Question about Nat 1:1 and external IP
I have an HA setup with 2 WAN interfaces and 3 Local Networks.
Machines on my DMZ network have NAT 1:1 binding. Most of them are on the first WAN, now I got some new machines and I'm assigning IP's from the second WAN to these.
So I've added the config for 1:1 nat, selected the interface WAN2 and enabled NAT Reflection. However, when I call out, it always goes with the default pfsense CARP IP from WAN 1 instead of with the assigned IP from WAN2. What am I missing? Thanks!
The traffic is going out accordingly to the routing table. So it will be directed to WAN1, since that's your default gateway.
If you want direct certain machines out another route you have to set up policy routing rules for it.
Recently explained how to do this in another thread:
Hi there mate and thank you for your reply. Honestly I had seen that thread before but I don't see it fit as a solution for my issue.
I have the rules on Outbound Nat set correctly but these rules are respective to the CARP outbound nat when using interface WAN1 or WAN2, since I have the WAN2 interface selected on the 1:1 NAT then in last resort should be going through that interface CARP address. I actually reviewed them just in case, and the pfSense documentation is clear about how NAT 1:1 works:
Netgate Docs - Network Address Translation - NAT 1:1
Quoting from the article:
- All traffic originating from that private IPv4 address going to the Internet will be mapped by 1:1 NAT to the public IPv4 address defined in the entry, overriding the Outbound NAT configuration.
This is literally on the first paragraph. So, unless this is broken or the feature doesn't work correctly, I don't see why I would have to add "policy routing". (I'm sorry but I like things both lean and simple)
The NAT 1:1 that refer to the WAN1 interface all work well - the outgoing IP is the NAT 1:1 IP, not the WAN1 gateway IP (which is the CARP IP).
Also, when I configured the NAT 1:1 I've set the interface as WAN2, so as last resort it should be sending the traffic through the WAN2 CARP address as I had mentioned above. I mean, the options are there and the configuration is clear. I may have overlooked something, which is why I am here, but if not, then this is a bug.
The outbound NAT rules do only NAT, no other tings and no routing at all.
As I mentioned, basically the upstream traffic is going out accordingly to the routing table. When you want it to go out to another gateway like your WAN2 you have to set a special routing rule additionally to the outbound NAT rule for WAN2.
@viragomann can you please specify where that is on the documentation?
When you configure the NAT 1:1 you have to select an interface. That is the interface where the traffic is going through. Each interface has an Upstream Gateway assigned - so in last resort it would go through "INTERFACE -> Outbound NAT for the selected interface".
What the feature does is well stated on the documentation. I kindly ask you to read this again:
"All traffic originating from that private IPv4 address going to the Internet will be mapped by 1:1 NAT to the public IPv4 address defined in the entry, overriding the Outbound NAT configuration."
If the traffic ORIGINATING from THAT PRIVATE IPv4 address GOING TO THE INTERNET will be mapped by the 1:1 NAT to the public IPv4 address, AND OVERRIDES the OUTBOUND NAT configuration, then its not "do only NAT".
Unless the documentation is wrong.
Are you saying that the feature does not work as described on the Netgate documentation, and that the said documentation is wrong?
The doc will be correct. However, you're only regarding to the NAT part.
Read the Multi-WAN routing chapter, please:
maverickws last edited by
Alright, added a policy routing. Thanks and cheers :)