routing LAN To Virtual IP


  • First of all, I apologize if this issue is basic, but I don't have much experience with configuring networks.

    My LAN (em1) is configured with the IP range 192.168.1.0/24

    I have a WAN1 (em0), with a public ip assigned by DHCP, which is configured and working well.

    Yesterday another WAN2 access was installed, which I am not able to configure correctly.

    Access to WAN2 (em3) has the following data indicated by the operator:

    WAN2 ip (local): 100.64.67.74/30
    WAN2 Remote (gateway I think): 100.64.67.73
    Virtual IP (public IP): 62.28.16.105

    I have the VIRTUAL IP configured in Firewall -> Virtual IPs as "IP Alias"

    Note: the em2 interface is not being used

    When I disable WAN1 and try to reach the internet using WAN2, I can't access anything.

    From the LAN I can ping the IP 100.64.67.74, 100.64.67.73

    I captured some packets on the em3 interface (WAN2) and I can see packets arriving from the internet to the virtual public IP (62.28.16.105)

    But how do I forward traffic from LAN to public IP?


  • @adb You also need NAT on the new outbound interface, and some rules to send traffic there.


  • @netblues Thanks for your response.
    Yesterday I was trying to configure "Outbound NAT Entry" but I don't know if I have the correct settings.
    Outbound NAT Entry
    If this configuration is correct, all that remains is to configure new routing rules, right?


  • @adb You also need to enable the rule...
    You need a routing policy for packets to reach the interface so they can be NATed.
    It's either rules on your LAN interface
    or static routes (including a default gateway change, as a test..)


  • @netblues Thanks, the rule is not active because I had to disable it to have internet, but I will activate it to continue testing.
    How do I define the route on the LAN interface so that it is NATed?
    I apologize if the question is basic, but I don't really know the answer. I still have a lot to learn about network configuration and specifically how pfSense works.


  • @netblues These are the rules I have right now in LAN
    2021-01-14_142452.png


  • To give more context to the settings I have, I leave here some screenshots

    2021-01-14_145806.png

    2021-01-14_145812.png

    2021-01-14_145826.png


  • @adb Since you created a gateway group, you need a rule on your LAN to direct traffic to that group and not *, which is the default.


  • @netblues Is that not handled by the "default gateway IPv4" setting? I just double checked a client router with 2 WANs, since I didn't set it up, and all LAN rules use a gateway of * including the default LAN->any.


  • @teamits It will work, since you are redirecting the default gw to a group.
    However, it is not easy to debug, especially in load balancing scenarios where weights are involved.
    For failover, it's much easier.
    With policy routing you have better control of the situation.


  • Finally I managed to configure everything, and it was much simpler than I was thinking.
    I will try to describe all (in fact there are only a few) the configurations I made.

    As I currently have two connections to the internet, I have defined a gateway group with the name "IPV4_GW_GROUP".
    This gateway group has two internet connections:

    • WAN_MEO_GW
    • WAN_PT_GW

    For this problem, the connection that matters is "WAN_PT_GW", which connects to the interface "WAN_PT" that we will call WAN2.
    The "WAN_PT" interface is configured with "Static IPv4" and the IP is 100.64.67.74.

    2021-01-15_132422.png

    Then it was only necessary to configure NAT to translate all traffic to my public IP (virtual IP).

    2021-01-15_132737.png
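For readers who want to see what the two GUI settings above (outbound NAT to the virtual IP, plus a LAN rule that policy-routes to WAN2) amount to underneath, here is an added pf.conf fragment in the ruleset syntax pfSense generates from its GUI. It is not from the thread or from pfSense's own generated rules; the interface and address values are taken from the posts above, and the macro names are assumptions.

```pf
# Macros (values from the thread; names are assumptions)
lan_if   = "em1"
wan1_if  = "em0"
wan2_if  = "em3"            # "WAN_PT" / WAN2
wan2_gw  = "100.64.67.73"   # operator's remote end of the /30
wan2_vip = "62.28.16.105"   # IP Alias virtual IP (public)
lan_net  = "192.168.1.0/24"

# Outbound NAT: LAN sources leaving WAN2 are translated to the virtual
# public IP, not to the 100.64.67.74 link address. This is the
# "Outbound NAT Entry" from the thread; without it, replies from the
# internet would be addressed to a CGNAT address that is not routable.
nat on $wan2_if from $lan_net to any -> $wan2_vip

# Policy routing on LAN: forward matching LAN traffic via WAN2's gateway
# instead of the system default route on WAN1. This is the LAN rule with
# a gateway other than "*" that netblues describes; it is what makes the
# packets reach em3 so the NAT rule above can apply.
pass in quick on $lan_if route-to ($wan2_if $wan2_gw) \
    from $lan_net to any keep state

# Let the translated traffic leave WAN2 statefully.
pass out quick on $wan2_if keep state
```

To check the effect on a running pfSense box, compare `pfctl -sn` (translation rules) and `pfctl -sr` (filter rules) against this fragment, and `pfctl -ss` to confirm that new LAN sessions bind to em3 with the 62.28.16.105 source.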


  • @adb Glad it worked for you :)