Multi-WAN and the right interface to use
I have a previous setup of pfSense with only one WAN (in CARP), so I have:
pfs1 wan ip: 22.214.171.124
pfs2 wan ip: 126.96.36.199
pfs wan vip: 188.8.131.52
I have a main vlan: 192.168.0.0/24 and the address on Pfsense are:
pfs1 lan ip: 192.168.0.31
pfs2 lan ip: 192.168.0.32
pfs lan vip: 192.168.0.30
In the network, below the 2 firewalls, there are 2 main switches with L3 routing configured and in HSRP:
swi1 ip: 192.168.0.3
swi2 ip: 192.168.0.2
swi vip: 192.168.0.1
There is a route like this: 0.0.0.0 0.0.0.0 192.168.0.30
Now I have a second VLAN that I need to route over a second WAN; as for the first, there is an HSRP configuration on the switch:
swi1 vlan7: 192.168.7.7
swi2 vlan7: 192.168.7.8
swi vip: 192.168.7.254
To satisfy this need, I created a second WAN on pfSense, like the first, in CARP configuration:
pfs1 wan2 ip: 184.108.40.206
pfs2 wan2 ip: 220.127.116.11
pfs wan2 vip: 18.104.22.168
To work with the second WAN and have VLAN 7 route all its traffic over it, I created on pfSense:
- a gateway for WAN2: 22.214.171.124
- a static route for VLAN 7: 192.168.7.0/24 via 192.168.0.1
- a rule, on the pfSense LAN interface, to pass packets to 192.168.7.0/24
- a rule, on the pfSense WAN2 interface, to pass packets to 192.168.7.0/24
- a rule on outbound NAT, using the WAN interface, source 192.168.7.0/24 and NAT address 126.96.36.199
If I use this configuration and then do a traceroute, I correctly see the packets pass through swi1 and pfs1 and then flow out on the 188.8.131.52 path.
If I choose WAN2 in the outbound NAT rule it doesn't work.
Could you help me to understand this behavior? Where is my mistake in the configuration?
Outbound NAT does not route traffic. It only determines what NAT happens when matching traffic flows out an interface.
You will probably want to look at Policy-Based Routing. You likely need rules on LAN that set a gateway to the WAN2_GW for traffic sourced from 192.168.7.0/24.
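For reference, this is what the two GUI rules from the answer amount to in pf syntax, as an added example rather than the original post's configuration or pfSense's own generated ruleset: the interface names em1/em2, the macro names and the RFC 5737 addresses are assumed placeholders standing in for the poster's WAN2 VIP and WAN2_GW.

```pf
# Added example: pf.conf equivalent of the pfSense GUI rules under discussion.
# Interface names, macro names and addresses are assumed placeholders.
lan      = "em1"
wan2     = "em2"
wan2_vip = "203.0.113.10"   # CARP VIP on WAN2 (placeholder)
wan2_gw  = "203.0.113.1"    # the WAN2_GW upstream router (placeholder)
vlan7    = "192.168.7.0/24"

# Outbound NAT only rewrites the source address of packets that are
# ALREADY leaving through $wan2. It never chooses which interface they
# leave on, which is why selecting WAN2 here on its own changes nothing.
nat on $wan2 inet from $vlan7 to any -> $wan2_vip

# Keep VLAN 7 -> internal traffic off the policy route: a rule with no
# gateway, placed first, so it follows the routing table (and the
# 192.168.7.0/24 via 192.168.0.1 static route for the return path).
pass in quick on $lan inet from $vlan7 to 192.168.0.0/24 keep state

# Policy-based routing: match VLAN 7 traffic as it enters LAN and hand it
# to the WAN2 gateway, bypassing the default route (0.0.0.0/0 via WAN).
# This is the LAN rule with "Gateway: WAN2_GW" set in the GUI.
pass in quick on $lan inet from $vlan7 to any route-to ($wan2 $wan2_gw) keep state

# Everything else entering LAN uses the system routing table (default WAN).
pass in quick on $lan inet from any to any keep state
```

To check which of the two a running pfSense actually has, `pfctl -sr | grep route-to` lists the policy-routing rules the GUI generated and `pfctl -sn` lists the NAT rules; a `route-to` line for 192.168.7.0/24 is the one that moves the traffic, a `nat on` line alone only relabels packets that would have left on that interface anyway.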
Thanks for filling in my great ignorance; with your help I resolved the issue.
Now I have this in the rule for LAN interface:
and on the outbound NAT I set the correct interface:
But now can you please explain something about that?
The first thing is how I can go out via the 184.108.40.206 path even though I am on the WAN interface; or rather, when I do a traceroute I see that I correctly go out through the "desired" path and not the default one.
The second question is about the starting path, i.e. with the configuration I did initially I saw that the flow was:
- 192.168.0.3 (swi1)
- 192.168.0.31 (pfs1)
- desired network hop
while now, with the correct gateway set on the LAN -> net 7 rule, I see only
- 192.168.7.7 (swi1 HSRP address for net 7)
- desired network hop
so it seems that pfSense is not engaged.