Using dual ADSLs for balancing incoming connections

Minotaur

I've just added a second ADSL connection to one of my sites, and replaced the m0n0wall installation with pfSense. I think load balancing is (mostly) working for outbound connections, bar a small issue to iron out (making sure DNS queries only go out over the specific ISP's gateway).

However, I'm having difficulty getting things to work correctly for inbound connections. There are 3 servers that should accept connections from outside, each defined with a public IP via 1:1 NAT as shown below:

I have defined both IPs for each server as per the ISPs providing them. Each network is correctly defined under Proxy ARP.

I have duplicated incoming rules for WAN and WAN2, ensuring in/out interfaces are correct:

The three servers seem to accept connections quite happily on the first WAN, but nothing gets through at all on the second WAN IPs.

Any thoughts gratefully appreciated.

dotdash

Well, I'll throw out some ideas since no one else has bitten yet…
I have a similar setup in production and it works great. I am using pure NAT port-forwards and not 1-1 NAT and no alias', but have servers that respond on both WANs.
I'm assuming that you have tested a box with a public on the new WAN (parallel to pfsense) to verify all is good getting the traffic through the provider. Why not try deleting one of the 1-1s and putting in a port forward , selecting appropriate interface and external address, make a second one for the other interface and see if that works... And just to be sure, try rebooting the box- I wasted time troubleshooting my config after it was already fixed, because I didn't want to reboot the box...
As for forcing DNS queries, I think you should be able to do that by adding a rule on the LAN something like:
proto:TCP/UDP source:LAN net * Destination:*:53 Gateway:(correct gateway)
I have a similar rule due to some crappy https pages that can't handle multi WAN.

Minotaur

Thanks for the reply.

I tested both ADSLs independently with m0n0wall prior to setting up pfSense, so I know both connections are definitely accepting connections to those IPs. I'll try deleting one of the 1:1s and recreate it manually through the Virtual IPs, though I must confess I don't see why it should make any difference.

hoba

1:1 NATs won't work for multiwan. This would be a 2:1 nat which is just not possible and is a conflict. Use portforwards on the WANs. This way the state will handle everything.

billm

@hoba:

1:1 NATs won't work for multiwan. This would be a 2:1 nat which is just not possible and is a conflict. Use portforwards on the WANs. This way the state will handle everything.

Also, fyi, you should be able to port forward ports 1-65535 w/out a problem.  No need to do individual ports if you don't want to.

–Bill