Port forwarding not working correctly with multi wan

aduzsardi

Hi,
We have a Netgate 7100 with dual WAN configured , the second WAN is using the same ISP but with a different subnet and upstream gateway.

We inherited this network from a small company that we merge with and for now we have to keep it with all it's port forwards to different internal servers.

The issue we are having is that we can't get it working consistently, for example we forward a udp port for openvpn to an internal IP on that separate VLAN and sometimes it works sometimes it doesn't (when i say it doesn't the connection never reaches internal IP), same with tcp ports 80 and 443

Here are some screen captures , maybe somebody can point out the issue , WAN2 and OLD (LAN) are the corresponding wan and internal network
LAGG1 is using the two 10Gbps NICs and LAGG0 is using the switchports

Any help in getting this sorted out would be much appreciated

Interfaces

Firewall

aduzsardi

actually it doesn't work at all

aduzsardi

Could it be because i've used the second port on the integrated switch for the WAN2 interface ?
I just noticed that the link on the Webui says /interfaces.php?if=lan , does that matter other than the UI ?

aduzsardi

@aduzsardi said in Port forwarding not working correctly with multi wan:

Could it be because i've used the second port on the integrated switch for the WAN2 interface ?
I just noticed that the link on the Webui says /interfaces.php?if=lan , does that matter other than the UI ?

nope , seems like it's not that ... seems to me pfSense doesn't do well with multi-wan from the same ISP

viragomann

@aduzsardi
Basically it should work if the WANs are in different subnets and use different gateways.

Do you have any floating rules?

@aduzsardi said in Port forwarding not working correctly with multi wan:

for example we forward a udp port for openvpn to an internal IP on that separate VLAN and sometimes it works sometimes it doesn't (when i say it doesn't the connection never reaches internal IP)

Did you verify that by sniffing the traffic?

aduzsardi

@viragomann it should but it doesn't
same thing , sometimes it does , sometimes it doesn't and i have no idea how to debug it
just tested with ICMP , pinged WAN2 IP from a remote site like 10 times (meaning i repeated the command 10 times) and it worked after a minute of waiting a few times , most of the times it didn't, just timed out

LE: i don't have any floating rules

if i ping the WAN2 IP after a period of time i'm getting replies (approximately after 15-20 seconds)

--- 86.x.x.x ping statistics ---
18 packets transmitted, 9 received, 50% packet loss, time 17225ms
rtt min/avg/max/mdev = 34.308/35.349/35.745/0.485 ms

viragomann

@aduzsardi said in Port forwarding not working correctly with multi wan:

just tested with ICMP , pinged WAN2 IP from a remote site like 10 times (meaning i repeated the command 10 times) and it worked after a minute of waiting a few times , most of the times it didn't, just timed out

I guess, you didn't forward ICMP, did you?
If not it's pfSense itself who is responding here.
If you get timouts some times, check if the packets really arrive at pfSense WAN2 by running a packet capture.

aduzsardi

@viragomann no i haven't forwarded icmp , it's the firewall itself responding but with a huge delay (packet loss)

just tested the same thing on WAN1 , and i don't have this issue ... everything works as expected icmp , port forwards ... no traffic is lost

very weird , do i need to configure VLANs on the switch that's conected to the two WAN ports on pfSense and the ISP router ? Afaik you don't need to do that since the ISP router/hardware doesn't do VLANs anyway.

There's one thing i can try maybe tomorrow or the day after that and that is to see if WAN2 works with the patch cable that's in WAN1 now

viragomann

@aduzsardi
That is not a true dual-WAN setup at all.

In this case, remove the switch and configure both subnets on a single WAN interface.

aduzsardi

@viragomann not sure what you mean by that, i have a single uplink to the ISP so i need to split it with a switch

why is not really a multi-wan ?
I have two public ip addresses within two different subnets and two different uplink gateways.

How would i add both IP addresses on the same interface ? :)

Thank you for all your help!

viragomann

@aduzsardi said in Port forwarding not working correctly with multi wan:

i have a single uplink to the ISP so i need to split it with a switch
why is not really a multi-wan ?

Since both of your subnets are on a single interface on the ISP router, they can also be on a single interface on pfSense. What do you think is the benefit of an L2 switch here?

How would i add both IP addresses on the same interface ? :)

Add the second subnet as virtual IP to the WAN. Firewall > Virtual IPs. Use type "IP alias".
Then if needed, add the second gateway to WAN: System > Routing > Gateways.

If the second subnet is routed to the primary WAN IP you can use the IPs directly in portforwarding rules. If not, you have to assign each single IP as "IP alias", but this is the same for the primary subnet.

If you want to use an IP of the secondary subnet for outbound traffic, you need to configure outbound rules accordingly.

aduzsardi

@viragomann you were absolutely right , thank you very much
although it's weird that it worked intermittently before as well ¯\(ツ)/¯

i'm curious as to how does pfsense know to use the second isp gateway for the IP alias

viragomann

@aduzsardi
Basically the default gateway is used. But if a request goes to an IP out of the second subnet pfSense uses this IP for response as well, of course. Now if the default gateway lies outside of this subnet it will use the gateway that matches the subnet.