 tcp <amazon server ip>:50666 -> 192.168.0.54:80 (<wan2 ip address>:80) TIME_WAIT:TIME_WAIT 6 / 5 521 B / 650 B
LAN tcp <amazon server ip>:50666 -> 192.168.0.54:80 TIME_WAIT:TIME_WAIT 6 / 5 521 B / 650 B
sandeepl:

When WAN is online, after a refresh:

WAN2 tcp <amazon server ip>:50668 -> 192.168.0.54:80 (<wan2 ip address>:80) ESTABLISHED:ESTABLISHED 4 / 3 441 B / 570 B
LAN tcp <amazon server ip>:50668 -> 192.168.0.54:80 ESTABLISHED:ESTABLISHED 4 / 3 441 B / 570 B
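The state pairs posted above (WAN down versus WAN up) can be read mechanically: a port forward creates one state on the inbound interface, carrying the pre-NAT destination in parentheses, and one on the LAN side, and the packet counters on each tell you how far the flow got. The following is an added example, not code from the thread or from pfSense. It parses Diagnostics > States rows in the format pasted above and reports, per forwarded flow, whether the server never answered, whether it answered on LAN but its reply never left the WAN-side interface (the WAN-down case above), or whether traffic is flowing both ways. The sample rows are constructed with documentation addresses (203.0.113.10 stands in for the Amazon test host, 198.51.100.5 for the WAN2 address), and the packets/bytes columns are read as "direction that created the state / reverse direction", which is how pf keeps its per-state counters.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One row of Diagnostics > States as pasted in the thread:
#   IFACE proto src:port -> dst:port [(original_dst:port)] STATE pkts / pkts bytes / bytes
# The parenthesised address appears only on the inbound (port-forwarded) side
# of the state and is the pre-NAT destination, i.e. the WAN/WAN2 address.
ROW_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
    r"(?:\s+\((?P<nat>[^)]+)\))?\s+(?P<state>\S+)\s+"
    r"(?P<pkts_fwd>\d+)\s*/\s*(?P<pkts_rev>\d+)\s+"
    r"(?P<bytes_fwd>[\d.]+)\s*(?P<unit_fwd>[KMG]?i?B)\s*/\s*"
    r"(?P<bytes_rev>[\d.]+)\s*(?P<unit_rev>[KMG]?i?B)$"
)
UNIT = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3,
        "KB": 1000, "MB": 1000 ** 2, "GB": 1000 ** 3}


@dataclass
class StateRow:
    iface: str
    proto: str
    src: str             # client address:port
    dst: str             # post-NAT destination (the internal server)
    nat: Optional[str]   # pre-NAT destination, present only on the inbound side
    state: str
    pkts_fwd: int        # packets in the direction that created the state (client -> server)
    pkts_rev: int        # packets in the reverse direction (server -> client)
    bytes_fwd: int
    bytes_rev: int


def parse_row(line: str) -> StateRow:
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised state row: {line!r}")
    g = m.groupdict()
    return StateRow(
        g["iface"], g["proto"], g["src"], g["dst"], g["nat"], g["state"],
        int(g["pkts_fwd"]), int(g["pkts_rev"]),
        int(float(g["bytes_fwd"]) * UNIT[g["unit_fwd"]]),
        int(float(g["bytes_rev"]) * UNIT[g["unit_rev"]]),
    )


FlowKey = Tuple[str, str, str]


def classify_flows(lines: List[str]) -> Dict[FlowKey, Tuple[str, str]]:
    """Pair the inbound-side and LAN-side state of each forwarded flow and
    say where it stalls. Returns {(proto, src, dst): (code, explanation)}."""
    flows: Dict[FlowKey, Dict[str, StateRow]] = defaultdict(dict)
    for row in map(parse_row, lines):
        side = "wan" if row.nat else "lan"
        flows[(row.proto, row.src, row.dst)][side] = row

    verdicts: Dict[FlowKey, Tuple[str, str]] = {}
    for key, sides in flows.items():
        wan, lan = sides.get("wan"), sides.get("lan")
        if wan is None or lan is None:
            verdicts[key] = ("incomplete", "only one side of the state was captured")
        elif lan.pkts_rev == 0:
            verdicts[key] = ("no_reply_from_server",
                             f"SYNs reached {lan.dst} via {lan.iface} but it never answered: "
                             "check the service, the host firewall and the host's gateway")
        elif wan.pkts_rev == 0:
            verdicts[key] = ("reply_not_on_wan",
                             f"{lan.dst} answered ({lan.pkts_rev} pkt, {lan.bytes_rev} B seen on "
                             f"{lan.iface}) but nothing went back out {wan.iface}: the reply is "
                             f"leaving by another path, so check which gateway is the default")
        else:
            verdicts[key] = ("ok", f"{wan.pkts_rev} reply packets left {wan.iface}")
    return verdicts


# Constructed sample rows in the thread's format (documentation addresses;
# 203.0.113.10 stands in for the Amazon test host, 198.51.100.5 for WAN2).
WAN_DOWN_ROWS = [
    "WAN2 tcp 203.0.113.10:50663 -> 192.168.0.54:80 (198.51.100.5:80) CLOSED:SYN_SENT 3 / 0 152 B / 0 B",
    "LAN tcp 203.0.113.10:50663 -> 192.168.0.54:80 ESTABLISHED:SYN_SENT 4 / 1 232 B / 52 B",
]
WAN_UP_ROWS = [
    "WAN2 tcp 203.0.113.10:50666 -> 192.168.0.54:80 (198.51.100.5:80) TIME_WAIT:TIME_WAIT 6 / 5 521 B / 650 B",
    "LAN tcp 203.0.113.10:50666 -> 192.168.0.54:80 TIME_WAIT:TIME_WAIT 6 / 5 521 B / 650 B",
]

if __name__ == "__main__":
    for label, rows in (("WAN down", WAN_DOWN_ROWS), ("WAN up", WAN_UP_ROWS)):
        for key, (code, why) in classify_flows(rows).items():
            print(f"{label}: {key[1]} -> {key[2]}: {code}: {why}")
```

On the WAN-down rows the LAN state shows one reverse packet of 52 bytes (the server's SYN-ACK) while the WAN2 state shows zero reverse packets, which is exactly the "port forward works, reply never comes back out WAN2" picture Derelict describes below; the WAN-up rows classify as flowing both ways.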
sandeepl:

I'm also monitoring the logs on the HTTP server. I see a proper request when the WAN interface is online; however, there are no entries whenever the WAN interface is down.
Derelict (Netgate):

Is there something else required on the server that might not be working when WAN is offline, like DNS resolution?

You can plainly see that the port forward is working and traffic coming back from the server isn't being received.

Packet capture both tests on the LAN interface and see what's really happening there.
sandeepl:

Attaching a snip of the capture for when the request fails. The only thing that changes during this is the WAN interface being offline.

[WAN Down.txt](/public/imported_attachments/1/WAN Down.txt)
sandeepl:

Strange, though: I'm able to recreate this issue on another box with the latest version of pfSense as well. I made the WAN2 the WAN on the new box, and NAT stopped working for the new WAN2 on the new box as soon as the WAN interface went down.
sandeepl:

Another observation: if I set the WAN2 network as the default gateway, NAT works properly even though the WAN interface is offline.
sandeepl:

The issue has been resolved. Based on my last observation, I went ahead and enabled the setting "Default gateway switching".
Now, in spite of the WAN interface going offline, NAT works.