Netgate Discussion Forum

    Multi wan and right interface to use

    Routing and Multi WAN
    3 Posts 2 Posters 570 Views
    • mmangiante

      Hello,

      I have a previous setup of pfSense with only one WAN (in CARP), so I have:

      pfs1 wan ip: 93.145.101.15
      pfs2 wan ip: 93.145.101.16
      pfs wan vip: 93.145.101.14

      I have a main VLAN, 192.168.0.0/24, and the addresses on pfSense are:

      pfs1 lan ip: 192.168.0.31
      pfs2 lan ip: 192.168.0.32
      pfs lan vip: 192.168.0.30

      In the network, below the 2 firewalls, there are 2 main switches with L3 routing configured and in HSRP:

      swi1 ip: 192.168.0.3
      swi2 ip: 192.168.0.2
      swi vip: 192.168.0.1

      There is a route like this: 0.0.0.0 0.0.0.0 192.168.0.30

      Now I have a second VLAN that I need to route over a second WAN; as for the first, there is an HSRP configuration on the switch:

      swi1 vlan7: 192.168.7.7
      swi2 vlan7: 192.168.7.8
      swi vip: 192.168.7.254

      To satisfy this need, I created a second WAN on pfSense, in CARP configuration like the first:

      pfs1 wan2 ip: 88.45.191.138
      pfs2 wan2 ip: 88.45.191.139
      pfs wan2 vip: 88.45.191.140

      To work with the second WAN and have VLAN 7 route all its traffic over it, I created on pfSense:

      • a gateway for WAN2: 88.45.191.129
      • a static route for VLAN 7: 192.168.7.0/24 via 192.168.0.1
      • a rule, on the pfSense LAN interface, to pass packets to 192.168.7.0/24
      • a rule, on the pfSense WAN2 interface, to pass packets to 192.168.7.0/24
      • an outbound NAT rule, using the WAN interface, with source 192.168.7.0/24 and NAT address 88.45.191.140

      If I use this configuration and then do a traceroute, I correctly see the packets pass through swi1 and pfs1 and then flow out on the 88.45.191.129 path.
      If I choose WAN2 in the outbound NAT rule, it doesn't work.

      Could you help me understand this behavior? Where is my mistake in the configuration?

      Thanks.

      • Derelict (Netgate)

        Outbound NAT does not route traffic. It only determines what NAT happens when matching traffic flows out an interface.

        You will probably want to look at Policy-Based Routing. You likely need rules on LAN that set a gateway to the WAN2_GW for traffic sourced from 192.168.7.0/24.

        https://www.netgate.com/docs/pfsense/book/multiwan/index.html

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

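The reply above makes two points: outbound NAT does not route, and a LAN rule with a gateway set (policy-based routing) is what sends VLAN 7 out WAN2. The Python model below is an added illustration of that order of operations; it is not code from the thread or from pfSense. It walks one flow through a pf-style pipeline (first matching pass rule with an optional gateway, then the routing table, then outbound NAT bound to the egress interface) using the thread's addresses. The WAN gateway 93.145.101.1, the client 192.168.7.50, the destination 8.8.8.8 and the interface names are assumed values; the WAN2 gateway 88.45.191.129, the VIPs and the 192.168.7.0/24 network come from the posts.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Gateway:
    name: str
    interface: str        # interface this gateway is reached through
    address: IPv4Address


@dataclass(frozen=True)
class PassRule:
    """A pass rule on an ingress interface; gateway=None means 'use the routing table'."""
    interface: str
    source: IPv4Network
    gateway: Optional[Gateway] = None


@dataclass(frozen=True)
class OutboundNat:
    interface: str        # the egress interface this NAT rule is bound to
    source: IPv4Network
    nat_address: IPv4Address


@dataclass(frozen=True)
class Decision:
    egress_interface: str
    next_hop: IPv4Address
    nat_source: Optional[IPv4Address]   # None: the packet left with its original source


def route_lookup(routes, dst):
    """Longest-prefix match over (network, gateway) pairs; 0.0.0.0/0 is the default route."""
    best = None
    for net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def forward(rules, routes, nat_rules, ingress, src, dst):
    """Return where one flow leaves and with which source address, in pf's order of operations."""
    src, dst = ip_address(src), ip_address(dst)
    # 1. First matching pass rule on the ingress interface wins (pfSense rules are 'quick').
    for rule in rules:
        if rule.interface == ingress and src in rule.source:
            gw = rule.gateway
            break
    else:
        raise PermissionError(f"{src} -> {dst} blocked on {ingress}: no matching pass rule")
    # 2. The rule's gateway (policy route) decides the egress; only without one does the table.
    if gw is None:
        gw = route_lookup(routes, dst)
    # 3. Outbound NAT is consulted only for rules bound to the interface we are already leaving on.
    nat = None
    for n in nat_rules:
        if n.interface == gw.interface and src in n.source:
            nat = n.nat_address
            break
    return Decision(gw.interface, gw.address, nat)


# Topology from the thread. WAN_GW's address is an assumed value (the post never gives it).
WAN_GW = Gateway("WAN_GW", "wan", ip_address("93.145.101.1"))      # assumed
WAN2_GW = Gateway("WAN2_GW", "wan2", ip_address("88.45.191.129"))  # from the post
ROUTES = [(ip_network("0.0.0.0/0"), WAN_GW)]                      # default route: first WAN
VLAN7 = ip_network("192.168.7.0/24")
ANY4 = ip_network("0.0.0.0/0")
NAT_WAN2 = [
    OutboundNat("wan", ANY4, ip_address("93.145.101.14")),    # ordinary WAN NAT to the CARP VIP
    OutboundNat("wan2", VLAN7, ip_address("88.45.191.140")),  # VLAN 7 NAT, bound to WAN2
]


def nat_on_wan2_without_pbr():
    """LAN rule without a gateway: VLAN 7 follows the default route; the WAN2 NAT rule never matches."""
    return forward([PassRule("lan", VLAN7)], ROUTES, NAT_WAN2, "lan", "192.168.7.50", "8.8.8.8")


def pbr_to_wan2():
    """Same flow, LAN rule with gateway WAN2_GW: egress WAN2, and the WAN2 NAT rule now applies."""
    return forward([PassRule("lan", VLAN7, WAN2_GW)], ROUTES, NAT_WAN2, "lan", "192.168.7.50", "8.8.8.8")


def vlan7_nat_on_wan():
    """The poster's first attempt, modelled: VLAN 7 NAT bound to WAN. The flow still leaves on WAN,
    but with a source address (88.45.191.140) that does not belong to the WAN subnet."""
    nat = [OutboundNat("wan", VLAN7, ip_address("88.45.191.140"))] + NAT_WAN2
    return forward([PassRule("lan", VLAN7)], ROUTES, nat, "lan", "192.168.7.50", "8.8.8.8")


if __name__ == "__main__":
    for fn in (nat_on_wan2_without_pbr, pbr_to_wan2, vlan7_nat_on_wan):
        print(f"{fn.__name__:26s} -> {fn()}")
```

The model leaves out state tracking and the reply-to that pfSense adds to rules on WAN-type interfaces, which is what returns the answer traffic out the interface it arrived on. The third scenario is the caveat worth keeping in mind when a NAT rule is put on the wrong interface: packets leave one provider with a source address from the other provider's block, which is exactly the traffic that upstream anti-spoofing (ingress) filters are built to drop, so whether it "works" depends on the ISP rather than on the firewall.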
        • mmangiante

          Hello,

          thanks for filling in my great ignorance; with your help I resolved the issue.
          Now I have this in the rule for the LAN interface:

          [screenshot: pfsense_rule_1.png]

          and on the outbound NAT I set the correct interface:

          [screenshot: pfsense_rule_2.png]

          But now can you please explain something about that?
          The first thing is how I can go out via the 88.45.191.140 path even though I am on the WAN interface; or rather, when I do a traceroute I see that I correctly go out through the "desired" path and not the default one.
          The second question is about the starting path, i.e. with the configuration I made initially, I saw that the flow was:

          • 192.168.0.3 (swi1)
          • 192.168.0.31 (pfs1)
          • network desired hop

          while now, with the correct gateway set on the LAN -> net 7 rule, I see only

          • 192.168.7.7 (swi1 HSRP address for net 7)
          • network desired hop

          so it seems that pfSense is not engaged.

          Thanks.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.