Two WANs with failover, accessing WAN1 router through WAN2?

jarlel · Dec 14, 2011, 8:23 AM

I have a setup with two WANs and two LANs where the WAN-side has been set up with failover (default is WAN1, but traffic is flowing through WAN2 when WAN1 goes down).

If WAN1 goes down the error is normally after the WAN1 router (this is a satellite link, so the WAN1 router is normally "up" when the link goes down). The monitor IP for WAN1 is set to an IP located on the "earth side" of the satellite, so if there is a problem with the satellite link pfSense won't reach this IP and consider the network to be down (and therefore remove the routing through WAN1 and route traffic through WAN2).

To fix the satellite link I'd like to be able to reach the WAN1 router (directly connected to a port on the pfSense box), that is logging in to the WAN1 router through SSH.

Is it possible to achieve this by accessing it from the WAN2 side? I know that the WAN1 gateway is considered down, but can I in any way force routing to the WAN1 router like this:

–-> WAN2 ---> pfSense ---> WAN1 router

?

Thank in advance for any help/tips.

Jarle

jimp · Dec 14, 2011, 5:10 PM

You don't want to do that.

Just add a rule at the top of the LAN like so:

pass * from LAN subnet to WAN1 router (with no gateway set)

Then it will just go out the proper interface and you can reach it no matter what failover is happening.

jarlel · Dec 15, 2011, 8:55 AM

Ok, but does the suggested solution require that the connection is done from the LAN?

I'd like to be able to connect through WAN2's public IP through a port forward setup or similar. Can this be done?

Thanks.

jimp · Dec 15, 2011, 2:15 PM

Yes that only works for connections from LAN.

To connect from the outside to a port on WAN2 to hit the WAN1 router, that would just be a normal port forward. Nothing special there, just a port forward on WAN2 that points to the WAN1 router IP with the ports you want.

jarlel · Dec 15, 2011, 2:51 PM

Thanks, jimp. And that should work even in a failover setup where WAN1 is considered down by pfSense?

jimp · Dec 15, 2011, 2:59 PM

That wouldn't have anything to do with the failover mechanisms, it would work either way.

jarlel · Dec 16, 2011, 1:25 PM

I have tested this now, but I'm not able to connect to the WAN1 router with a normal port forward through WAN2. Did it as you explained, but doesn't work. I'm able to connect to the WAN1 router from the LANs, but the port forwarding through WAN2 doesn't work.

Any idea what I could try?

jimp · Dec 16, 2011, 1:27 PM

You probably need some extra outbound NAT to make sure that things going to the WAN1 modem get NAT applied so it appears to be coming from the firewall's WAN1 IP, otherwise the WAN1 router would be trying to send it back out the dead line.

jarlel · Jan 4, 2012, 11:27 AM

Thanks again. Yes, I see that this is exactly what is happening (through packet capture), it sends the packet out on WAN1 with the originating IP-address (the public IP-address from where I connect from).

How can I modify the NAT to use the WAN1 interface IP for these packets only?

jimp · Jan 4, 2012, 7:06 PM

Make an outbound NAT rule something like this:

Interface: WAN1
Source: Any
Destination: WAN1 modem IP

jarlel · Jan 6, 2012, 12:08 PM

Thanks, I will try that. Can the mode still be "Automatic outbound NAT rule generation" or do I have to switch to "Manual Outbound NAT rule generation" to make this work?

I guess the Destination should be the IP-address of the WAN1 modem with /32 as mask?

Thanks.

jimp · Jan 6, 2012, 12:34 PM

Manual, and yes, it would be the modem ip/32.

jarlel · Jan 6, 2012, 12:37 PM

Ok, will this "break" other outbound traffic NAT'ing, that is do I need to add other rules as well to make outbound traffic/NAT work as before the switch to Manual?

jimp · Jan 6, 2012, 12:41 PM

no, when you switch to manual it makes a proper set of rules that do exactly what automatic was already doing.

jarlel · Jan 10, 2012, 2:43 PM

I tried this and was able to access the WAN1 modem through WAN2, but with a major drawback (Running 2.0.1):

When I switch to "Manual Outbound NAT…" I am not able to access the web (surf), not able to access the WAN2 modem from LAN and so on.
When set to "Manual..." it now uses the host IP on the LAN as from-IP on the WAN-side... When set to "Auto.." it uses the interface IP.

It looks like it DOESN'T add the proper set of rules as you describe? Do I need to add rules for every outbound connection or am I missing something?

Thanks for your prompt reply.

jimp · Jan 10, 2012, 5:51 PM

If your WANs are setup right (gateways exist and are selected on the interface pages, or they're dynamic) then it should be adding outbound NAT rules that cover those networks automatically.

Metu69salemi · Jan 10, 2012, 11:10 PM

Please give us a screenshot, so we could help you bit more

jarlel · Jan 11, 2012, 3:17 PM

I figured it out :-) Added two outbound NAT rules for the interfaces, source "any".

Thanks.