Netgate Discussion Forum

    Multi WAN - Multiple Public Subnets

    Routing and Multi WAN
    9 Posts 2 Posters 1.0k Views
    • namstor

      I have two WAN connections each with routed public subnets going into one pfSense router.  For example:

      WAN1 is 12.1.1.2/27 with Gateway 12.1.1.1 (This is configured as the default gateway)

      WAN2 is 67.1.1.2/28 with Gateway 67.1.1.1

      LAN is 10.1.1.1/28 connected to another router at 10.1.1.2.  Both of the following subnets are statically routed to the other router at 10.1.1.2.

      From WAN1 provider I have subnet 70.1.0.0/22 routed to 12.1.1.2

      From WAN2 provider I have subnet 67.1.2.0/24 routed to 67.1.1.2

      I have a DMZ addressed 70.1.0.0/23 and can reach the internet from it and can reach it from the internet

      I have a second DMZ addressed 67.1.2.0/24 and a rule on the LAN interface of the pfSense router that if source address is 67.1.2.0/24 to use WAN2 Gateway.

      I can reach the internet from the second DMZ without issue, but I cannot reach the second DMZ from the internet.  I can see the inbound traffic making it to the router connected to the pfSense LAN interface, but I'm guessing that the return traffic is being sent to the default gateway on WAN1 instead of the WAN2 gateway.

      Also, I cannot ping the WAN2 IP address of the pfSense router from the internet (appears again that the response is going to the WAN1 gateway.)

      Is there a way to make any established connections that originate from WAN2 respond on WAN2, or am I overlooking something?

      Thanks

      • Derelict (LAYER 8, Netgate)

        Draw a real diagram.

        After that, instead of using trouble descriptions like this:

        I can reach the internet from the second DMZ without issue, but I cannot reach the second DMZ from the internet.  I can see the inbound traffic making it to the router connected to the pfSense LAN interface, but I'm guessing that the return traffic is being sent to the default gateway on WAN1 instead of the WAN2 gateway.

        Also, I cannot ping the WAN2 IP address of the pfSense router from the internet (appears again that the response is going to the WAN1 gateway.)

        Use real source and destination addresses so people don't have to guess at what you're talking about.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • namstor

          Attached a real diagram.

          I cannot reach 67.1.1.2 from 107.77.199.54 (internet)

          I can reach 12.1.1.2 from 107.77.199.54

          If I change WAN2 Gateway (67.1.1.1) to be the default gateway, then I can reach 67.1.1.2 but then cannot reach 12.1.1.2

          Hopefully that helps

          [Attachment: real_diagram.png]

          • Derelict (LAYER 8, Netgate)

            Do you have gateways assigned on both WAN interfaces?


            • namstor

              Yes:

              WAN 1 has gateway of 12.1.1.1

              WAN 2 has gateway of 67.1.1.1

              • Derelict (LAYER 8, Netgate)

                Then it should be working. You'll have to post the interface configurations and the firewall rules on the WANs at least.

                When an interface has a gateway on it, it gets both reply-to and route-to applied to direct traffic back out the interface it came in on regardless of the default gateway. If that is not happening something else is configured incorrectly.


                • namstor
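                To make the reply-to/route-to behaviour described above concrete, here is an added pf ruleset fragment. It is not taken from the thread or from pfSense's generated rules: the interface names em0/em1/em2 and the example port 443 are assumptions, while the addresses are the ones the original poster gave. It shows the inbound WAN2 rule as it effectively behaves with "Disable reply-to" set, beside the corrected form that pins replies to the WAN2 gateway, plus the LAN policy-routing rule the poster described.

```pf
# Added example, not the thread's configuration. Interface names are assumed:
#   em0 = WAN1 12.1.1.2/27, gateway 12.1.1.1 (system default route)
#   em1 = WAN2 67.1.1.2/28, gateway 67.1.1.1
#   em2 = LAN  10.1.1.1/28; downstream router 10.1.1.2 holds 67.1.2.0/24
wan1_if = "em0"
wan2_if = "em1"
lan_if  = "em2"
wan1_gw = "12.1.1.1"
wan2_gw = "67.1.1.1"
dmz2    = "67.1.2.0/24"

# Weak form: what the WAN2 rule amounts to once "Disable reply-to" is set.
# State is created, but the reply path is left to the routing table, so the
# SYN/ACK leaves via em0 towards 12.1.1.1 and the handshake never completes
# (the symptom in the first post). Kept commented out so it does not shadow
# the corrected rule below.
# pass in on $wan2_if inet proto tcp from any to $dmz2 port 443 keep state

# Corrected form (pfSense's default for an interface that has a gateway):
# reply-to records em1/67.1.1.1 in the state, so replies go back out WAN2
# regardless of which WAN holds the default route.
pass in on $wan2_if reply-to ($wan2_if $wan2_gw) inet proto tcp \
    from any to $dmz2 port 443 keep state

# Same treatment for ICMP echo to the WAN2 address itself, which the poster
# also could not reach from the internet while reply-to was disabled.
pass in on $wan2_if reply-to ($wan2_if $wan2_gw) inet proto icmp \
    from any to 67.1.1.2 icmp-type echoreq keep state

# Outbound: the LAN rule "source 67.1.2.0/24 -> WAN2 gateway" is route-to,
# so connections originating in the second DMZ leave via em1 instead of the
# default gateway on em0.
pass in on $lan_if route-to ($wan2_if $wan2_gw) inet from $dmz2 to any keep state
```

                On the firewall itself, `pfctl -sr | grep reply-to` shows whether the loaded WAN rules carry the `reply-to (em1 67.1.1.1)` clause; if rules on an interface with a gateway are missing it, the System > Advanced reply-to option is the first thing to check. The static route for 67.1.2.0/24 via 10.1.1.2 that the poster already has is still required, since reply-to only governs the return path of the state, not how the inbound packet is forwarded to the DMZ.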

                  That's what I thought.

                  I'll have to check our policies before posting the configs.

                  Thanks again for your help

                  • namstor

                    You got me on the right track. I found that under System->Advanced the "disable reply-to" setting was selected.  Removing that fixed my issue.

                    Thanks again!

                    • Derelict (LAYER 8, Netgate)

                      Pretty obscure checkbox to have been checked.

                      Glad you found it.


                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.