Dual WAN - Port Forwarding - Policy Routing for Internet


  • Hello everyone and happy new year,

I'm new to networking and pfSense, trying to implement the following schematic with 3 different kinds of devices on the LAN:

A. Device like 192.168.1.10 - able to reply to port forwarded service 2404 on both WANs - reply via the WAN the request came in on. Default Internet WAN1.
B. Device like 192.168.1.20 - able to reply to port forwarded service 182 on both WANs - reply via the WAN the request came in on. Default Internet WAN2.
C. Simple LAN devices, default Internet WAN2.

To be simpler, I think it is better to follow a schematic like that, having both WANs and the LAN on one firewall and a single gateway on the LAN.
    PV_Plant2.png
Can anyone give me some tips on how I can set the different priorities to achieve something like that?

For example, in System -> Routing there is a default gateway option or automatic. If I set a default gateway there, what does this mean? Is it priority one and always respected?
Then if I add a firewall rule to the LAN so that a device has to reply using WAN1, does this mean that port forwarding will not be respected if requested from WAN2?
In the NAT Port Forward section, there is Advanced -> and then Gateway selection. Is this only for the port forward, overriding the default gateway?
Also, what about static routing and outbound...? So many settings; I don't know what is prioritized for each interface, even though I saw the documentation for these topics.

    Any help and guideline will be much appreciated. Thank you.


  • @bambos
    Please read the Gateway Settings, Gateway Groups and Multiple WAN part of the doc at first:
    https://docs.netgate.com/pfsense/en/latest/routing/gateway-configure.html
    https://docs.netgate.com/pfsense/en/latest/routing/gateway-groups.html
    https://docs.netgate.com/pfsense/en/latest/multiwan/index.html

    Come back after if you have further questions.


  • @viragomann Hello Sir, and thanks for the links.
    I have already run through them several times the last 5 days.

I'm aware of gateway configuration.
I'm aware of the gateway groups for failover and balancing, but my case is neither of them.

This scenario is simultaneous dual WAN port forwarding from both WANs.
Some devices have to use gateway 1, some devices have to use gateway 2.

To my understanding, port forwarding should work without any settings, as long as the reply-to functionality is enabled by default (under System -> Advanced -> Firewall & NAT).

Is there any way to have some devices on the LAN use the gateway on WAN1 and other devices on the LAN use the gateway on WAN2? (For normal traffic, not port forwarding.)

    Thanks for any suggestions.


  • @bambos said in Dual WAN - Port Forwarding - Policy Routing for Internet:

To my understanding, port forwarding should work without any settings, as long as the reply-to functionality is enabled by default (under System -> Advanced -> Firewall & NAT).

That's correct. That feature makes sure that responses are sent out on the same interface the request came in on, no matter whether it's the default gateway or not.

    @bambos said in Dual WAN - Port Forwarding - Policy Routing for Internet:

Is there any way to have some devices on the LAN use the gateway on WAN1 and other devices on the LAN use the gateway on WAN2? (For normal traffic, not port forwarding.)

    This can be done by policy routing rules: https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html

Group the IPs which you want to go out on the same interface in an alias and use this one in a pass rule as the source. Expand the advanced options in the rule, go down and find the gateway drop-down. Select the proper gateway.
It's good advice to have an alias with all RFC1918 networks defined. So you can add this at the destination together with "invert" checked. This prevents this rule from matching local destinations.
    Now you can put this rule to the top of the rule set to ensure it is applied before rules which have any.

If you want to use both gateways but use one as default, create a gateway group. You can create multiple gateway groups including the same gateway, e.g. one with WAN1 as tier 1 and WAN2 as tier 2, and a second group the other way around.

    @bambos said in Dual WAN - Port Forwarding - Policy Routing for Internet:

    If i set there default gateway, what does this mean ?

The default gateway is used if no gateway or gateway group is stated, either in a policy routing rule or in a static route.

    Ensure that you have outbound NAT rules in place for both WANs.
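Pulling the advice in this thread together as an added example (written for this page, not by anyone in the thread and not pfSense's own generated /tmp/rules.debug): a hand-written pf ruleset equivalent to what the GUI steps produce, covering the reply-to behaviour on the port forwards, the policy routing rules with an inverted RFC1918 alias, the default gateway for the remaining hosts, and outbound NAT on both WANs. The interface names (em0/em1/em2), the upstream gateway addresses and the LAN hosts are assumed placeholders.

```pf
# Assumed mapping (not from the thread):
#   em0 = WAN1, upstream gateway 203.0.113.1
#   em1 = WAN2, upstream gateway 198.51.100.1
#   em2 = LAN, 192.168.1.0/24
# Device A (192.168.1.10) serves port 2404, device B (192.168.1.20) serves port 182.

# pfSense aliases compile to pf tables. The RFC1918 table is used inverted
# below so that policy routing never captures LAN-to-LAN or LAN-to-firewall traffic.
table <rfc1918>  { 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 }
table <via_wan1> { 192.168.1.10 }
table <via_wan2> { 192.168.1.20 }

# Outbound NAT on both WANs (without this, policy-routed traffic leaves with a
# private source address and the upstream drops it).
nat on em0 from 192.168.1.0/24 to any -> (em0)
nat on em1 from 192.168.1.0/24 to any -> (em1)

# Port forwards: the same rdr on each WAN. The matching pass rule carries
# reply-to, so responses leave via the WAN the request arrived on, regardless of
# the system default gateway and of any route-to rule on the LAN side.
rdr on em0 proto tcp from any to (em0) port 2404 -> 192.168.1.10
rdr on em1 proto tcp from any to (em1) port 2404 -> 192.168.1.10
pass in quick on em0 reply-to (em0 203.0.113.1) proto tcp from any to 192.168.1.10 port 2404 keep state
pass in quick on em1 reply-to (em1 198.51.100.1) proto tcp from any to 192.168.1.10 port 2404 keep state

rdr on em0 proto tcp from any to (em0) port 182 -> 192.168.1.20
rdr on em1 proto tcp from any to (em1) port 182 -> 192.168.1.20
pass in quick on em0 reply-to (em0 203.0.113.1) proto tcp from any to 192.168.1.20 port 182 keep state
pass in quick on em1 reply-to (em1 198.51.100.1) proto tcp from any to 192.168.1.20 port 182 keep state

# LAN policy routing: rules are evaluated top-down and the first "quick" match
# wins, so these sit above the generic LAN rule. route-to overrides the system
# default gateway for matching connections only; destinations inside RFC1918
# space fall through to the generic rule and are routed normally.
pass in quick on em2 route-to (em0 203.0.113.1) from <via_wan1> to ! <rfc1918> keep state
pass in quick on em2 route-to (em1 198.51.100.1) from <via_wan2> to ! <rfc1918> keep state

# Remaining LAN hosts: no route-to, so they follow the default gateway
# (System > Routing, set to WAN2 for the scenario in the first post).
pass in quick on em2 from 192.168.1.0/24 to any keep state
```

The ordering mirrors what the reply recommends: translation (nat/rdr) first, the reply-to pass rules for the forwards, then the policy routing rules ahead of the catch-all LAN rule. With the default gateway set to WAN2, the `<via_wan2>` rule is redundant for device B and is kept only to make the intent explicit; the `<via_wan1>` rule is what actually moves device A's normal Internet traffic off the default gateway.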