Multi-WAN, Multi-LAN, no failover, cross communication issues over WAN



  • So currently my pfsense box is set up with two WANs and two LANs (WAN1 -> LAN1, WAN2 -> LAN2)

    Both WANs and LANs work to the point where I am able to connect to the internet, and both are separate so one LAN cannot communicate with the other. LAN1 is meant as my private, closed network, and LAN2 is meant for hosting a development server.

    My current issue is as follows:

    While connected to LAN1, I am not able to communicate with the server on LAN2 through the WAN2 address, despite correct port forwarding, and the server being accessible to any other external connection not through pfsense on LAN1. I have tested the following and it works:

    • Connect directly to WAN1 outside of pfsense, I can now communicate with the server through the WAN2 address.
    • Connect the server directly to WAN2 outside of pfsense, I can now communicate with the server through LAN1 on the WAN2 address.

    I have gone through the NAT and firewall rules multiple times, and I cannot see anything obviously wrong, as connecting to the server works perfectly fine from any other external connection.

    The strangest part about this is that when I check the firewall logs from an external connection, I can see the communication hitting the firewall and being passed through. However, it does NOT show any traffic from my WAN1 IP address hitting the WAN2 interface as long as the traffic is routed through pfsense. If I connect directly to WAN1 outside of pfsense, however, it works perfectly fine.

    Before it is mentioned, I cannot open communication between LAN1 and LAN2 and connect to the server this way using the server's LAN IP, as our application connects to the server through a separate connection broker on a different remote server, and hands my software client the WAN2 address to connect to the server.


  • Netgate

    When you are using NAT reflection to access an inside server from an inside host connecting to the server's outside address, you must pass traffic to the server's inside address.

    This is no different than passing the inside address on WAN for a port forward. First NAT happens then the firewall rules are checked.

    So if the LAN1 rules block all traffic to LAN2, the server - post NAT - will also be blocked.

    Pass the necessary traffic to the LAN2 server using LAN1 rules then block anything else to LAN2.
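    The order the reply describes (NAT first, then the firewall rules are evaluated on the ingress interface against the post-NAT destination) is what makes a "block LAN1 to LAN2" rule swallow reflected traffic. The following is an added example written for this thread, not Netgate code and not pfSense's actual rule engine: a small Python model of that two-stage evaluation. All addresses, interface names and the 8443 port are constructed sample values; it ignores state tracking and the extra source NAT pfSense applies in "pure NAT" reflection mode.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed sample addressing (documentation ranges, not the poster's real values):
#   WAN1 198.51.100.10 -> LAN1 10.1.0.0/24   (private network)
#   WAN2 203.0.113.20  -> LAN2 10.2.0.0/24   (dev server 10.2.0.10, port 8443)
WAN_ADDRS = {"198.51.100.10": "WAN1", "203.0.113.20": "WAN2"}


@dataclass(frozen=True)
class Packet:
    in_if: str      # interface the packet arrives on (LAN1, LAN2, WAN1, WAN2)
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class PortForward:
    wan_if: str
    wan_addr: str
    dport: int
    target: str
    target_port: int
    nat_reflection: bool = False   # the per-forward setting the thread ends on


@dataclass(frozen=True)
class FilterRule:
    iface: str                    # rules are evaluated on the ingress interface
    action: str                   # "pass" or "block"
    dst_net: str                  # CIDR the (post-NAT) destination must fall in
    dport: Optional[int] = None   # None = any port


def apply_nat(pkt: Packet, forwards: List[PortForward]) -> Tuple[Packet, Optional[PortForward]]:
    """Stage 1: NAT. A forward always applies to traffic arriving on its WAN
    interface; for traffic arriving on an inside interface it applies only when
    NAT reflection is enabled. Returns the rewritten packet and the forward used."""
    for fwd in forwards:
        if pkt.dst == fwd.wan_addr and pkt.dport == fwd.dport:
            if pkt.in_if == fwd.wan_if or fwd.nat_reflection:
                return replace(pkt, dst=fwd.target, dport=fwd.target_port), fwd
    return pkt, None


def apply_filter(pkt: Packet, rules: List[FilterRule]) -> str:
    """Stage 2: first matching rule on the ingress interface wins; anything
    unmatched hits the implicit default deny."""
    for rule in rules:
        if rule.iface != pkt.in_if:
            continue
        if ip_address(pkt.dst) not in ip_network(rule.dst_net):
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        return rule.action
    return "block"


def evaluate(pkt: Packet, forwards: List[PortForward], rules: List[FilterRule]) -> str:
    """NAT first, then the filter on the post-NAT packet. Inside traffic that is
    still addressed to one of the firewall's own WAN addresses after NAT was not
    reflected: it is routed out of the WAN and never reaches the inside server,
    which matches the 'nothing in the logs' symptom."""
    nat_pkt, fwd = apply_nat(pkt, forwards)
    if fwd is None and pkt.in_if.startswith("LAN") and nat_pkt.dst in WAN_ADDRS:
        return "not-reflected"
    return apply_filter(nat_pkt, rules)


# The forward on WAN2, once with reflection left at default (off), once enabled.
FWD_OFF = PortForward("WAN2", "203.0.113.20", 8443, "10.2.0.10", 8443, nat_reflection=False)
FWD_ON = replace(FWD_OFF, nat_reflection=True)

# LAN1 rule set as first described: block everything to LAN2, then allow the rest.
RULES_BLOCKING = [
    FilterRule("LAN1", "block", "10.2.0.0/24"),
    FilterRule("LAN1", "pass", "0.0.0.0/0"),
]
# Rule set following the reply: pass only the server port, then block the rest of LAN2.
RULES_FIXED = [
    FilterRule("LAN1", "pass", "10.2.0.10/32", dport=8443),
    FilterRule("LAN1", "block", "10.2.0.0/24"),
    FilterRule("LAN1", "pass", "0.0.0.0/0"),
]
# WAN2 side: the port forward's own pass rule, matching the post-NAT destination.
RULES_WAN2 = [FilterRule("WAN2", "pass", "10.2.0.10/32", dport=8443)]

LAN1_CLIENT = Packet("LAN1", "10.1.0.50", "203.0.113.20", 8443)   # inside host using the WAN2 address
EXTERNAL = Packet("WAN2", "192.0.2.77", "203.0.113.20", 8443)     # any outside client


if __name__ == "__main__":
    print("external, WAN2 rules       :", evaluate(EXTERNAL, [FWD_OFF], RULES_WAN2))
    print("LAN1, reflection off       :", evaluate(LAN1_CLIENT, [FWD_OFF], RULES_BLOCKING))
    print("LAN1, reflection on, block :", evaluate(LAN1_CLIENT, [FWD_ON], RULES_BLOCKING))
    print("LAN1, reflection on, fixed :", evaluate(LAN1_CLIENT, [FWD_ON], RULES_FIXED))
```

    Running it reproduces the three states the thread goes through: with reflection off the inside client's packet is never rewritten and leaves via the WAN, so no firewall log entry appears; with reflection on but a blanket block to LAN2, the post-NAT packet to 10.2.0.10 hits the block rule; only the narrow pass rule placed before the block lets it through while keeping the rest of LAN2 closed to LAN1.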



  • Okay, thanks a lot for your answer! I did some more testing, and while I might be further along, I'm not yet there. The changes I have now done:

    While testing, I have set the NAT port forward source address to 'any' for the desired connection on incoming traffic on WAN2.
    I have removed the cross-LAN blocking in firewall rules on LAN1 and LAN2.

    I am now able to connect to the server using the server's LAN2 address, but I am still not able to connect to the server using the WAN2 external address, and no connection is showing up in System Logs.

    For now I have just set up a hosts redirect on my workstation, but this is definitely not the most ideal situation, so any other ideas would be greatly appreciated!


  • Netgate

    Did you enable NAT reflection globally or on the port forward itself?



  • Sorry for the late reply, thank you very much for helping! In the end, it ended up being NAT reflection on the port forward being set to default instead of enabled. For whatever reason I assumed that this was on by default, I'll RTFM next time!

    After enabling that, I can now connect to LAN2 properly through LAN1 using the external WAN2 IP!