Post-routing DNAT -- Is it possible on pfSense?



  • I have a pair of cable modems connected to WAN interfaces on pfSense. Because they both use the same management IP for their status pages, I cannot reach them both from any of my LAN hosts. 192.168.100.1/24 is a directly connected net to WAN2, but if I force WAN2 down, 192.168.100.1 is reachable on the first WAN interface via the default route.

    It seems to me the only way to make them both reachable would be to destination NAT at least one or both to alternate IP addresses (say 192.168.101.1 and 192.168.101.2) with a static route to force it out the correct interface, so outgoing connections from LAN to WAN or WAN2 would be rewritten post-routing to 192.168.100.1 for the destination "host".

    I attempted to do this, but it seemed rather unreliable when I used a port forward in "reverse" (forward from LAN to WAN2) to make it work. When it did appear to work, it appeared that pfSense would NAT before routing so that the IP was rewritten back to 192.168.100.1 and routing would always send 192.168.100.1 out WAN2 no matter which IP I used because of the directly connected route. The other NAT options (1:1 and Outbound) don't seem to support DNAT at all.

    Now, in iptables, there is a POSTROUTING chain that could be used with a DNAT option to accomplish this. Is there a similar way to do this with pfSense?
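As an added example that is not part of the original post and not an answer from the thread, the idea above expressed in raw pf syntax (the rule language pfSense generates underneath its GUI). pf has no post-routing DNAT hook; instead `rdr` rewrites the destination on the inbound interface before filtering, and `route-to` on the pass rule picks the egress interface without consulting the routing table, which is what avoids the directly connected route problem described above. Interface names, the LAN subnet and the WAN1 gateway address are assumptions.

```pf
# Added example, not from the post. Assumed names: em0 = LAN, em1 = WAN,
# em2 = WAN2, 192.168.1.0/24 = LAN subnet, 203.0.113.1 = WAN1 gateway
# (documentation address standing in for the real one).
lan_if  = "em0"
wan_if  = "em1"
wan2_if = "em2"
lan_net = "192.168.1.0/24"
wan_gw  = "203.0.113.1"

# Alias addresses LAN hosts browse to (from the post) and the real modem address.
modem1_alias = "192.168.101.1"
modem2_alias = "192.168.101.2"
modem_real   = "192.168.100.1"

# Translation section (pf requires nat/rdr rules before filter rules).
# rdr runs on the inbound interface before filtering, so both aliases
# become 192.168.100.1 here; the tag survives the rewrite and lets the
# filter rules tell the two flows apart afterwards.
rdr on $lan_if proto tcp from $lan_net to $modem1_alias tag TO_MODEM1 -> $modem_real
rdr on $lan_if proto tcp from $lan_net to $modem2_alias tag TO_MODEM2 -> $modem_real

# Source translation on each WAN so the modem replies to an address on a
# network it knows; pfSense's automatic outbound NAT normally does this
# for WAN-type interfaces, shown here explicitly.
nat on $wan_if  from $lan_net to $modem_real -> ($wan_if)
nat on $wan2_if from $lan_net to $modem_real -> ($wan2_if)

# Filter section. route-to overrides the routing table (including the
# connected 192.168.100.0/24 route on WAN2), so the tag rather than the
# destination address decides which WAN the packet leaves on. For WAN1 the
# next hop is the upstream gateway, the same path the default route uses
# in the post; for WAN2 the modem itself is the directly connected next hop.
pass in quick on $lan_if route-to ($wan_if $wan_gw) \
    proto tcp from $lan_net to $modem_real tagged TO_MODEM1 keep state
pass in quick on $lan_if route-to ($wan2_if $modem_real) \
    proto tcp from $lan_net to $modem_real tagged TO_MODEM2 keep state
```

In the pfSense GUI the equivalent is a port forward on LAN for each alias address plus a firewall rule with the matching WAN gateway selected; a reverse port forward with no gateway set on its rule is left to the routing table, which is the behaviour the post describes.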
