Multi-WAN and port forwards: Always respond to same interface? [resolved]



  • Edit: I was able to resolve this. Turns out I had neglected to set a "gateway" option under the interfaces themselves. Setting this will activate code in pfsense that will enable reply-to rules which does exactly what it is I want.

    I have two pfSense boxes set up in the lab (actually virtual machines - yay for setting up complicated labs in virtual machines). Both are running pfSense 2.0 RC1.

    The first one is called edgefw. This has the following interfaces:

    • WAN1 172.16.1.1/24
    • WAN2 172.16.2.1/24
    • LAN 172.16.0.1/24

    The second one is called mockrouter.

    • Link1 172.16.1.2/24
    • Link2 172.16.2.2/24
    • LAN 172.16.3.0/24
    • WAN DHCP (this is hooked to my "real" LAN which has NAT:ed access to the Internet)

    Basically, the idea is to use "mockrouter" to simulate two WAN connections, and the LAN on the "mockrouter" is so that I can have a client accessing it that is coming from an IP address that is not directly reachable from "edgefw".

    Edgefw is configured to use two WAN connections. I have not set them up in particular, other than that both are gateways.

    There's some NAT going on as well. Edgefw has two AON rules that NAT traffic exiting WAN1 and WAN2 with their interface IP addresses respectively. And edgefw has port forwards that forward requests to 172.16.1.1 and 172.16.2.1 on TCP port 19 (chargen) to a Windows XP (a VM again, with the simple internet services enabled) sitting at 172.16.3.51. Mockrouter NAT:s all traffic exiting the WAN (which is the "real/live" internet connection - going through my "real/live" LAN).

    I have my real computer hooked up so that it's sitting with an IP address configured in 172.16.3.0/24 only, and I'm connecting from there to 172.16.1.1 and 172.16.2.1 on the chargen port respectively.

    172.16.1.2 seems to be chosen as the active / default gateway for edgefw. This means that all traffic going to a default route, even responses to packets sent to 172.16.2.1 end up exiting on the "wrong" interface, causing an assymetric routing situation which I don't want in this particular setup.

    Ideally what I want is so that responses to requests that are made to 172.16.2.1 exit on the same interface. I'd imagine that I'd use some kind of policy routing to do that, however I don't really see how, since as far as I understand, the pfsense policies only let you apply policy routing to connections in the outgoing direction (for requests) not for "responses". Am I wrong about this, or is there some way to accomplish this?

    One "simple idea" i had is "if source address for a packet that needs to be routed is 172.16.2.1, exit via WAN2, otherwise via WAN1" but I'm not sure how to express that in pfSense… because that kind of rule would not match the "start" of a TCP flow.


Log in to reply