MultiWan, Briged Modems and Outbound NAT
-
Hi,
I am struggling to get my setup working properly and i was hoping for some help.
My setup:
WAN01<–>Modem01 (10.0.0.1)<-->pfSense(DHCP)<-->LAN
WAN02<-->Modem02(10.1.0.1)<-->pfSense(DHCP)<-->LANI have configured a failover gateway group and assigned that to the default LAN rule.
Now i would like to reach the 2 modems that have internal IP's on the WAN side. pfSense has a dynamic external ip on both of the interfaces, so i think i would need virtual ip's and outbound NAT.
This is the point i got stuck. I don't exactly know which kind of IP and what to set in the Outbound NAT screen. I also think there will be some fw rules involved (am i correct?) so that the traffic for wan02 (the failover) is always send trough the right gateway and not trough the failover?Could someone help me figure out the right way to make this setup work? I would be very thankful!
grtz, Marcus
-
Maybe i placed it in the wrong section, i could be better under routing.
But does nobody here know this kind of routing? I tried it again last night and with all my logic it seems correct, and i can ping it from pfSense, but not from the LAN. -
If you're using 2.0, everything goes under the 2.0 board and not the more specific ones, at least until it's released :-)
You don't need anything fancy to reach those modems. Just add a firewall to the top of the LAN rules that will match them as a destination, but does not have a gateway set.
You can't get there now because your gateway group is bypassing the normal routing, and could be sending the requests out of the "wrong" interface (e.g. going out WAN2 to reach WAN1's modem) since using a gateway on a rule bypasses the normal routing table.
-
Okay got it working now.
It was indeed the firewall rule that killed it all.For others looking into this, i had to do the following.
1. Add an interface alias to the nic with an ip on the modem's lan range (eg 10.0.0.6/29).
2. Set outbound NAT to advanced and add a rule to get any traffic with the modem's lan range as destination (eg 10.0.0.0/26) trough the virtual ip.
3. Add another outbound NAT rule to let the normal traffic (any) with destination any go trough not interface default ip.
4. Add a firewall rule to get traffic for the internal range (10.0.0.0/29) use the default gateway instead of the FailOver.The settings now look like this:
Virtual IP:
Virtual IP address Type Description
10.177.255.254/20 [IP Alias] M01 Subnet
10.0.0.6/29 [IP Alias] M02 SubnetOutbound NAT:
Interface Source Source Port Destination Destination Port NAT Address NAT Port Static Port Description
WAN any * 10.177.240.0/20 * 10.177.255.254 * NO Outbound for M01
WAN any * * * * * NO Default Outbound WAN01
WAN02 any * 10.0.0.0/29 * 10.0.0.6 * NO Outbound for M02
WAN02 any * * * * * NO Default Outbound WAN02Firewall Rules:
ID Proto Source Port Destination Port Gateway Queue Schedule Description
* GREEN net * 10.177.240.0/20 * * none Modem 01 Route
* GREEN net * 10.0.0.0/29 * * none Modem 02 Route
* GREEN net * * * FailOver none Default allow LAN to any ruleI hope i helped someone else by posting it ;)
grts, Marcus