Multi-WAN and port forwards: Always respond to same interface? [resolved]

  • Edit: I was able to resolve this. Turns out I had neglected to set a "gateway" option under the interfaces themselves. Setting this will activate code in pfSense that will enable reply-to rules, which does exactly what I want.

    I have two pfSense boxes set up in the lab (actually virtual machines - yay for setting up complicated labs in virtual machines). Both are running pfSense 2.0 RC1.

    The first one is called edgefw. This has the following interfaces:

    • WAN1
    • WAN2
    • LAN

    The second one is called mockrouter.

    • Link1
    • Link2
    • LAN
    • WAN DHCP (this is hooked to my "real" LAN which has NAT:ed access to the Internet)

    Basically, the idea is to use "mockrouter" to simulate two WAN connections, and the LAN on the "mockrouter" is so that I can have a client accessing it that is coming from an IP address that is not directly reachable from "edgefw".

    Edgefw is configured to use two WAN connections. I have not set them up in particular, other than that both are gateways.

    There's some NAT going on as well. Edgefw has two AON rules that NAT traffic exiting WAN1 and WAN2 with their interface IP addresses respectively. And edgefw has port forwards that forward requests to and on TCP port 19 (chargen) to a Windows XP (a VM again, with the simple internet services enabled) sitting at Mockrouter NAT:s all traffic exiting the WAN (which is the "real/live" internet connection - going through my "real/live" LAN).

    I have my real computer hooked up so that it's sitting with an IP address configured in only, and I'm connecting from there to and on the chargen port respectively. seems to be chosen as the active / default gateway for edgefw. This means that all traffic going to a default route, even responses to packets sent to end up exiting on the "wrong" interface, causing an asymmetric routing situation which I don't want in this particular setup.

    Ideally what I want is so that responses to requests that are made to exit on the same interface. I'd imagine that I'd use some kind of policy routing to do that, however I don't really see how, since as far as I understand, the pfSense policies only let you apply policy routing to connections in the outgoing direction (for requests), not for "responses". Am I wrong about this, or is there some way to accomplish this?

    One "simple idea" I had is "if source address for a packet that needs to be routed is, exit via WAN2, otherwise via WAN1", but I'm not sure how to express that in pfSense… because that kind of rule would not match the "start" of a TCP flow.
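For illustration, the following hand-written pf ruleset is modelled on what pfSense builds once each WAN interface has a gateway set, so that a reply to a connection that arrived on WAN2 leaves via WAN2's gateway rather than the default route. It is an added example, not the post's or pfSense's own generated rules; interface names, gateway addresses, the LAN subnet and the XP host address are placeholders.

```pf
# Added example, not from the post: pf rules in the shape pfSense generates
# when each WAN has a gateway configured. All names/addresses are placeholders.
wan1    = "em0"
wan2    = "em1"
lan     = "em2"
wan1_gw = "198.51.100.1"
wan2_gw = "203.0.113.1"
lan_net = "10.0.0.0/24"
xp_host = "10.0.0.19"        # placeholder for the chargen (tcp/19) server

# Outbound NAT: traffic leaving each WAN is rewritten to that interface's
# own address (the two AON rules described in the post).
nat on $wan1 from $lan_net to any -> ($wan1)
nat on $wan2 from $lan_net to any -> ($wan2)

# Port forwards: tcp/19 arriving at either WAN address goes to the XP host.
rdr on $wan1 proto tcp from any to ($wan1) port 19 -> $xp_host port 19
rdr on $wan2 proto tcp from any to ($wan2) port 19 -> $xp_host port 19

# The fix from the post: reply-to binds the state to the interface the SYN
# arrived on and names the gateway replies must be sent through. Without a
# gateway on the interface pfSense cannot emit reply-to, so replies to
# requests that came in on WAN2 follow the default route out of WAN1
# (the asymmetric routing the post describes).
pass in quick on $wan1 reply-to ($wan1 $wan1_gw) proto tcp \
    from any to $xp_host port 19 flags S/SA keep state
pass in quick on $wan2 reply-to ($wan2 $wan2_gw) proto tcp \
    from any to $xp_host port 19 flags S/SA keep state

# reply-to only steers replies to connections that entered on a WAN; new
# outbound connections from the LAN are policy-routed separately (route-to
# on the LAN rules), which is the direction the post notes pfSense exposes.
pass out quick on $wan1 keep state
pass out quick on $wan2 keep state
```

Because pf tracks the whole flow in one state entry, the reply-to chosen on the first SYN applies to every later packet of that connection, which is why a per-packet "if source address is X, exit via WAN2" rule is not needed.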
