Outbound NAT problem on Multi WAN setup



  • Hi,
about our setup: HA cluster with pfSense 2.4.3 and 2 WAN interfaces, one main line and one failover line. For the main WAN interface we have an IP subnet of 8 addresses; for the failover WAN we have now received one fixed IP. The setup works fine, but now we have one problem: the mail server in the DMZ has an outbound NAT rule for one of the IP addresses of the main line, which means the mail server goes down with the main line. We've changed the external DNS entries so the server can be reached on both WAN interfaces, and now the last thing we're struggling with is how to disable the outbound NAT rule when the main WAN goes down so the server uses the failover path. Or must the setup be changed to 1:1 NATing on both WAN interfaces?
    Best regards,
    Mike


  • Rebel Alliance Developer Netgate

Outbound NAT doesn't control how traffic exits the firewall; it only controls what happens as the packets leave. It's not 100% clear based on the description, but it sounds more like you need to (a) make sure you have outbound NAT set up for the mail server on both WANs to map to its correct address, and (b) have a policy routing rule in place on the DMZ using a failover gateway group so that when WAN is down, the mail server traffic exits WAN.

    Inbound mail server traffic should work from both WANs at all times, assuming your WAN, DNS, and NAT setup is correct.



@jimp Sorry for being so unclear in my description of the setup. The main WAN has 4 IPs: 1.1.1.1, 1.1.1.2, 1.1.1.3 and 1.1.1.4, while the failover line has only one IP, 2.2.2.1. Inbound NAT is no problem. On the outbound NAT there is this rule:
    [screenshot: outboundnat.jpg]
    What I need is to disable this rule when the main WAN interface goes down so the mailserver can send out mails through the backup WAN with the ip 2.2.2.1.

    Best regards,

    Mike


  • Rebel Alliance Developer Netgate

    You do not need to disable any outbound NAT. If the traffic from the mail server leaves WAN2 (or whatever your failover WAN is called), it will not hit NAT rules on WAN, only NAT rules on WAN2.
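Both replies from jimp rest on one ordering: policy routing (a failover gateway group on the DMZ rule) picks the egress interface first, and outbound NAT is then matched only against rules bound to that interface. The Python script below is an added illustration, not pfSense code and not posted by anyone in this thread; it is a simplified model of that evaluation order using the thread's public addresses 1.1.1.2 and 2.2.2.1, a constructed DMZ address 10.0.1.25 for the mail server, and assumed interface and gateway names (WAN, WAN2, WAN_GW, WAN2_GW).

```python
"""
Simplified model of how pfSense orders policy routing and outbound NAT.
Added example, not pfSense code. The DMZ address 10.0.1.25 and the
interface/gateway names are constructed; 1.1.1.2 and 2.2.2.1 come from
the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed private address of the mail server in the DMZ.
MAIL_SERVER = "10.0.1.25"


@dataclass(frozen=True)
class OutboundNatRule:
    interface: str     # interface the rule is bound to ("WAN", "WAN2")
    source: str        # host or CIDR the rule matches
    translate_to: str  # address the packet carries when it leaves that interface


@dataclass
class FailoverGroup:
    """Gateway group: (gateway, interface) pairs in tier order.
    In pfSense the up/down state comes from gateway monitoring (dpinger)."""
    members: List[Tuple[str, str]]
    gateway_up: Dict[str, bool]

    def egress_interface(self) -> Optional[str]:
        """First member whose gateway is up; None if every member is down."""
        for gateway, iface in self.members:
            if self.gateway_up.get(gateway, False):
                return iface
        return None


def outbound_nat(egress: str, src: str, rules: List[OutboundNatRule]) -> str:
    """First-match outbound NAT, consulted only for rules on the egress interface."""
    src_ip = ipaddress.ip_address(src)
    for rule in rules:
        if rule.interface != egress:
            continue  # a rule bound to another WAN is never evaluated
        if src_ip in ipaddress.ip_network(rule.source, strict=False):
            return rule.translate_to
    return src  # no rule matched: the source address leaves untranslated


def send_mail_packet(src: str, group: FailoverGroup,
                     rules: List[OutboundNatRule]) -> Tuple[str, str]:
    """Return (egress interface, source address on the wire) for one packet."""
    egress = group.egress_interface()
    if egress is None:
        raise RuntimeError("no gateway in the group is up; packet dropped")
    return egress, outbound_nat(egress, src, rules)


# Mike's current ruleset: only the main WAN has a rule for the mail server.
WAN_ONLY_RULES = [OutboundNatRule("WAN", MAIL_SERVER, "1.1.1.2")]
# jimp's point (a): a matching rule on the failover WAN as well.
BOTH_WAN_RULES = WAN_ONLY_RULES + [OutboundNatRule("WAN2", MAIL_SERVER, "2.2.2.1")]


def scenario(wan_up: bool, rules: List[OutboundNatRule]) -> Tuple[str, str]:
    """Mail server sends one packet through a WAN -> WAN2 failover group."""
    group = FailoverGroup(
        members=[("WAN_GW", "WAN"), ("WAN2_GW", "WAN2")],
        gateway_up={"WAN_GW": wan_up, "WAN2_GW": True},
    )
    return send_mail_packet(MAIL_SERVER, group, rules)


if __name__ == "__main__":
    print(scenario(True, WAN_ONLY_RULES))   # ('WAN', '1.1.1.2')
    print(scenario(False, WAN_ONLY_RULES))  # ('WAN2', '10.0.1.25') untranslated
    print(scenario(False, BOTH_WAN_RULES))  # ('WAN2', '2.2.2.1')
```

The second scenario is the one worth noticing: with the main WAN down the packet already leaves via WAN2 without anyone disabling the WAN rule, but with no WAN2 rule it leaves with its private DMZ source, which the upstream provider will discard. In pfSense's automatic outbound NAT mode a rule like the WAN2 one is generated for every WAN; in manual or hybrid mode it has to be added by hand, which is the "outbound NAT on both WANs" part of jimp's answer.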