Multi WAN with NAT Reflection
-
Hello Everyone,
pfSense version: 2.6.0
Current scenario: We have a local web server which the local users access using the WAN IP. We have NAT reflection mode set to Pure NAT and "Automatic outbound NAT for reflection" enabled.
So far so good. Everything is working as expected.
Issue: The issue arises when the LAN rule for the Multi-WAN gateway is enabled.
When the gateway is set to Default, local users can access the web server, but when the gateway is set to the gateway group it is not accessible. Any pointers?
Regards,
Ashima -
@ashima said in Multi WAN with NAT Reflection:
When the gateway is set as Default, local users can access the webserver but when the Gateway is set to Gateway group it is not accessible.
Any Pointers ?

So set the gateway to default for the concerned destinations.
The access to your local web servers cannot work if you force the packets to a gateway. But this is what the gateway option in the rule is doing at all.
Instead of setting a gateway in the firewall rules (policy routing), set the desired gateway in System > Routing > Gateways > Default Gateway.
If this is not an option for you for whatever reason, you need to add additional rules for local destinations. -
Thanks for responding @viragomann
My requirement :
- Failover to work for Local users.
- Access my local web server using WAN IP from LAN.
If I keep the rules in this order NAT reflection works. I am able to access local web servers using WAN IP.
If the order is reversed, failover works but NAT reflection stops.
My query: what LAN rules need to be added so that both failover and NAT reflection work?
-
@ashima
What about the System > Routing > Gateways > Default Gateway setting? Is this not practicable for you?
Otherwise you have to limit the destination in the rule to your local ones, as mentioned, not "any" as your rule is using.
-
Added this rule on top:
I guess this should work. I am working remotely so can't test local access.
Shall update once I receive a response from the local team.
The destination IP (masked) in the above screenshot is my WAN IP.
-
The NAT reflection rules will change that destination to the internal IP of the server before it hits that rule so the destination should be the internal IP.
-
Yes. bang on point. Thank you @stephenw10. This is why we all love this forum.
So NAT reflection is applied before firewall rules.
Next step is to install haproxy as I have two webservers working on same port.
@stephenw10 will my LAN rules remain the same?
PS: This is the first time I would be working with haproxy. -
When you use an actual proxy, like HAProxy, you don't need any sort of reflection. The proxy will listen on the public IP for incoming traffic from any source and will open its own connections to the backend, so no outbound NAT is needed there either.
So your LAN rules would need to allow connections from LAN to the WAN IP HAProxy is listening on without routing via the WAN gateway.
Steve
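The two points made in this thread (reflection rewrites the destination before the filter rules run, so the local-access rule must name the internal server address and sit above the policy-routed rule; and with HAProxy the LAN only needs a plain pass to the WAN IP with no gateway set) are easier to see in pf.conf form. The sketch below is an added example, not text from the thread and not pfSense-generated output: pfSense builds its own ruleset from the GUI, and the interface names, addresses and gateways here are assumed values chosen for illustration.

```pf
# Added example (not from the thread, not a pfSense rules.debug dump).
# Interfaces, networks and gateway addresses are assumed for illustration.

lan_if  = "em1"
wan1_if = "em0"
wan2_if = "em2"
lan_net = "192.168.1.0/24"
wan_ip  = "203.0.113.10"      # public IP the web server is published on
srv_ip  = "192.168.1.10"      # internal web server
wan1_gw = "203.0.113.1"
wan2_gw = "198.51.100.1"

# 1. NAT reflection. Translation rules are evaluated before the filter
#    rules, so a LAN packet sent to $wan_ip:80 already carries $srv_ip as
#    its destination by the time the pass rules below see it.
rdr on $lan_if proto tcp from $lan_net to $wan_ip port 80 -> $srv_ip

#    "Automatic outbound NAT for reflection": the source is rewritten to the
#    LAN interface address so the server's reply comes back via the firewall
#    instead of going directly to the client.
nat on $lan_if proto tcp from $lan_net to $srv_ip port 80 -> ($lan_if)

# 2. Filter rules, first match wins ("quick"). The local-access rule names
#    the INTERNAL address and is scoped to port 80 rather than "any"; a rule
#    written against $wan_ip never matches the already-reflected traffic.
#    No route-to here, so the packet follows the normal routing table.
pass in quick on $lan_if proto tcp from $lan_net to $srv_ip port 80

#    HAProxy variant: the proxy listens on $wan_ip itself, so no rdr/nat is
#    needed, but LAN clients still need a plain pass (no route-to) to reach it.
# pass in quick on $lan_if proto tcp from $lan_net to $wan_ip port 80

# 3. Everything else from LAN is policy-routed out the WAN gateway pool.
#    For a failover group pfSense rebuilds this pool when a gateway's monitor
#    marks it down; a load-balanced pool looks like this.
pass in quick on $lan_if from $lan_net to any \
    route-to { ($wan1_if $wan1_gw), ($wan2_if $wan2_gw) } round-robin
```

The ordering in the file mirrors what pf requires (translation before filtering) and what the thread concludes: the specific, destination-limited rule comes first and carries no gateway, and the catch-all policy-routing rule comes last, so only traffic that genuinely leaves the site is forced out a WAN gateway.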