Netgate Discussion Forum

    Multi WAN with NAT Reflection

General pfSense Questions
ashima (LAYER 8):

      Hello Everyone,

pfSense version: 2.6.0

Current scenario: We have a local web server which local users access using the WAN IP. We have NAT reflection mode set to Pure NAT, and Automatic outbound NAT for reflection is enabled.
So far so good. Everything is working as expected.

Issue: The issue arises when the LAN rule for the MultiWAN gateway is enabled.
When the gateway is set to Default, local users can access the web server, but when the gateway is set to the gateway group it is not accessible.

Any pointers?

      Regards,
      Ashima

viragomann (replying to @ashima):

        @ashima said in Multi WAN with NAT Reflection:

When the gateway is set to Default, local users can access the web server, but when the gateway is set to the gateway group it is not accessible.
Any pointers?

So set the gateway to default for the concerned destinations.
Access to your local web servers cannot work if you force the packets to a gateway. But that is exactly what the gateway option in the rule does.

Instead of setting a gateway in the firewall rules (policy routing), set the desired gateway in System > Routing > Gateways > Default Gateway.
If this is not an option for you for whatever reason, you need to add additional rules for local destinations.

ashima (LAYER 8):

Thanks for responding, @viragomann.

My requirements:

1. Failover to work for local users.
2. Access my local web server using the WAN IP from LAN.

[screenshot: LAnrules.JPG]

If I keep the rules in this order, NAT reflection works. I am able to access the local web servers using the WAN IP.
If the order is reversed, failover works but NAT reflection stops.

My query: what LAN rules need to be added so that both failover and NAT reflection work?

viragomann (replying to @ashima):

@ashima
What about the System > Routing > Gateways > Default Gateway setting? Is this not practicable for you?

Otherwise you have to limit the destination in the rule to your local ones, as mentioned, not "any" as your rule is using.

ashima (LAYER 8):

Added this rule on top:

[screenshot: LANRuleTo acc.jpeg]

I guess this should work. I am working remotely so I can't test local access.
I shall update once I receive a response from the local team.

The destination IP (masked) in the above screenshot is my WAN IP.

stephenw10 (Netgate Administrator):

The NAT reflection rules will change that destination to the internal IP of the server before it hits that rule, so the destination should be the internal IP.
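A small model of the ordering described above, added here as an example and not code from the thread or from pfSense: Pure NAT reflection rewrites the destination first, then the LAN rules are evaluated first-match. All addresses are constructed (the poster masked the real ones) and the gateway-group name is a placeholder.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses; not the ones from the thread.
WAN_IP = ip_address("203.0.113.10")
SERVER_IP = ip_address("192.168.1.50")
LAN_NET = ip_network("192.168.1.0/24")
INTERNET_HOST = ip_address("198.51.100.7")

# Port forward WAN_IP:443 -> SERVER_IP:443, with Pure NAT reflection enabled.
PORT_FORWARDS = {(WAN_IP, 443): (SERVER_IP, 443)}

def reflect(dst, dport):
    """Pure NAT reflection rewrites the destination before filter rules run."""
    return PORT_FORWARDS.get((dst, dport), (dst, dport))

def lan_rule(dst, gateway):
    """A LAN pass rule: dst is an ip_network, or None for 'any'."""
    return {"dst": dst, "gateway": gateway}

def route_lan_packet(rules, dst, dport):
    """Apply reflection, then first-match filtering; return the gateway used.
    'default' means the system routing table, i.e. local delivery to LAN hosts."""
    dst, dport = reflect(dst, dport)
    for rule in rules:
        if rule["dst"] is None or dst in rule["dst"]:
            return rule["gateway"]
    return "BLOCK"

# The three rule orderings discussed in the thread, top to bottom.
# Placeholder gateway-group name; pfSense uses whatever you named the group.
FAILOVER_ONLY = [lan_rule(None, "WAN_FAILOVER_GROUP")]
WAN_IP_ON_TOP = [lan_rule(ip_network(f"{WAN_IP}/32"), "default"),
                 lan_rule(None, "WAN_FAILOVER_GROUP")]
LOCAL_ON_TOP = [lan_rule(LAN_NET, "default"),
                lan_rule(None, "WAN_FAILOVER_GROUP")]

if __name__ == "__main__":
    for name, rules in [("failover only", FAILOVER_ONLY),
                        ("WAN IP on top", WAN_IP_ON_TOP),
                        ("local net on top", LOCAL_ON_TOP)]:
        reflected = route_lan_packet(rules, WAN_IP, 443)
        internet = route_lan_packet(rules, INTERNET_HOST, 443)
        print(f"{name}: LAN->WAN_IP goes via {reflected}, LAN->internet via {internet}")
```

Only the third ordering sends the reflected connection to the routing table while still policy-routing internet traffic to the failover group; a rule matching the WAN IP never fires because the destination has already been rewritten.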

ashima (LAYER 8):

Yes, bang on point. Thank you @stephenw10. This is why we all love this forum.

                  So NAT reflection is applied before firewall rules.

Next step is to install HAProxy as I have two web servers working on the same port.

@stephenw10, will my LAN rules remain the same?
PS: This is the first time I will be working with HAProxy.

stephenw10 (Netgate Administrator):

When you use an actual proxy, like HAProxy, you don't need any sort of reflection. The proxy will listen on the public IP for incoming traffic from any source and will open its own connections to the backend, so no outbound NAT is needed there either.
So your LAN rules would need to allow connections from LAN to the WAN IP HAProxy is listening on without routing via the WAN gateway.

                    Steve

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.