Netgate Discussion Forum
    Two WAN ISP's with single inside NAT (sorry if this doubled)

    gnome:

      Greetings,

      I currently have a home brew Linux router that I have been using for some time now and would like to retire the "old way" of managing it with something a little new. One reason for this is that I now have two separate Internet connections, each with 6 public IPs; marking the packets and building the separate routing tables within Linux just made things way too complicated and I wasn't able to get it to work "the way I wanted ™". I also have it communicating with an internal VPN router via OSPF via zebra.

      After working on various configs over the last week, reading a dozen 'how-to's and perusing the message board, I think I've got so much going into this that it's hard to find out where the problem is located. So, with that said, let's cut to the chase.

      The router has 5 network interfaces: WAN1, WAN2, LAN, DMZ, WIFI
      WAN1 has 3 addresses assigned on it (One to the interface, two virtual network)
      WAN2 has 3 addresses assigned on it (One to the interface, two virtual network)
      LAN has 2 addresses assigned on it (One to the interface, one virtual network) [the virtual is for the OSPF VPN, another challenge later]
      DMZ has 1 address assigned on it (One to the interface)
      WIFI has 1 address assigned on it (One to the interface)

      I separated all the interfaces out to segregate the kind of traffic that's in use in the network. On the Linux router, there are firewall rules that drive policy of who can see what and when. I saw that pfSense has this capability, which is why I'm using it; however, I haven't gone as far as migrating that policy.

      As it is configured now, everyone can route to everyone internally just fine, and out to the Internet. However, Internet traffic does not make it to the inside DMZ network at all. If I sniff on the WAN1/WAN2 interfaces, I see the traffic coming in. Sniffing all the internal interfaces doesn't show it leaving, meaning the pfSense box is blocking it. With that said, I added a final firewall rule to allow all traffic and log it so that if there is an exception that is being missed, a rule could be created for it. The firewall logs do not increase at this point with outside traffic coming in.

      I've created the port-forwarding rules necessary based on the documentation, and confirmed that the appropriate firewall rules are being written as well. The NAT reflection box is unchecked, and Captive Portal is disabled. I'm sure it's something stupid, but I'm unable to figure this one out. Please help me retire my old Linux router :) hehe

      I've attached the config file; all the details are in it.

      Once I can get the Dual WAN to work, then services re-enabled, I can then focus on the quagga/ospf connection.

      Thanks
      Attachment: config-core.txt

    gnome:

        ASCII Art

        WAN1--\              /---DMZ
               \            /
                PFSENSE----LAN
               /            \
        WAN2--/              \---WIFI

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.