NAT stops working in Multi WAN when Primary WAN goes down

  • Hi,
    I have two ISPs and both are configured for NAT to a single server using a single pfSense. The server uses the pfSense as a Gateway.

    When both ISPs are online:
    NAT from WAN -> Private IP: Works Fine
    NAT from WAN2 -> Private IP: Works Fine

    When WAN2 is offline:
    NAT from WAN -> Private IP: Works Fine
    NAT from WAN2 -> Private IP: N/A

    When WAN is offline:
    NAT from WAN -> Private IP: N/A
    NAT from WAN2 -> Private IP: Doesn't work

    This behavior is also noticed when I power on pfSense with just the WAN2 connected.
    However, as soon as WAN comes back online, WAN2 NAT works fine as before.

    I have checked the rules and they seem fine. On the firewall, when the WAN is offline and I use the WAN2 IP to connect to any resource from an external network, I can see the entries for the connection in the firewall logs. However, I don't see a connection on the server. For some reason, the request isn't being passed on to the server. However, once the WAN is online again, this works flawlessly.

    Not sure where I need to look to check why the firewall behaves like this?

  • LAYER 8 Netgate

    Post your port forwards and WAN/WAN2 rules.

    It doesn't do what you think it is doing. You have something configured wrong. Inbound traffic is not the same as policy routing outbound traffic to gateway groups.

  • Rules attached, not customized any Advanced settings, all are defaults.

    ![NAT rules.png](/public/imported_attachments/1/NAT rules.png)
    ![WAN Rules.png](/public/imported_attachments/1/WAN Rules.png)
    ![WAN2 Rules.png](/public/imported_attachments/1/WAN2 Rules.png)

  • LAYER 8 Netgate

    That looks fine. Those will be completely independent of each other.

    How are you testing? From inside or outside?

  • From outside, using an Amazon server!

  • LAYER 8 Netgate

    But HOW are you testing? To an FQDN? To an IP address? Using curl? What?

    Describe exactly what you are doing.

    When you are testing look at the states. What do you see?

  • I'm testing to the WAN2 IP address, using the browser and hitting the default port 80. Below is the state when WAN is offline:
    WAN2 tcp <amazon server ip>:50663 -> (<wan2 ip address>:80) CLOSED:SYN_SENT 3 / 0 152 B / 0 B
    LAN tcp <amazon server ip>:50663 -> ESTABLISHED:SYN_SENT 4 / 1 232 B / 52 B

    When WAN is online:
    WAN2 tcp <amazon server ip>:50666 -> (<wan2 ip address>:80) TIME_WAIT:TIME_WAIT 6 / 5 521 B / 650 B
    LAN tcp <amazon server ip>:50666 -> TIME_WAIT:TIME_WAIT 6 / 5 521 B / 650 B

  • When WAN is online, a refresh:
    WAN2 tcp <amazon server ip>:50668 -> (<wan2 ip address>:80) ESTABLISHED:ESTABLISHED 4 / 3 441 B / 570 B
    LAN tcp <amazon server ip>:50668 -> ESTABLISHED:ESTABLISHED 4 / 3 441 B / 570 B
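The two state dumps above, read mechanically: this is an added example, not pfSense code or anything posted in the thread, and its sample rows are constructed with documentation-range addresses (198.51.100.7 as the external client, 203.0.113.10 as the WAN2 address, 10.0.0.5 as the server) in the Diagnostics > States layout shown in the posts. It pairs the WAN2 and LAN states by client source port and uses the packet counters to tell a server that never answered apart from a reply that reached the LAN side but never left WAN2, which is the pattern in the WAN-down dump.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One row of the pfSense Diagnostics > States table, in the layout pasted in the thread:
#   <iface> <proto> <src>:<port> -> [(<nat dst>:<port>)] [<dst>:<port>] <state> <out> / <in> <bytes> B / <bytes> B
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+"
    r"(?:\((?P<nat>\S+):\d+\)\s+)?(?:(?P<dst>\S+):\d+\s+)?"
    r"(?P<state>\S+:\S+)\s+(?P<pkts_out>\d+)\s*/\s*(?P<pkts_in>\d+)\s+"
    r"(?P<bytes_out>\d+)\s*B\s*/\s*(?P<bytes_in>\d+)\s*B$"
)

@dataclass
class State:
    iface: str
    src: str
    sport: int
    nat: Optional[str]   # present only on the inbound-WAN row (the port-forward translation)
    state: str
    pkts_out: int        # packets seen in the client -> server direction
    pkts_in: int         # packets seen in the server -> client direction

def parse_state(line: str) -> State:
    m = STATE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised state row: {line!r}")
    g = m.groupdict()
    return State(g["iface"], g["src"], int(g["sport"]), g["nat"], g["state"],
                 int(g["pkts_out"]), int(g["pkts_in"]))

def diagnose(rows: str, lan_iface: str = "LAN") -> dict:
    """Pair each inbound-WAN state with its LAN-side twin (same client src:port)
    and classify the port forward from the packet counters alone."""
    pairs = {}
    for line in rows.strip().splitlines():
        s = parse_state(line)
        pairs.setdefault((s.src, s.sport), {})["lan" if s.iface == lan_iface else "wan"] = s
    verdicts = {}
    for key, p in pairs.items():
        wan, lan = p.get("wan"), p.get("lan")
        if wan is None or lan is None:
            verdicts[key] = "incomplete: only one side of the forward has a state"
        elif lan.pkts_in == 0:
            verdicts[key] = "server-no-reply: SYN was forwarded, nothing came back on the LAN side"
        elif wan.pkts_in == 0:
            verdicts[key] = (f"return-path-broken: server replied on {lan.iface} but the reply "
                             f"never left {wan.iface}; check reply-to and the default gateway")
        else:
            verdicts[key] = "ok"
    return verdicts

# Constructed rows mirroring the thread's two dumps (documentation addresses, not real hosts)
WAN_DOWN = """
WAN2 tcp 198.51.100.7:50663 -> (203.0.113.10:80) CLOSED:SYN_SENT 3 / 0 152 B / 0 B
LAN tcp 198.51.100.7:50663 -> 10.0.0.5:80 ESTABLISHED:SYN_SENT 4 / 1 232 B / 52 B
"""
WAN_UP = """
WAN2 tcp 198.51.100.7:50668 -> (203.0.113.10:80) ESTABLISHED:ESTABLISHED 4 / 3 441 B / 570 B
LAN tcp 198.51.100.7:50668 -> 10.0.0.5:80 ESTABLISHED:ESTABLISHED 4 / 3 441 B / 570 B
"""
```

Run `diagnose(WAN_DOWN)` and `diagnose(WAN_UP)` to compare the two verdicts; the LAN row's destination is optional in the pattern because the thread's paste omits it.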

  • I'm also monitoring the logs on the http server, I see a proper request when the WAN interface is online, however, no entries whenever the WAN interface is down.

  • LAYER 8 Netgate

    Is there something else required on the server that might not be working when WAN is offline, like DNS resolution?

    You can plainly see that the port forward is working and traffic coming back from the server isn't being received.

    Packet capture both tests on the LAN interface and see what's really happening there.

  • Attaching a snip of the capture for when the request fails. The only thing that changes during this is the WAN interface being offline.

    [WAN Down.txt](/public/imported_attachments/1/WAN Down.txt)

  • Strange though, I'm able to recreate this issue also on another box with the latest version of pfSense. I made the WAN2 as WAN on the new box, and the NAT stopped working for the new WAN2 on the new box as soon as the WAN interface went down.

  • Another observation: if I set the WAN2 network as default gateway, the NAT works properly even though the WAN interface is offline.

  • The issue has been resolved. I went ahead and enabled the setting "Default gateway switching", based on my last observation.
    Now, in spite of the WAN interface going offline, the NAT works.
