1 WAN w/multi internal GWs

  • I don't know if this should be posted here or in NAT, please move if needed.

    I have 2 static IPs from my ISP. What I would like to do is have 2 internal gateways on my LAN, say and Depending on what GW the clients are set to, they would have one or the other static external IP. I also would like port forwarding to work with this, so I could have port 8080 forwarded on both external IPs but they would go to different internal IPs.

    WAN_IP_1 <--> LAN_GW_1 ( <--> Clients
    WAN_IP_2 <--> LAN_GW_2 ( <--> Clients

    I created a virtual IP alias for the 2nd external on the WAN interface. Did the same for on the LAN interface and set up 1:1 NAT between the 2. All the traffic is still using the first external IP.

  • LAYER 8 Netgate

    There isn't any way for the firewall to know which address on the LAN interface the inside host used as its gateway address. That information is not included in the packet. It all looks the same to the router.

    You could, however, put certain hosts in certain LAN address ranges and set the outbound NAT address based on the source addresses.

    The port forwarding you can do without doing anything special. Just make two port forwards. One with one WAN address as the destination address and the desired inside NAT address, then the same with the other.

    I don't see any use case for 1:1 NAT here unless you're only talking about two inside hosts.

  • First off, thank you.

    I got this to work with the steps below:
    1. Add the 2nd WAN IP as a Alias to the WAN interface
    2. Set outbound NAT to manual
    3. Create an outbound NAT rule to make specific client IPs use the 2nd WAN IP
        Interface: WAN
        Translation>Address: 2nd WAN IP
    4. Reboot pfSense

    Issues I had:
    1. Couldn't specify a specific range. Had to use Bits.
    2. The changes wouldn't take effect until I rebooted the firewall. It was still using the original IP after the rules applied. I even tried clearing all the states and that didn't work.
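For reference, here is what the setup the Netgate reply describes and the steps above implement looks like as a hand-written pf.conf ruleset (pfSense runs FreeBSD pf underneath; the GUI generates equivalent nat/rdr rules). This is an added example, not pfSense's generated ruleset and not code from anyone in the thread. Every interface name, address, table name and inside host is an assumption chosen for illustration. Two details matter in practice: pf evaluates translation rules first-match, so the rule for the hosts that should use the second WAN address must come before the catch-all for the rest of the LAN; and the translation address is chosen when a state is created, so connections that already have a state keep the old external address until that state expires or is cleared.

```pf
# Added example: hand-written pf.conf equivalent of the thread's setup.
# Not pfSense's generated rules. All names and addresses below are assumed.
ext_if = "em0"                 # WAN interface (assumed name)
int_if = "em1"                 # LAN interface (assumed name)
wan_ip1 = "203.0.113.10"       # first static IP, the primary WAN address (assumed)
wan_ip2 = "203.0.113.11"       # second static IP, added as a VIP alias on WAN (assumed)
lan_net = "192.168.1.0/24"     # single LAN subnet, one gateway address (assumed)

# Inside hosts that should egress via the second WAN address (assumed).
# pf tables hold hosts and CIDR networks, so a contiguous range is written
# as one or more CIDR blocks rather than as a start-end range.
table <wan2_clients> { 192.168.1.50, 192.168.1.64/27 }

# Inside targets for the two port forwards on port 8080 (assumed).
web1 = "192.168.1.10"
web2 = "192.168.1.80"

# Outbound NAT. Translation rules are first-match: the specific rule for
# <wan2_clients> must precede the catch-all for the rest of the LAN, or the
# catch-all would win and everything would leave from wan_ip1.
nat on $ext_if inet from <wan2_clients> to any -> $wan_ip2
nat on $ext_if inet from $lan_net to any -> $wan_ip1

# Port forwards: the same external port on each WAN address, sent to a
# different inside host. Selection is by destination address only, so no
# 1:1 NAT is needed for this part.
rdr on $ext_if inet proto tcp from any to $wan_ip1 port 8080 -> $web1 port 8080
rdr on $ext_if inet proto tcp from any to $wan_ip2 port 8080 -> $web2 port 8080

# Filter rules. Translation happens before filtering, so the inbound pass rule
# matches on the translated (inside) destination, and the outbound pass rule
# on WAN sees the already-translated source.
pass in on $int_if inet from $lan_net to any keep state
pass out on $ext_if inet keep state
pass in on $ext_if inet proto tcp from any to { $web1, $web2 } port 8080 keep state
```

Before relying on it, check the rule order and the resulting translations with `pfctl -sn` (shows nat/rdr rules as loaded) and `pfctl -ss` (shows the states with their translated addresses); a state that still shows the first WAN address is one created before the rule change. A /29 or /27 per group of hosts, as suggested in the reply, keeps the table to a single CIDR entry.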

  • LAYER 8 Netgate

    Yeah you don't have to reboot for that. Not sure what you were seeing.

    You could make a host alias using an address range and use that for the source address but it is generally better to just do things like that within specific subnets so you can just use a CIDR netmask in one rule.

  • I created the host alias for the range I wanted but when I am creating the outbound NAT entry the only options for source are Any, This Firewall or Network.

  • LAYER 8 Netgate

    Use network and put the alias in the network field.
