Multi WAN - Multiple Public Subnets
-
I have two WAN connections each with routed public subnets going into one pfSense router. For example:
WAN1 is 12.1.1.2/27 with Gateway 12.1.1.1 (This is configured as the default gateway)
WAN2 is 67.1.1.2/28 with Gateway 67.1.1.1
LAN is 10.1.1.1/28 connected to another router at 10.1.1.2. Both of the following subnets are static routed to other router at 10.1.1.2.
From WAN1 provider I have subnet 70.1.0.0/22 routed to 12.1.1.2
From WAN2 provider I have subnet 67.1.2.0/24 routed to 67.1.1.2
I have a DMZ addressed 70.1.0.0/23 and can reach the internet from it and can reach it from the internet
I have a second DMZ addressed 67.1.2.0/24 and a rule on the LAN interface of the pfSense router that if source address is 67.1.2.0/24 to use WAN2 Gateway.
I can reach the internet from the second DMZ without issue, but I cannot reach the second DMZ from the internet. I can see the inbound traffic making it to the router connected to the pfSense LAN interface, but I'm guessing that the return traffic is being sent to the default gateway on WAN1 instead of the WAN2 gateway.
Also, I cannot ping the WAN2 IP address of the pfSense router from the internet (appears again that the response is going to the WAN1 gateway.)
Is there a way to make any established connections that originate from WAN2 respond on WAN2? or am I overlooking something?
Thanks
-
Draw a real diagram.
After that, instead of using trouble descriptions like this:
I can reach the internet from the second DMZ without issue, but I cannot reach the second DMZ from the internet. I can see the inbound traffic making it to the router connected to the pfSense LAN interface, but I'm guessing that the return traffic is being sent to the default gateway on WAN1 instead of the WAN2 gateway.
Also, I cannot ping the WAN2 IP address of the pfSense router from the internet (appears again that the response is going to the WAN1 gateway.)
Use real source and destination addresses so people don't have to guess at what you're talking about.
-
Attached a real diagram.
I cannot reach 67.1.1.2 from 107.77.199.54 (internet)
I can reach 12.1.1.2 from 107.77.199.54
If I change WAN2 Gateway (67.1.1.1) to be the default gateway, then I can reach 67.1.1.2 but then cannot reach 12.1.1.2
Hopefully that helps
-
Do you have gateways assigned on both WAN interfaces?
-
Yes:
WAN 1 has gateway of 12.1.1.1
WAN 2 has gateway of 67.1.1.1
-
Then it should be working. You'll have to post the interface configurations and the firewall rules on the WANs at least.
When an interface has a gateway on it, it gets both reply-to and route-to applied to direct traffic back out the interface it came in on regardless of the default gateway. If that is not happening something else is configured incorrectly.
-
That's what I thought.
I'll have to check our policies before posting the configs.
Thanks again for your help
-
You got me on the right track.. found under System->Advanced the disable reply-to setting was selected. Removing that fixed my issue.
Thanks again!
-
Pretty obscure checkbox to have been checked.
Glad you found it.
