Multiple Gateways on WAN Link

  • My ISP provides me with two different subnets/gateways on my WAN link (/29 addresses).  My requirement is to use policy routing to route different source traffic to the different WAN subnets and inbound NAT routing from the different IPs and subnets.

    I have tried using virtual IP's but it is not working.  Can someone point me in the right direction?


  • Your ISP gives you two different subnets on the same interface? (Presumably ethernet).

    If so, are they VLAN tagging the other subnet?

    If so, then set up vlans.

    If not, then use another ethernet nic so you can have dual WAN on the same ethernet segment but living on different subnets with matching gateways.

  • Yes, the ISP provides two address ranges over the same ethernet interface.  They use two ATM PVCs converted to ethernet.  The router is not VLAN compatible.  I thought it may be possible to create two sub-interfaces on the same OPT interface.  I know I can break them out to a managed switch and use VLANs, but I thought there may be a way without VLANs?

  • You can do this with a little bit of netgraph magic.
    Run the following shell script at boot or shortly thereafter either from ssh or by adding it to the boot sequence. All changes are reset when the router is rebooted.

    It will create a virtual interface named ngeth0 and bridge it with the physical WAN that already exists. This interface has its own MAC address, IP address, subnet, etc., but the packets sent/received by it still flow through the same physical interface as the WAN. Add a new OPT interface for this virtual interface and configure it as needed via pfSense.

    The virtual interface will behave just as if an extra NIC was added to the machine and this extra NIC, the physical NIC, and the rest of the physical network were connected together with a switch.

    Note: Running a packet capture on the WAN interface may disrupt the virtual interface. I need to test and see if it properly restores the promisc value for the interface after the packet capture. You will also want to tell pfSense to suppress ARP messages when NICs share the same physical network (under advanced settings, I believe).

    Let me know if there are any syntactical errors or other weird output that I need to fix.

    #!/bin/sh
    #A simple virtual interface script - USE AT OWN RISK
    #Creates a virtual interface and bridges it with a physical interface.

    #User Variables - Modify these to suit your needs. Both need to be customized for the current system

    #This is the name of the physical interface device. Look it up in `ifconfig' if you don't remember the name from when you configured pfSense
    #"WAN" is most likely NOT correct.
    #(PLACEHOLDER value: the original post's assignment was lost in extraction; put your physical device name here)
    LOCAL_IFACE=REPLACE_WITH_PHYSICAL_IFACE

    #This is the mac address of the new virtual interface. It should be different from the physical interface
    #(PLACEHOLDER value: use a locally administered unicast address, e.g. one with the 0x02 bit set in the first octet)
    VIRT_IFACE_MAC=02:00:00:00:00:01

    #Non-User code
    #Name given to the netgraph bridge node (assumed name; any unused node name works)
    BRIDGE=ngbridge0

    #refuse to run until both user variables have been customized
    if [ "${LOCAL_IFACE}" = "REPLACE_WITH_PHYSICAL_IFACE" ] || [ -z "${VIRT_IFACE_MAC}" ]; then
        echo "set LOCAL_IFACE and VIRT_IFACE_MAC before running" >&2
        exit 1
    fi

    #create the bridge: attach a new bridge node to the physical interface's "lower" hook
    ngctl mkpeer ${LOCAL_IFACE}: bridge lower link0 || exit 1
    ngctl name ${LOCAL_IFACE}:lower ${BRIDGE}
    #restore packet flow to the physical interface (bridge link1 <-> ether node's "upper" hook)
    ngctl connect ${BRIDGE}: ${LOCAL_IFACE}: link1 upper
    #create virtual interface (the first eiface node on the system is named ngeth0)
    ngctl mkpeer ${BRIDGE}: eiface link2 ether
    #set virtual mac address and bring the interface up
    ifconfig ngeth0 ether ${VIRT_IFACE_MAC}
    ifconfig ngeth0 up
    #make sure we can read packets from the physical interface directed to the virtual one and
    #that we can write packets out without the virtual mac being overwritten
    ngctl msg ${LOCAL_IFACE}: setautosrc 0
    ngctl msg ${LOCAL_IFACE}: setpromisc 1
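
    A companion helper, added here as an example and not part of the original post: it derives a virtual MAC that is guaranteed to differ from the physical NIC's (and is flagged as locally administered), re-applies the two ng_ether settings the posted script ends with (the post's caveat is that a packet capture on the WAN may disturb promiscuous mode), and tears the netgraph nodes down without a reboot. The node names ngeth0 and ngbridge0 and the function names are assumptions of this example, not from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the posted script's
# layout: physical interface in LOCAL_IFACE, bridge node named ngbridge0,
# virtual interface ngeth0. Only the ngctl parts need FreeBSD.

# Derive a locally administered unicast MAC from the physical MAC: set the
# local bit (0x02) and clear the multicast bit (0x01) in the first octet, and
# increment the last octet, so the result can never equal the physical MAC.
make_virtual_mac() {
    phys="$1"
    o1=$(printf '%s' "$phys" | cut -d: -f1)
    mid=$(printf '%s' "$phys" | cut -d: -f2-5)
    o6=$(printf '%s' "$phys" | cut -d: -f6)
    new1=$(( ( 0x$o1 | 0x02 ) & 0xfe ))
    new6=$(( ( 0x$o6 + 1 ) & 0xff ))
    printf '%02x:%s:%02x\n' "$new1" "$mid" "$new6"
}

# Re-apply the settings the posted script ends with. Run this after a packet
# capture on the WAN: if promisc was reset, frames addressed to the virtual
# MAC are dropped by the NIC and ngeth0 silently stops receiving.
reapply_promisc() {
    iface="$1"
    ngctl msg "${iface}:" setautosrc 0 && ngctl msg "${iface}:" setpromisc 1
}

# Undo the posted script without rebooting: shut down the eiface and bridge
# nodes (disconnecting the ether node's lower/upper hooks restores normal
# flow) and put ng_ether back to its defaults (autosrc on, promisc off).
teardown() {
    iface="$1"; bridge="${2:-ngbridge0}"; veth="${3:-ngeth0}"
    ngctl shutdown "${veth}:"
    ngctl shutdown "${bridge}:"
    ngctl msg "${iface}:" setpromisc 0
    ngctl msg "${iface}:" setautosrc 1
}

# Usage: ./helper.sh mac 00:11:22:33:44:55
#        ./helper.sh fix em0          (re-apply promisc after a capture)
#        ./helper.sh down em0         (tear down bridge and ngeth0)
case "${1:-}" in
    mac)  make_virtual_mac "$2" ;;
    fix)  reapply_promisc "$2" ;;
    down) teardown "$2" ;;
esac
```

    The "fix" path is the one to script around a capture: run it right after tcpdump or the pfSense packet-capture page finishes on the WAN, and check that ngeth0 answers ARP again.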
