Multiple WAN, but not Multi WAN
-
Since I finally got this working, I thought I'd post what I did, in the off chance someone else needs to do something similar.
In my case, my (residential) ISP kindly gave me multiple static IP addresses. However, the ISP needs to bind each static IP to a unique MAC address. Thus, I have WAN (igb0) and WAN2 (igb3), each on different upstream subnets, but using the same physical connection to my ISP (via a cable modem in bridge mode).
Business ISPs would typically give you an IP block, and route that block for you, so you can support multiple IP addresses just as additional addresses on the same interface with no need for multiple interfaces. Not so, in my case.
The purpose for WAN2 is for testing, particularly in cases where I need to test IPSec, which can't really handle new connections from existing peer addresses. Since it's the same physical connection, I don't want to use Multi WAN (no purpose in fail-over), but want one or more subnets on my network to route out of WAN2 instead of WAN.
In this case, I have a LAN2 network to test using WAN2. I got everything working, except that all LAN2 traffic still went out of WAN instead of WAN2. After scratching my head for a while, I finally found the solution.
I had created a default firewall rule to allow LAN2 to any, but it used "Default" for the Gateway (under Advanced - shows as "*" in Rules). I changed this to the GW I had defined for WAN2 (WAN2GW), and lo! Everything started to work the way I wanted.
Moreover, I did not need to create any specific Outbound NAT rules - the default rules created seem to be OK.
So, if you need to route specific internal networks to specific external interfaces, this seems to be the way to go.
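As an added illustration (not part of the original post, and not literal pfSense output), here is a hand-written approximation of the pf rules that the setup above boils down to, with placeholder addresses: LAN2 is assumed to be igb2 on 192.168.2.0/24, WAN2 is igb3, and WAN2GW is 203.0.113.1. The rule order matters because pfSense rules are first-match (`quick`): the first rule keeps traffic to other local networks on the normal routing table, since a policy-routed "to any" rule would otherwise push LAN2-to-LAN traffic out WAN2 as well.

```pf
# Added example, not the poster's configuration. Assumed interfaces/addresses:
#   LAN2  = igb2, 192.168.2.0/24
#   WAN2  = igb3, gateway WAN2GW = 203.0.113.1 (RFC 5737 documentation address)

# 1. Internal destinations: no gateway set, so the routing table decides.
#    Placed first, because route-to on the rule below bypasses the routing table.
pass in quick on igb2 inet from 192.168.2.0/24 \
    to { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } keep state

# 2. The LAN2 "allow to any" rule with Gateway = WAN2GW.
#    route-to sends matching packets to 203.0.113.1 via igb3 regardless of the
#    system default route, which is what made LAN2 leave through WAN2.
pass in quick on igb2 route-to (igb3 203.0.113.1) inet \
    from 192.168.2.0/24 to any keep state

# 3. Automatic outbound NAT: source addresses are rewritten to the address of
#    whichever WAN interface the packet actually leaves on, so no manual
#    outbound NAT entry is needed for WAN2.
nat on igb3 inet from 192.168.2.0/24 to any -> (igb3)
```

On the firewall itself, `pfctl -sr | grep route-to` shows whether the loaded LAN2 rule actually carries the WAN2 gateway (a rule with Gateway left at Default has no `route-to` clause), and `pfctl -ss` lists the resulting states so you can confirm LAN2 sessions are being translated on igb3 rather than igb0.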
-
@mushymiddle like https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html ? :)
-
@steveits said in Multiple WAN, but not Multi WAN:
https://docs.netgate.com/pfsense/en/latest/multiwan/policy-route.html
Yes, pretty much. I did see that page, but when it started talking about gateway groups, I lost interest. I should have read further, where it says "...gateway or group...".
Further, it wasn't obvious that what I needed to do was a firewall issue, instead of a routing issue. My disconnect w/r/t the pfSense firewall has always been this:
"In pfSense software, rules on interface tabs are applied on a per-interface basis, always in the inbound direction on that interface."
https://docs.netgate.com/pfsense/en/latest/firewall/rule-methodology.html
So, in my case here, the rule would seem to affect outbound traffic, and not inbound. It just seems weird to use firewall rules to affect routing... in effect.
-
@mushymiddle all good points :)