Outbound NAT (hybrid) not working
-
Hi
I have 2 primary fiber connections with static IP and one backup over ADSL with DHCP. I have them in a WAN load balancer where
Fiber 1 (Tier 1)
Fiber 2 (Tier 1) | WAN_GW
Backup (Tier 2)
I have some traffic I would like to send out over the backup line.
I have made an outbound rule like this and the rule is placed first:
Interface: Backup
Source: 192.168.11.36
Source Port: tcp/*
Destination: "ip number"/32
Destination port: tcp/25
NAT Address: Backup address
NAT Port: *
If I make a telnet from the server 192.168.11.36:
telnet "ip number" 25
The outbound rule does not pick up the traffic and it goes over the normal WAN_GW gateway, and not out over the Backup gateway. If I force the default gateway to use Backup then the traffic goes as it should.
But when I set the default gateway to WAN_GW then it does not work, where the outbound rule should pick up the traffic and send it out over the Backup line. What am I missing or doing wrong?
Regards
Henning
-
@hsv
The traffic is sent out according to the routing table. An outbound NAT rule on its own does not change this behavior. If you want to direct traffic from certain IPs or a subnet or to certain destinations out to a specific gateway you have to policy route it. That means you have to create a firewall pass rule for the concerned source IPs and state the desired gateway in the advanced options. Put this rule at the top of the rule set so that it is applied before the allow-any rule.
-
@viragomann
Hi
Thanks for the very fast response, and it worked.
Regards
Henning
-
@viragomann said in Outbound NAT (hybrid) not working:
If you want to direct traffic from certain IPs or a subnet or to certain destinations out to a specific gateway you have to policy route it. That means you have to create a firewall pass rule for the concerned source IPs and state the desired gateway in the advanced options. Put this rule to the top of the rule set so that it is applied before the allow-any rule.
Hello @viragomann, I have the same problem with NAT outbound in multi-WAN. I've read the documentation and I have difficulty with this part of the explanation and can't continue. Could you detail what the rule would look like or maybe even show me a print of this configuration?
-
@jrodrigomor
As mentioned, this has nothing to do with outbound NAT. There is a NAT rule needed for outbound traffic on each WAN though, but pfSense adds this automatically if you state a gateway on the WAN interface. What you need is called Policy Routing.
It is just a firewall pass rule for allowing outbound, where you state a gateway in the advanced options. By using aliases for source or destination, you can limit the rule to certain devices or web resources.
I don't have a policy routing rule in my configuration at this time, but if you search the web for this term, you will get a lot of hits with examples.
-
@jrodrigomor said in Outbound NAT (hybrid) not working:
Could you detail what the rule would look like or maybe even show me a print of this configuration?
Here is an example. I have an outbound NAT that says if you go out my ns1vpn, to NAT to that address. A rule that would force traffic out that gateway is placed on the interface where you have traffic you want to route out that gateway.
You assign the specific gateway to a rule via the advanced options when you set up the rule; notice the little gear next to the rule, which shows that an advanced setting was applied to the rule.
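The point made in both explanations above (the outbound NAT rule only applies once a packet is already leaving via the Backup interface, while the policy-routing pass rule with a gateway is what puts it there) can be seen in the underlying pf rule syntax that pfSense generates. The fragment below is an added illustration written in FreeBSD pf.conf syntax, not pfSense's actual generated ruleset or anyone's posted configuration: the interface names, the backup next-hop 203.0.113.1 and the mail server 198.51.100.25 are constructed placeholders, and only 192.168.11.36 comes from the thread.

```pf
# Added illustration in pf.conf syntax; not pfSense's generated ruleset.
# Interface and address values below are constructed placeholders.
lan_if    = "em0"
backup_if = "pppoe0"          # the "Backup" ADSL WAN (assumed name)
backup_gw = "203.0.113.1"     # next hop on the backup link (constructed)
mail_srv  = "198.51.100.25"   # the "ip number" destination (constructed)

# 1. Outbound NAT on the backup WAN (what the OP's Hybrid rule produces).
#    This only matches packets that are ALREADY leaving via $backup_if;
#    a nat rule never selects the outgoing interface.
nat on $backup_if inet proto tcp from 192.168.11.36 to $mail_srv port 25 -> ($backup_if)

# 2. Policy routing: a pass rule on the LAN side with a gateway set in the
#    advanced options becomes route-to, which overrides the routing table
#    (default WAN_GW) for matching traffic. It must sit above the allow-any
#    rule, and 'quick' stops evaluation once it matches.
pass in quick on $lan_if route-to ($backup_if $backup_gw) inet proto tcp \
    from 192.168.11.36 to $mail_srv port 25 keep state

# 3. The usual allow-any rule, evaluated afterwards; everything else follows
#    the routing table and leaves via WAN_GW, where the automatic NAT applies.
pass in quick on $lan_if inet from $lan_if:network to any keep state
```

With rule 2 in place, a `telnet 198.51.100.25 25` from 192.168.11.36 is routed to $backup_gw on $backup_if regardless of the default gateway, and only then does rule 1 rewrite its source to the backup address. If rule 2 were placed below rule 3, rule 3 would match first, the packet would follow the routing table to WAN_GW, and rule 1 would never see it, which is exactly the behaviour described in the opening post.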