Netgate Discussion Forum
Dual WAN + advanced NAT + port forwarding

Category: Routing and Multi WAN
13 posts, 3 posters, 6.9k views
Mercredi:

Hello!
First of all, sorry for my ugly English. Here is my problem:
I couldn't find exactly my situation on this forum. 2 WAN / 1 LAN, advanced outbound NAT through each WAN interface for my LAN, port forwarding for my mail server. At the moment all outgoing traffic goes through the default WAN except some networks like 87.103.240.0/20, which are accessible through the OPT1 (WAN2) interface. From my network everything is OK, but any connections made from a network on the 2nd WAN interface to my first WAN interface can't be established. What is the reason?
I can describe my network more precisely if it's needed… Thank you.

hoba:

Why do you want to route traffic incoming at your 2nd WAN out to your 1st WAN? Routing from Internet to Internet? There are default firewall rules blocking traffic of that kind. Maybe I don't get exactly what you are trying to do, but at the moment this setup doesn't make sense to me. Please explain in more detail and describe what you want to achieve with this setup.

Mercredi:

hoba:

Some services, like HTTP or SMTP, are published only on the first WAN interface and are accessible from the entire Internet. Some users from the networks to which I have static routes through the second interface want to access the IP of the first WAN to reach my server.

hoba:

Should be doable with appropriate advanced outbound NAT rules and firewall rules, but it's not too easy and too abstract to discuss without details. You should try to understand how outbound NAT works and figure it out yourself.

Mercredi:

hoba: I'm not a dummy :) I understand that it is not so easy. When packets come in on the first interface, why do their replies go out through the second interface? Do I need something like source routing?

hoba:

Normally the state that was generated on establishing the connection should keep track of where the answer should be sent. This might not work for active connections like FTP, as these connections don't belong to the same state.

Mercredi:

OK, so I have some misconfiguration, yep? May I show you my config file?

hoba:

This would need discussing your whole network, IP addresses, ranges, … describing in detail how it should work and what exactly you want to do. I think this is beyond the scope of this forum.

Set it up simply first, step by step, not starting with the full implementation. This should help you find what is wrong. Also have a look at the states that your forwards create (either in the web GUI or, even better, at the shell running pftop in real time).

Mercredi:

I have a very simple network configuration: one primary WAN, on which I publish my mail services, and one backup WAN, which also connects me directly to a domestic ADSL provider that brings the leased lines to my branch offices. Load balancing (the way it's implemented now) isn't working for me. Here in Russia we still pay for incoming traffic, 5-10cc per megabyte, so we have to choose which line to use mostly and which only for failover. I am really waiting for the 1.1 version of pfSense.

sullrich:

You will be waiting for quite a while considering 1.0 is not even out yet.

Mercredi:

I'll be a beta tester for the failover (not CARP) function, if it's possible. I'm thinking of ways I can support your project here in Russia, in Siberia, or just in the city of Novosibirsk.

Can anybody solve my problem, which I described before, for some money? I forgot, I only have roubles. I would try to reconfigure my installation by myself, but I think I didn't make any mistakes there…

Mercredi:

hoba: while I have a static route to 87.103.240.0/20 through the second WAN interface, there is no way to connect from this network (87.103.240.0/20) to the first WAN interface's IP address. Once I delete the static route, everything is all right, but then how do I route my LAN's traffic that is more suitable to be routed through the second interface? Oh-oh…

hoba:

You don't need routes for directly connected subnets of the pfSense. Just create a pass firewall rule for traffic with this subnet as destination, with the gateway set to that WAN.

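The advice in the last reply, expressed as a pf ruleset, as an added example that is not part of the thread and not pfSense's own generated configuration. Interface names, addresses and gateways are assumptions chosen for illustration; only 87.103.240.0/20 and the SMTP/HTTP-on-WAN1 setup come from the posts. The point it shows: a static route to 87.103.240.0/20 affects every packet to that prefix, including replies to inbound connections on WAN1, whereas a policy-routing pass rule on LAN (`route-to`, the "gateway" field of a pfSense firewall rule) only affects LAN-originated traffic, and `reply-to` on the WAN1 rule pins the replies of forwarded connections to WAN1's gateway.

```pf
# Added example, not from the thread. All names and addresses below are
# assumptions (TEST-NET ranges) except 87.103.240.0/20, which the poster named.
wan      = "em0"               # assumed primary WAN, public services live here
wan2     = "em1"               # assumed backup WAN / domestic ADSL link
lan      = "em2"
lan_net  = "192.168.1.0/24"    # assumed LAN
mailsrv  = "192.168.1.25"      # assumed internal mail server
wan_gw   = "203.0.113.1"       # assumed gateway on WAN
wan2_gw  = "198.51.100.1"      # assumed gateway on WAN2
adsl_net = "87.103.240.0/20"   # prefix reachable via WAN2, as in the thread

# Outbound NAT per WAN interface ("advanced outbound NAT" in the GUI):
# LAN traffic leaving a given WAN is translated to that WAN's address.
nat on $wan  from $lan_net to any -> ($wan)
nat on $wan2 from $lan_net to any -> ($wan2)

# Port forward for SMTP on the primary WAN only (HTTP would be the same shape).
rdr on $wan proto tcp from any to ($wan) port 25 -> $mailsrv port 25

# Pass the forwarded traffic in on WAN. rdr has already rewritten the
# destination, so the filter rule matches $mailsrv. reply-to records WAN's
# gateway in the state, so answers to a client inside $adsl_net go back out
# WAN, even though a route for that prefix points at WAN2.
pass in quick on $wan reply-to ($wan $wan_gw) proto tcp \
    from any to $mailsrv port 25 flags S/SA keep state

# Policy routing instead of a static route: only LAN-originated traffic to
# $adsl_net is sent via WAN2. This is the pass rule with the gateway set to
# WAN2 that hoba suggests. Inbound replies on WAN are untouched by it.
pass in quick on $lan route-to ($wan2 $wan2_gw) \
    from $lan_net to $adsl_net keep state

# Everything else from LAN follows the default route (WAN).
pass in quick on $lan from $lan_net to any keep state
```

`quick` is used so the first matching rule wins, which matches how pfSense orders its generated rules; without it pf uses last-match and the final catch-all rule would override the `route-to` rule above it. To check the behaviour hoba describes, open a connection from a host in 87.103.240.0/20 to WAN1's SMTP port and look at the state with `pfctl -ss` (or pftop): the state for that connection should show the reply direction bound to WAN, not WAN2.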
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.