Netgate Discussion Forum

    1 WAN w/multi internal GWs

    Category: Routing and Multi WAN
    6 Posts, 2 Posters, 651 Views
    • theflu

      I don't know if this should be posted here or in NAT, please move if needed.

      I have 2 static IPs from my ISP, what I would like to do is have 2 internal gateways on my LAN, say 10.1.0.1 and 10.1.0.2. Depending on what GW the clients are set to they would have one or the other static external IPs. I also would like port forwarding to work with this, so I could have port 8080 forwarded on both external IPs but they would go to different internal IPs.

      WAN_IP_1 <--> LAN_GW_1 (10.1.0.1) <--> Clients
      WAN_IP_2 <--> LAN_GW_2 (10.1.0.2) <--> Clients

      I created a virtual IP alias for the 2nd external on the WAN interface. Did the same for 10.1.0.2 on the LAN interface and set up 1:1 NAT between the 2. All the traffic is still using the first external IP.

      • Derelict (LAYER 8, Netgate)

        There isn't any way for the firewall to know which address on the LAN interface the inside host used as its gateway address. That information is not included in the packet. It all looks the same to the router.

        You could, however, put certain hosts in certain LAN address ranges and set the outbound NAT address based on the source addresses.

        The port forwarding you can do without doing anything special. Just make two port forwards. One with one WAN address as the Dest address and the desired inside NAT address, then the same with the other.

        I don't see any use case for 1:1 NAT here unless you're only talking about two inside hosts.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • theflu

          First off, thank you.

          I got this to work with the steps below:
          1. Add the 2nd WAN IP as an Alias to the WAN interface
          2. Set outbound NAT to manual
          3. Create an outbound NAT rule to make specific client IPs use the 2nd WAN IP
              Interface: WAN
              Source: 10.1.0.100/32
              Translation>Address: 2nd WAN IP
          4. Reboot pfSense

          Issues I had:
          1. Couldn't specify a specific range. Had to use Bits.
          2. The changes wouldn't take effect until I rebooted the firewall. It was still using the original IP after the rules applied. I even tried clearing all the states and that didn't work.

          • Derelict (LAYER 8, Netgate)

            Yeah you don't have to reboot for that. Not sure what you were seeing.

            You could make a host alias using an address range and use that for the source address, but it is generally better to just do things like that within specific subnets so you can just use a CIDR netmask in one rule.


            • theflu

              I created the host alias for the range I wanted but when I am creating the outbound NAT entry the only options for source are Any, This Firewall or Network.

              • Derelict (LAYER 8, Netgate)

                Use network and put the alias in the network field.


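The procedure theflu settled on (manual outbound NAT with a per-source rule) and Derelict's follow-up about putting an address-range alias in the Network field both come down to how pf picks a translation rule: the table is evaluated top to bottom and the first match wins, and every match is on a CIDR network, so a range alias is internally expanded into the CIDR blocks that cover it. The script below is an added example written for this thread, not pfSense code. It models that behaviour with Python's ipaddress module; the WAN addresses (203.0.113.x), the inside hosts and the 10.1.0.100-10.1.0.110 range are constructed placeholders, and the rule-table layout is a simplification of the real pf rule set.

```python
from ipaddress import ip_address, ip_network, summarize_address_range

# Constructed placeholder WAN addresses (RFC 5737 documentation range); they
# stand in for the poster's two static IPs. WAN_IP_2 plays the role of the
# IP alias added to the WAN interface in step 1 of the procedure above.
WAN_IP_1 = "203.0.113.1"
WAN_IP_2 = "203.0.113.2"


def range_to_networks(first, last):
    """Expand a host-alias range such as 10.1.0.100-10.1.0.110 into the CIDR
    networks pf actually matches on. A range is not a single subnet, which is
    why the outbound NAT form only offers 'Network' and the alias must hold
    the range (a contiguous subnet would need just one rule, as Derelict says)."""
    return list(summarize_address_range(ip_address(first), ip_address(last)))


# Manual outbound NAT table (steps 2 and 3). Each entry is
# (interface, list of source networks, translation address). pf applies the
# FIRST matching translation rule, so the specific rule must sit above the
# catch-all rule for the whole LAN.
OUTBOUND_NAT = [
    ("WAN", range_to_networks("10.1.0.100", "10.1.0.110"), WAN_IP_2),
    ("WAN", [ip_network("10.1.0.0/24")], WAN_IP_1),
]


def outbound_nat_address(src_ip, table=OUTBOUND_NAT, iface="WAN"):
    """Return the WAN address a packet from src_ip leaves with, or None when
    no rule on that interface matches (manual mode: no rule, no translation)."""
    src = ip_address(src_ip)
    for rule_iface, networks, translation in table:
        if rule_iface == iface and any(src in net for net in networks):
            return translation
    return None


# Port forwards: one rule per WAN address, as Derelict describes. Both listen
# on 8080 but hand the connection to different inside hosts (constructed IPs).
PORT_FORWARDS = {
    (WAN_IP_1, 8080): ("10.1.0.10", 8080),
    (WAN_IP_2, 8080): ("10.1.0.20", 8080),
}


def port_forward_target(dst_ip, dst_port, forwards=PORT_FORWARDS):
    """Return (inside_ip, inside_port) for an inbound connection, or None."""
    return forwards.get((str(ip_address(dst_ip)), dst_port))


if __name__ == "__main__":
    print("range expands to:", [str(n) for n in range_to_networks("10.1.0.100", "10.1.0.110")])
    for host in ("10.1.0.50", "10.1.0.100", "10.1.0.110", "10.1.0.111"):
        print(host, "leaves as", outbound_nat_address(host))
    # Same rules with the catch-all on top: the specific rule is never reached
    # and every LAN host leaves on WAN_IP_1.
    print("misordered table:", outbound_nat_address("10.1.0.100", list(reversed(OUTBOUND_NAT))))
    print("inbound to WAN_IP_2:8080 goes to", port_forward_target(WAN_IP_2, 8080))
```

Running it shows the range splitting into four CIDR blocks (/30, /30, /31, /32), which is what "had to use Bits" amounts to when the range is not subnet-aligned, and the reversed-table call shows that a catch-all rule placed above the specific one sends everything out the first WAN IP, which is worth checking in the outbound NAT rule order before reaching for a reboot.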