Multi wan and right interface to use

  • Hello,

    I have a previous setup of pfSense with only one WAN (in CARP), so I have:

    pfs1 wan ip:
    pfs2 wan ip:
    pfs wan vip:

    I have a main VLAN: and the addresses on pfSense are:

    pfs1 lan ip:
    pfs2 lan ip:
    pfs lan vip:

    In the network, below the two firewalls, there are two main switches with L3 routing configured and in HSRP:

    swi1 ip:
    swi2 ip:
    swi vip:

    There is a route like this:

    Now I have a second VLAN that I need to route on a second WAN; as for the first, there is an HSRP configuration on the switch:

    swi1 vlan7:
    swi2 vlan7:
    swi vip:

    To satisfy my need, I created a second WAN on pfSense, like the first, in CARP configuration:

    pfs1 wan2 ip:
    pfs2 wan2 ip:
    pfs wan2 vip:

    To use the second WAN and have VLAN 7 route all its traffic through it, I created on pfSense:

    • a gateway for wan 2:
    • a static route for vlan 7: via
    • a rule, on Pfsense lan interface, to pass packets to
    • a rule, on Pfsense wan2 interface, to pass packets to
    • a rule on NAT outbound, and used wan interface, source and NAT address

    If I use this configuration and then do a traceroute, I correctly see the packets pass through swi1 and pfs1 and then flow on the path.
    If I choose wan2 on NAT outbound, it doesn't work.

    Could you help me to understand this behavior? Where is my mistake in configuration?


  • LAYER 8 Netgate

    Outbound NAT does not route traffic. It only determines what NAT happens when matching traffic flows out an interface.

    You will probably want to look at Policy-Based Routing. You likely need rules on LAN that set a gateway to the WAN2_GW for traffic sourced from
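
    To make the difference concrete, here is an added illustration in pf rule syntax (pfSense generates rules like these from the GUI; this fragment is not from the thread or from Netgate). The interface names, the WAN2 gateway address and the VLAN 7 subnet are constructed placeholders, since the post does not give them.

    ```pf
    # Added illustration, not part of the original thread.
    # Interface names and addresses below are constructed placeholders.
    wan2      = "igb1"            # assumed WAN2 interface
    lan       = "igb2"            # assumed LAN interface
    wan2_gw   = "203.0.113.1"     # constructed WAN2 gateway (the "WAN2_GW" of the answer)
    vlan7_net = "192.0.2.0/24"    # constructed VLAN 7 subnet ("traffic sourced from ...")

    # Outbound NAT: only rewrites the source address of traffic that is ALREADY
    # leaving through wan2. It never selects wan2 as the exit interface, so on
    # its own it cannot move VLAN 7 traffic off the default WAN.
    nat on $wan2 from $vlan7_net to any -> ($wan2)

    # Policy-based routing: the LAN rule with a gateway set. route-to hands
    # matching packets to wan2_gw out wan2 regardless of the routing table,
    # which is what actually steers VLAN 7 onto the second WAN.
    pass in quick on $lan route-to ($wan2 $wan2_gw) inet from $vlan7_net to any keep state
    ```

    One caveat worth checking once the rule is in place: a `route-to` rule matches every destination, including other local networks behind the firewall, so a pass rule without a gateway for local destinations should sit above it, otherwise VLAN 7 traffic to the main VLAN is also pushed out WAN2.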

  • Hello,

    thanks for filling in my great ignorance; with your help I resolved the issue.
    Now I have this in the rule for LAN interface:


    and on the outbound NAT I set the correct interface:


    But now, please, can you explain something about that?
    The first thing is how I can go out via the path even if I am on the WAN interface; or better, when I do a traceroute I see that I correctly go out through the "desired" path and not the default one.
    The second question is about the starting path, i.e.: with the configuration that I had done initially I saw that the flow is:

    • (swi1)
    • (pfs1)
    • network desired hop

    while now with the correct gateway setup on lan->net 7 rule I see only

    • (swi1 address hsrp for net 7)
    • network desired hop

    so it seems that pfSense is not engaged.

