MultiWAN pfsense routing
-
Hello... I'm looking for assistance for configuring multi-WAN NATting and routing on the pfSense box.
Not for load balancing or failover.
pfSense box has only 1 WAN port, with access to many public static IPs in the same subnet.
-
I want to NAT and route traffic based on the configured LAN VLAN.
-
For example, native VLAN 1 will NAT and route traffic to 75.90.220.100 for the pfSense box and VLAN 2 will NAT and route traffic to 75.90.220.101.
Looking for expert help on pfSense, as the material I found online is for multi-WAN failover or load balancing.
-
This isn't "Multi WAN".
This is "Multiple IP addresses on a Single Interface" (VIP).
Check/read the docs about VIPs / NAT (AON):
https://docs.netgate.com/pfsense/en/latest/index.html
-
You are right.. Thanks..
From this link, I want to achieve a combination of Routed Public IP and NAT: https://docs.netgate.com/pfsense/en/latest/book/firewall/methods-of-using-additional-public-ip-addresses.html#figure-multiple-public-ips-singleblock-diagram
Now, if I can find help from someone who can show me, perhaps a detailed document, video, etc.
-
What you're asking about is entirely in the outbound NAT config. There's no routing config required as it's all going via the same gateway.
Switch the outbound NAT mode to Hybrid or Manual. I recommend hybrid as it will still add auto rules for new subnets you might otherwise forget to add yourself.
Add rules for each of the subnets you need and set the required WAN VIP as the translation address instead of the main WAN address.
Steve
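To make Steve's outbound NAT advice concrete, here is an added example (not code from the thread or from pfSense itself) that models the per-VLAN translation table in Python. It lists the WAN IP-alias VIPs that have to exist so the firewall answers ARP for them, checks that each translation address actually sits inside the ISP block, renders the table as the pf `nat on` lines pfSense generates, and simulates first-match evaluation to show why hybrid mode's ordering (manual rules before automatic ones) matters. The WAN interface name, the ISP block 75.90.220.96/27, and the VLAN subnets 192.168.1.0/24 and 192.168.2.0/24 are constructed assumptions; only the two public addresses come from the thread.

```python
import ipaddress

# Constructed example values (not from the thread): the ISP block, the
# firewall's own WAN address, the WAN interface name and the VLAN subnets.
WAN_IFACE = "em0"
WAN_NET = ipaddress.ip_network("75.90.220.96/27")
WAN_ADDR = ipaddress.ip_address("75.90.220.100")

# VLAN subnet -> public address its traffic should leave with.
VLAN_TO_VIP = {
    "192.168.1.0/24": "75.90.220.100",  # native VLAN: the WAN address itself
    "192.168.2.0/24": "75.90.220.101",  # VLAN 2: an IP Alias VIP on WAN
}


def required_vips(mapping=VLAN_TO_VIP, wan_addr=WAN_ADDR):
    """Translation addresses that must be added under Firewall > Virtual IPs
    (type IP Alias, interface WAN); without a VIP the firewall never answers
    ARP for the address and replies from upstream go nowhere."""
    vips = {ipaddress.ip_address(v) for v in mapping.values()} - {wan_addr}
    return [str(v) for v in sorted(vips)]


def validate(mapping=VLAN_TO_VIP, wan_net=WAN_NET):
    """Sanity checks a translation address must pass before it can work."""
    problems = []
    seen = []
    for lan, vip in mapping.items():
        net = ipaddress.ip_network(lan)
        addr = ipaddress.ip_address(vip)
        if addr not in wan_net:
            problems.append(f"{vip} is not inside the WAN subnet {wan_net}")
        elif addr in (wan_net.network_address, wan_net.broadcast_address):
            problems.append(f"{vip} is the network or broadcast address")
        for other in seen:
            if net.overlaps(other):
                problems.append(f"{net} overlaps {other}; first match decides")
        seen.append(net)
    return problems


def outbound_rules(mapping=VLAN_TO_VIP, wan_addr=WAN_ADDR):
    """Rule table in the order pfSense evaluates outbound NAT (first match wins).
    Hybrid mode places manual rules ahead of the automatic ones, so the
    per-VLAN rules come first and the auto rules to the WAN address are the
    fallback for any subnet the admin forgot to map explicitly."""
    manual = [(ipaddress.ip_network(lan), ipaddress.ip_address(vip))
              for lan, vip in mapping.items()]
    auto = [(ipaddress.ip_network(lan), wan_addr) for lan in mapping]
    return manual + auto


def render_pf(rules, wan_iface=WAN_IFACE):
    """Render the table as pf 'nat on' lines, the form pfSense loads into pf."""
    return [f"nat on {wan_iface} from {src} to any -> {target}"
            for src, target in rules]


def translation_for(src_ip, rules):
    """Simulate first-match evaluation: the public address a packet from
    src_ip leaves with, or None if no rule covers it."""
    ip = ipaddress.ip_address(src_ip)
    for src_net, target in rules:
        if ip in src_net:
            return str(target)
    return None


if __name__ == "__main__":
    print("VIPs to create on WAN:", required_vips())
    print("problems:", validate() or "none")
    rules = outbound_rules()
    print("\n".join(render_pf(rules)))
    print("192.168.2.5 leaves as", translation_for("192.168.2.5", rules))
```

Running it prints the one VIP to create (75.90.220.101), the four pf lines, and confirms a VLAN 2 host leaves as .101. Reversing the table so the automatic rules come first makes the same host leave as .100, which is exactly the symptom of putting the manual rule below the auto rule in the outbound NAT list.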
-
@stephenw10 Thanks.... But that never worked. That is why I resorted to these forums. NAT doesn't work for any IPs other than the bridged ISP router public IP. (These public IPs are in the same subnet on the ISP end, and these IPs are active. I've connected the machines directly to the bridged ISP router.)
-
Perhaps your ISP is doing something stupid like requiring a separate MAC address for each IP address.
Or perhaps you need to create a Virtual IP address on the firewall (Firewall > Virtual IPs) so it knows to respond to ARP requests from the upstream.
-
Yeah, if it's set up correctly you should be able to ping out from those VIPs in Diag > Ping. That excludes any NAT issues.
Steve
-
@Derelict thanks.. I have created the virtual IP.
I talked to the ISP, and they do DHCP reservation (MAC binding)... Is there any workaround to get around this issue?
-
Not really. They need to figure out that is stupid. It sounds like the service you purchased is locked down to connecting one IP address per MAC address. That is dumb. See if they can give you a proper subnet.
-
Mmm, if you can only use the IPs directly and they require a different MAC for each IP, your options are limited.
If you have one or two public IPs there are some workarounds you might use, but for more than that you will have to bridge the WAN to another interface and use the IPs directly on hosts connected to it. You can still filter traffic to/from them in that scenario.
Steve
-
@stephenw10 yeah... They need a MAC for each IP. We have 5 IPs from the same subnet. But I just need 3 public IPs, one being the pfSense IP. What's the workaround? The pfSense is bridged to the ISP router.
-
I don't think you can do three. You can add a single interface bridge and set a MAC on that.
You will have to bridge it to another interface and use them directly.
Steve
-
Thanks @stephenw10.. Logically speaking, if I add interface cards for the other connections to connect to the other public IPs, do they leave those connections in the DMZ? Or can I still monitor/control the traffic? Can I interact with that LAN from the other LAN?
Is there a document I can refer to?
-
The only document is probably this:
https://docs.netgate.com/pfsense/en/latest/book/firewall/methods-of-using-additional-public-ip-addresses.html#bridging
You can still filter the traffic between the actual WAN and the bridged segment even though they are in the same subnet. So you don't have to have those IPs exposed and you can control what they can connect to.
You can connect to them from the LAN just like any subnet connected to the firewall.
Steve
-
Or just get a circuit that is properly-provisioned for your use case.
-
Yeah, do that if it's an option for you. Bridging should always be a last resort.
-
Ok.. I'll give it a try. Thanks guys..