Netgate Discussion Forum
    NAT stops working in Multi WAN when Primary WAN goes down

    Category: NAT
    14 Posts 2 Posters 1.0k Views
    • sandeepl

      Hi,
      I have two ISPs and both are configured for NAT to a single server using a single pfSense. The server uses the pfSense as a Gateway.

      When both ISPs are online:
      NAT from WAN -> Private IP: Works Fine
      NAT from WAN2 -> Private IP: Works Fine

      When WAN2 is offline:
      NAT from WAN -> Private IP: Works Fine
      NAT from WAN2 -> Private IP: N/A

      When WAN is offline:
      NAT from WAN -> Private IP: N/A
      NAT from WAN2 -> Private IP: Doesn't work

      This behavior is also noticed when I power on pfSense with just the WAN2 connected.
      However, as soon as WAN comes back online, WAN2 NAT works fine as before.

      I have checked the rules and they seem fine. On the firewall, when the WAN is offline, as I use the WAN2 IP to connect to any resource from an external network, I can see the entries for the connection in the firewall logs. However, I don't see a connection on the server. For some reason, the request isn't being passed on to the server. However, once the WAN is online again, this works flawlessly.

      Not sure where I need to look to check why the firewall behaves like this.

      • Derelict (LAYER 8, Netgate)

        Post your port forwards and WAN/WAN2 rules.

        It doesn't do what you think it is doing. You have something configured wrong. Inbound traffic is not the same as policy routing outbound traffic to gateway groups.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • sandeepl

          Rules attached. I have not customized any Advanced settings; all are defaults.

          Thanks!

          ![NAT rules.png](/public/imported_attachments/1/NAT rules.png)
          ![WAN Rules.png](/public/imported_attachments/1/WAN Rules.png)
          ![WAN2 Rules.png](/public/imported_attachments/1/WAN2 Rules.png)

          • Derelict (LAYER 8, Netgate)

            That looks fine. Those will be completely independent of each other.

            How are you testing? From inside or outside?

            • sandeepl

              From outside, using an Amazon server!

              • Derelict (LAYER 8, Netgate)

                But HOW are you testing? To an FQDN? To an IP address? Using Curl? what?

                Describe exactly what you are doing.

                When you are testing look at the states. What do you see?

                • sandeepl

                  I'm testing to the WAN2 IP address, using the browser and hitting the default port 80. Below is the state when WAN is offline:
                  WAN2 tcp <Amazon server IP>:50663 -> 192.168.0.54:80 (<WAN2 IP address>:80) CLOSED:SYN_SENT 3 / 0 152 B / 0 B
                  LAN tcp <Amazon server IP>:50663 -> 192.168.0.54:80 ESTABLISHED:SYN_SENT 4 / 1 232 B / 52 B

                  When WAN is online:
                  WAN2 tcp <Amazon server IP>:50666 -> 192.168.0.54:80 (<WAN2 IP address>:80) TIME_WAIT:TIME_WAIT 6 / 5 521 B / 650 B
                  LAN tcp <Amazon server IP>:50666 -> 192.168.0.54:80 TIME_WAIT:TIME_WAIT 6 / 5 521 B / 650 B

                  • sandeepl

                    When WAN is online, after a refresh:
                    WAN2 tcp <Amazon server IP>:50668 -> 192.168.0.54:80 (<WAN2 IP address>:80) ESTABLISHED:ESTABLISHED 4 / 3 441 B / 570 B
                    LAN tcp <Amazon server IP>:50668 -> 192.168.0.54:80 ESTABLISHED:ESTABLISHED 4 / 3 441 B / 570 B

                    • sandeepl

                      I'm also monitoring the logs on the HTTP server. I see a proper request when the WAN interface is online, but no entries whenever the WAN interface is down.

                      • Derelict (LAYER 8, Netgate)

                        Is there something else required on the server that might not be working when WAN is offline, like DNS resolution?

                        You can plainly see that the port forward is working and traffic coming back from the server isn't being received.

                        Packet capture both tests on the LAN interface and see what's really happening there.

                        • sandeepl
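The two state-table snapshots pasted earlier (WAN offline versus WAN online) are the whole diagnosis in this thread: on the WAN-side interface the forwarded flow shows zero reply packets while the LAN-side state shows the server did answer. The script below is an added example, not code from the thread or from pfSense, that parses Diagnostics > States rows in the layout pasted above, pairs the WAN-side and LAN-side state of each forwarded flow, and says where the reply stops. The sample rows are constructed copies of the thread's output with RFC 5737 documentation addresses substituted for the Amazon server (198.51.100.7) and the WAN2 address (203.0.113.2); the reading of the two counters as packets in / packets out is an assumption about the GUI columns.

```python
"""Pair pfSense state-table rows for a port-forwarded flow and report where replies stop.

Added example: not pfSense code and not from the forum thread. Row layout assumed:
IFACE proto src -> dst (orig_dst) STATE:STATE pkts_in / pkts_out bytes_in / bytes_out
"""
import re
from collections import defaultdict

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
    r"(?:\s+\((?P<orig_dst>\S+)\))?"          # translated destination, only on the WAN-side state
    r"\s+(?P<state>\S+:\S+)"
    r"\s+(?P<pkts_in>\d+)\s+/\s+(?P<pkts_out>\d+)"   # assumed: packets in / packets out
    r"\s+(?P<bytes_in>\S+ \S+)\s+/\s+(?P<bytes_out>\S+ \S+)$"
)

# Constructed copies of the thread's rows with documentation addresses filled in.
WAN_DOWN = [
    "WAN2 tcp 198.51.100.7:50663 -> 192.168.0.54:80 (203.0.113.2:80) CLOSED:SYN_SENT 3 / 0 152 B / 0 B",
    "LAN tcp 198.51.100.7:50663 -> 192.168.0.54:80 ESTABLISHED:SYN_SENT 4 / 1 232 B / 52 B",
]
WAN_UP = [
    "WAN2 tcp 198.51.100.7:50668 -> 192.168.0.54:80 (203.0.113.2:80) ESTABLISHED:ESTABLISHED 4 / 3 441 B / 570 B",
    "LAN tcp 198.51.100.7:50668 -> 192.168.0.54:80 ESTABLISHED:ESTABLISHED 4 / 3 441 B / 570 B",
]


def parse_state(line):
    """Parse one state row into a dict; raise on anything that does not fit the layout."""
    m = STATE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised state row: {line!r}")
    row = m.groupdict()
    row["pkts_in"] = int(row["pkts_in"])
    row["pkts_out"] = int(row["pkts_out"])
    return row


def diagnose(lines, lan_iface="LAN"):
    """Return {(src, dst): verdict} for every flow seen in the rows.

    A port forward produces two states for one client connection: one on the
    interface the packet arrived on (carrying the original destination in
    parentheses) and one on the interface facing the server. Comparing the
    reply-direction packet counts of the pair tells you which hop lost the reply.
    """
    flows = defaultdict(dict)
    for line in lines:
        row = parse_state(line)
        flows[(row["src"], row["dst"])][row["iface"]] = row

    verdicts = {}
    for key, by_iface in flows.items():
        lan = by_iface.get(lan_iface)
        wan_side = [r for iface, r in by_iface.items() if iface != lan_iface]
        if lan is None or not wan_side:
            verdicts[key] = "incomplete: expected one WAN-side and one LAN-side state"
            continue
        wan = wan_side[0]
        if wan["orig_dst"] is None:
            verdicts[key] = f"no port forward matched on {wan['iface']}: state carries no translated destination"
        elif lan["pkts_out"] == 0:
            verdicts[key] = f"SYN forwarded out {lan_iface} but the server never replied"
        elif wan["pkts_out"] == 0:
            verdicts[key] = (f"server replied on {lan_iface} but nothing left {wan['iface']}: "
                             "the reply is not being sent back out the interface it arrived on")
        else:
            verdicts[key] = f"healthy: replies returned via {wan['iface']}"
    return verdicts


if __name__ == "__main__":
    for label, rows in (("WAN offline", WAN_DOWN), ("WAN online", WAN_UP)):
        for flow, verdict in diagnose(rows).items():
            print(f"{label}: {flow[0]} -> {flow[1]}: {verdict}")
```

Run it against rows copied from Diagnostics > States (or the equivalent `pfctl -ss` output after adapting the regex to that layout) while the test connection is in flight; the interesting case is the pair where the LAN-side state has a non-zero reply count and the WAN-side state does not, which is exactly the WAN-offline snapshot in this thread.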

                          Attaching a snip of the capture, for when the request fails. The only thing that is changing during this is that of the WAN interface being offline.

                          [WAN Down.txt](/public/imported_attachments/1/WAN Down.txt)

                          • sandeepl

                            Strange, though: I'm able to recreate this issue on another box with the latest version of pfSense as well. I made the WAN2 the WAN on the new box, and the NAT stopped working for the new WAN2 on the new box as soon as the WAN interface went down.

                            • sandeepl

                              Another observation: if I set the WAN2 gateway as the default gateway, the NAT works properly even though the WAN interface is offline.

                              • sandeepl

                                The issue has been resolved. Based on my last observation, I went ahead and enabled the setting "Default gateway switching".
                                Now, in spite of the WAN interface going offline, the NAT works.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.