Failover 1:1 NAT



  • I have a PFsense 2.4.2 VM connected to 2 VDSL lines using PPoE modems and /29 IP ranges.
    WAN 1 X.X.88.0-7 with 1-6 usable. The router is .1.
    WAN 2 Y.Y.71.144- 151 with 145-150 usable. The router is .145.

    Inside the firewall, I have an email server. Inbound connections and general traffic come in through WAN 1 which has an unlimited data allowance. SMTP uses WAN 2 which is a more expensive service which has a data limit.

    I have a 1:1 NAT for Y.Y.71.146 which is there to ensure SMTP traffic uses that IP which has reverse lookup.

    This all works fine until the WAN2 loses connection which does not often happen, however, when it does PFsense starts sending the outbound SMTP out of the WAN 1, X.X.88.1 address. This address does not have an appropriate reverse lookup which caused lots of bounced emails.
    Effectively if WAN 2 fails, PFsense ignores the 1:1 NAT and sends the traffic out of the first address on WAN 1.

    What I want to achieve is if WAN 2 fails the emails rather than going out of X.X.88.1 go out of X.X.88.4 which does have reverse lookup. Failing that I would rather SMTP did not go out at all until WAN 2 is fixed or I manually changed the 1:1 NAT to use X.X.88.4.

    The ISP for WAN 1 won't allow me to add reverse lookup on the X.X.88.1 address without the forward lookup in place and that means some downtime. The reason I have to use the WAN2 circuit is a major institution won't accept email from the WAN 1 range of IP addresses, and because they are huge, they are inflexible at resolving that issue. It is not on any blacklist.



  • @lazyterrier said in Failover 1:1 NAT:

    What I want to achieve is if WAN 2 fails the emails rather than going out of X.X.88.1 go out of X.X.88.4 which does have reverse lookup.

    Just set up an outbound NAT rule on WAN1 and X.X.88.4 as translation address.

    If you want to prevent the SMTP server to go out to WAN1 if WAN2 is down, add a policy routing rule for the outbound and state the WAN2 gateway.



  • @viragomann Thanks for the reply. Would having an outbound NAT rule for smtp not conflict with the existing 1:1 NAT rule. Normally the outbound traffic from the email server uses this 1:1 rule and goes out of WAN 2, if I add a outbound NAT rule surely all smtp traffic would use it and go out of WAN 1.



  • Yor 1:1 NAT rule is applied to WAN2, the suggested outbound NAT rule to WAN1. As long as the rules are applied to different interfaces there will be no conflicts.

    The NAT rules do not direct traffic to an interface.
    How do you direct the SMTP outbound traffic to WAN2? Is it just the default gateway?


  • LAYER 8 Netgate

    @lazyterrier said in Failover 1:1 NAT:

    What I want to achieve is if WAN 2 fails the emails rather than going out of X.X.88.1 go out of X.X.88.4 which does have reverse lookup.

    Just set up an outbound NAT rule on WAN1 and X.X.88.4 as translation address.

    If you want to prevent the SMTP server to go out to WAN1 if WAN2 is down, add a policy routing rule for the outbound and state the WAN2 gateway.

    That is not necessarily true. The default behavior is to remove the gateway from the rule and reapply, which will result in the traffic going out WAN1 (presuming WAN1 is the default gateway). You can set the skip rules on gateway failure checkbox but that applies to every policy routing rule everywhere. And you still have to explicitly block the traffic in question in a later rule or it will probably be matched by a pass any rule further down.

    I would make a gateway group specifically for SMTP with WAN2 then WAN1.

    I would set outbound NAT (or 1:1) on both WAN interfaces for the SMTP source address to something on each WAN that has the DNS records you need.

    Else I would policy route out WAN2 and, on that policy routing rule, set a tag to something like "NO_WAN1_EGRESS" and reject traffic with that tag outbound on WAN1.


Log in to reply