Port forwarding on a LAGGed WAN interface

  • Hello everyone,

    New user here on the forum, and I'm sorry if this is a stupid question.


    I'm something of an intermediate hobbyist networking guy and I recently discovered my modem (Arris SB8200) has the ability to turn its two ethernet ports into a LAGG. I of course wanted to try it out, and lo and behold it works beautifully... except for one specific caveat.

    I can't access any of the services behind my firewall because the NAT port-forwards I set up aren't working. I've logged into the router through a back channel and verified they're still in place and that the firewall rules are still effective (they are), and I am definitely still getting internet on my regular LAN-connected devices without trouble.

    I'm sure this is some sort of routing problem with multiple ethernet MACs on the public interface, but I'm not sure how I can fix it.



    Modem: Arris SB8200 (2x GB Ethernet, 1x Coaxial)
    Router: pfSense (4x GB Ethernet [Quotum device])
    Switch: Netgear 16 port PoE, Fully managed


    My setup follows a pretty basic topology. Modem is at the top receiving a single public IP address from my ISP; it passes traffic between itself and the WAN of my pfSense router, which passes traffic between itself and the switch (to which all the rest of my LAN segments are connected, either physically or virtually from a hypervisor).


    All relevant connections are LAGGs. From the modem to the router, the router to the switch, and the switch to my hypervisors (running services, etc.)

    Modem <-> Router 2x Ethernet ports in LACP
    Router <-> Switch 2x Ethernet ports in Round-Robin
    Switch <-> Hypervisor 2x Ethernet ports in Round-Robin

    I can't reach any services that rely on NAT from inside or outside the network. I get a "No route to host" error on either side for SSH (port 22) or anything else.

    Any help or suggestions are appreciated
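Added example, not code from the thread or from pfSense itself: a small sh check for the configuration the original poster describes (pfSense WAN on an LACP lagg with NAT port forwards). It parses constructed samples of `ifconfig lagg0` and `pfctl -sn` output, flags LACP members that have not actually joined the bundle, and flags rdr (port-forward) rules bound to an interface other than the lagg. The interface names, addresses and rule contents are invented for illustration; on a real box, feed the functions the live command output instead.

```shell
#!/bin/sh
# Added example, not from the forum thread: offline sanity check for a pfSense
# (FreeBSD) WAN running on a lagg. It parses constructed samples of what
# `ifconfig lagg0` and `pfctl -sn` print; on a real box, feed it the live
# output instead. Interface names, addresses and hosts below are made up.

# Constructed `ifconfig lagg0` sample: LACP lagg, member igb0 negotiated,
# member igb1 cabled but not part of the bundle (no ACTIVE flag).
SAMPLE_IFCONFIG='lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:0d:b9:4a:11:02
        inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255
        laggproto lacp lagghash l2,l3,l4
        laggport: igb0 flags=1c<ACTIVE,COLLECTING,DISTRIBUTING>
        laggport: igb1 flags=0<>
        groups: lagg
        status: active'

# Constructed `pfctl -sn` sample: the SSH forward is bound to lagg0, but a
# second forward is still bound to igb0, a bare member NIC that no longer
# carries the WAN address or sees the WAN traffic on its own.
SAMPLE_PFCTL='nat on lagg0 inet from 10.0.10.0/24 to any -> 203.0.113.10 port 1024:65535
rdr pass on lagg0 inet proto tcp from any to 203.0.113.10 port = 22 -> 10.0.10.5
rdr pass on igb0 inet proto tcp from any to 203.0.113.10 port = 443 -> 10.0.10.6'

# Print the aggregation protocol (lacp, loadbalance, roundrobin, failover).
lagg_proto() {
    printf '%s\n' "$1" | awk '$1 == "laggproto" { print $2 }'
}

# Print member ports that are ($2 = active) or are not ($2 = inactive) in the
# bundle. With LACP a member only joins after negotiating with the peer; a
# laggport line showing flags=0<> means the link is up but carries no bundle
# traffic, so that half of the "LAGG" is not aggregating anything.
lagg_member_ports() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "laggport:" {
            state = ($3 ~ /ACTIVE/) ? "active" : "inactive"
            if (state == want) print $2
        }'
}

# Print the interface of every rdr (port-forward) rule in $2 that is not bound
# to the WAN interface $1. Both "rdr on X" and "rdr pass on X" forms are handled.
rdr_not_on() {
    printf '%s\n' "$2" | awk -v wan="$1" '
        $1 == "rdr" {
            for (i = 2; i < NF; i++)
                if ($i == "on") { if ($(i + 1) != wan) print $(i + 1); break }
        }'
}

# Overall verdict: returns 0 if the lagg runs LACP with every member active and
# every rdr rule is bound to it, 1 otherwise. Arguments: lagg name, ifconfig
# text, pfctl text.
check_wan_lagg() {
    wan=$1; ifc=$2; nat=$3; ok=0
    [ "$(lagg_proto "$ifc")" = "lacp" ] || { echo "WARN: laggproto is not lacp"; ok=1; }
    for p in $(lagg_member_ports "$ifc" inactive); do
        echo "WARN: member $p is not ACTIVE in $wan"; ok=1
    done
    for i in $(rdr_not_on "$wan" "$nat"); do
        echo "WARN: rdr rule bound to $i instead of $wan"; ok=1
    done
    return $ok
}

# Stand-alone report on the constructed samples. On pfSense, replace the two
# samples with "$(ifconfig lagg0)" and "$(pfctl -sn)".
echo "laggproto:      $(lagg_proto "$SAMPLE_IFCONFIG")"
echo "active ports:   $(lagg_member_ports "$SAMPLE_IFCONFIG" active | tr '\n' ' ')"
echo "inactive ports: $(lagg_member_ports "$SAMPLE_IFCONFIG" inactive | tr '\n' ' ')"
check_wan_lagg lagg0 "$SAMPLE_IFCONFIG" "$SAMPLE_PFCTL" && echo "OK" || echo "PROBLEMS FOUND"
```

The two checks are independent: a member stuck at `flags=0<>` points at the LACP negotiation with the upstream device, while an rdr rule bound to a member NIC rather than the lagg points at the NAT configuration on the router. Running both against live output tells you which side to look at before touching any rules.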

  • LAYER 8 Netgate

    @mstaffa81 Port forwarding on a lagg is no different than port forwarding on a single, non-aggregated interface.

    Unless there is something that doesn't work correctly in the upstream device.

    You didn't post any specifics as to what, exactly, you have done.

  • @derelict Dumb fix fixed it, had to remake the NAT rules for whatever reason.