MultiWan, Briged Modems and Outbound NAT

  • Hi,

    I am struggling to get my setup working properly and i was hoping for some help.

    My setup:

    WAN01<–>Modem01 (<-->pfSense(DHCP)<-->LAN

    I have configured a failover gateway group and assigned that to the default LAN rule.

    Now i would like to reach the 2 modems that have internal IP's on the WAN side. pfSense has a dynamic external ip on both of the interfaces, so i think i would need virtual ip's and outbound NAT.
    This is the point i got stuck. I don't exactly know which kind of IP and what to set in the Outbound NAT screen. I also think there will be some fw rules involved (am i correct?) so that the traffic for wan02 (the failover) is always send trough the right gateway and not trough the failover?

    Could someone help me figure out the right way to make this setup work? I would be very thankful!

    grtz, Marcus

  • Maybe i placed it in the wrong section, i could be better under routing.
    But does nobody here know this kind of routing? I tried it again last night and with all my logic it seems correct, and i can ping it from pfSense, but not from the LAN.

  • Rebel Alliance Developer Netgate

    If you're using 2.0, everything goes under the 2.0 board and not the more specific ones, at least until it's released :-)

    You don't need anything fancy to reach those modems. Just add a firewall to the top of the LAN rules that will match them as a destination, but does not have a gateway set.

    You can't get there now because your gateway group is bypassing the normal routing, and could be sending the requests out of the "wrong" interface (e.g. going out WAN2 to reach WAN1's modem) since using a gateway on a rule bypasses the normal routing table.

  • Okay got it working now.
    It was indeed the firewall rule that killed it all.

    For others looking into this, i had to do the following.
    1. Add an interface alias to the nic with an ip on the modem's lan range (eg
    2. Set outbound NAT to advanced and add a rule to get any traffic with the modem's lan range as destination (eg trough the virtual ip.
    3. Add another outbound NAT rule to let the normal traffic (any) with destination any go trough not interface default ip.
    4. Add a firewall rule to get traffic for the internal range ( use the default gateway instead of the FailOver.

    The settings now look like this:
    Virtual IP:
    Virtual IP address  Type  Description    [IP Alias] M01 Subnet       [IP Alias] M02 Subnet

    Outbound NAT:
    Interface  Source  Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port  Description 
    WAN  any               *         *     *           NO          Outbound for M01 
    WAN  any               *               *                 *                 *             *            NO                Default Outbound WAN01 
    WAN02  any               *         *        *            NO          Outbound for M02 
    WAN02  any               *               *                 *                 *             *            NO          Default Outbound WAN02

    Firewall Rules:
    ID  Proto  Source  Port  Destination  Port  Gateway  Queue  Schedule  Description 
    *      GREEN net * * *      none                 Modem 01 Route 
    *      GREEN net * * *      none                 Modem 02 Route 
    *      GREEN net * *                * FailOver none                 Default allow LAN to any rule

    I hope i helped someone else by posting it  ;)

    grts, Marcus

Log in to reply