Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Two WANs with failover, accessing WAN1 router through WAN2?

    Routing and Multi WAN
    3
    18
    4.9k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      jarlel
      last edited by

      I have a setup with two WANs and two LANs where the WAN-side has been set up with failover (default is WAN1, but traffic is flowing through WAN2 when WAN1 goes down).

      If WAN1 goes down the error is normally after the WAN1 router (this is a satellite link, so the WAN1 router is normally "up" when the link goes down). The monitor IP for WAN1 is set to an IP located on the "earth side" of the satellite, so if there is a problem with the satellite link pfSense won't reach this IP and consider the network to be down (and therefore remove the routing through WAN1 and route traffic through WAN2).

      To fix the satellite link I'd like to be able to reach the WAN1 router (directly connected to a port on the pfSense box), that is logging in to the WAN1 router through SSH.

      Is it possible to achieve this by accessing it from the WAN2 side? I know that the WAN1 gateway is considered down, but can I in any way force routing to the WAN1 router like this:

      โ€“-> WAN2 ---> pfSense ---> WAN1 router

      ?

      Thank in advance for any help/tips.

      Jarle

      1 Reply Last reply Reply Quote 0
      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        You don't want to do that.

        Just add a rule at the top of the LAN like so:

        pass * from LAN subnet to WAN1 router (with no gateway set)

        Then it will just go out the proper interface and you can reach it no matter what failover is happening.

        Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        1 Reply Last reply Reply Quote 0
        • J
          jarlel
          last edited by

          Ok, but does the suggested solution require that the connection is done from the LAN?

          I'd like to be able to connect through WAN2's public IP through a port forward setup or similar. Can this be done?

          Thanks.

          1 Reply Last reply Reply Quote 0
          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            Yes that only works for connections from LAN.

            To connect from the outside to a port on WAN2 to hit the WAN1 router, that would just be a normal port forward. Nothing special there, just a port forward on WAN2 that points to the WAN1 router IP with the ports you want.

            Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            1 Reply Last reply Reply Quote 0
            • J
              jarlel
              last edited by

              Thanks, jimp. And that should work even in a failover setup where WAN1 is considered down by pfSense?

              1 Reply Last reply Reply Quote 0
              • jimpJ
                jimp Rebel Alliance Developer Netgate
                last edited by

                That wouldn't have anything to do with the failover mechanisms, it would work either way.

                Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

                1 Reply Last reply Reply Quote 0
                • J
                  jarlel
                  last edited by

                  I have tested this now, but I'm not able to connect to the WAN1 router with a normal port forward through WAN2. Did it as you explained, but doesn't work. I'm able to connect to the WAN1 router from the LANs, but the port forwarding through WAN2 doesn't work.

                  Any idea what I could try?

                  1 Reply Last reply Reply Quote 0
                  • jimpJ
                    jimp Rebel Alliance Developer Netgate
                    last edited by

                    You probably need some extra outbound NAT to make sure that things going to the WAN1 modem get NAT applied so it appears to be coming from the firewall's WAN1 IP, otherwise the WAN1 router would be trying to send it back out the dead line.

                    Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                    Need help fast? Netgate Global Support!

                    Do not Chat/PM for help!

                    1 Reply Last reply Reply Quote 0
                    • J
                      jarlel
                      last edited by

                      Thanks again. Yes, I see that this is exactly what is happening (through packet capture), it sends the packet out on WAN1 with the originating IP-address (the public IP-address from where I connect from).

                      How can I modify the NAT to use the WAN1 interface IP for these packets only?

                      1 Reply Last reply Reply Quote 0
                      • jimpJ
                        jimp Rebel Alliance Developer Netgate
                        last edited by

                        Make an outbound NAT rule something like this:

                        Interface: WAN1
                        Source: Any
                        Destination: WAN1 modem IP

                        Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                        Need help fast? Netgate Global Support!

                        Do not Chat/PM for help!

                        1 Reply Last reply Reply Quote 0
                        • J
                          jarlel
                          last edited by

                          Thanks, I will try that. Can the mode still be "Automatic outbound NAT rule generation" or do I have to switch to "Manual Outbound NAT rule generation" to make this work?

                          I guess the Destination should be the IP-address of the WAN1 modem with /32 as mask?

                          Thanks.

                          1 Reply Last reply Reply Quote 0
                          • jimpJ
                            jimp Rebel Alliance Developer Netgate
                            last edited by

                            Manual, and yes, it would be the modem ip/32.

                            Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                            Need help fast? Netgate Global Support!

                            Do not Chat/PM for help!

                            1 Reply Last reply Reply Quote 0
                            • J
                              jarlel
                              last edited by

                              Ok, will this "break" other outbound traffic NAT'ing, that is do I need to add other rules as well to make outbound traffic/NAT work as before the switch to Manual?

                              1 Reply Last reply Reply Quote 0
                              • jimpJ
                                jimp Rebel Alliance Developer Netgate
                                last edited by

                                no, when you switch to manual it makes a proper set of rules that do exactly what automatic was already doing.

                                Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                                Need help fast? Netgate Global Support!

                                Do not Chat/PM for help!

                                1 Reply Last reply Reply Quote 0
                                • J
                                  jarlel
                                  last edited by

                                  I tried this and was able to access the WAN1 modem through WAN2, but with a major drawback (Running 2.0.1):

                                  When I switch to "Manual Outbound NATโ€ฆ" I am not able to access the web (surf), not able to access the WAN2 modem from LAN and so on.
                                  When set to "Manual..." it now uses the host IP on the LAN as from-IP on the WAN-side... When set to "Auto.." it uses the interface IP.

                                  It looks like it DOESN'T add the proper set of rules as you describe? Do I need to add rules for every outbound connection or am I missing something?

                                  Thanks for your prompt reply.

                                  1 Reply Last reply Reply Quote 0
                                  • jimpJ
                                    jimp Rebel Alliance Developer Netgate
                                    last edited by

                                    If your WANs are setup right (gateways exist and are selected on the interface pages, or they're dynamic) then it should be adding outbound NAT rules that cover those networks automatically.

                                    Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                                    Need help fast? Netgate Global Support!

                                    Do not Chat/PM for help!

                                    1 Reply Last reply Reply Quote 0
                                    • M
                                      Metu69salemi
                                      last edited by

                                      Please give us a screenshot, so we could help you bit more

                                      1 Reply Last reply Reply Quote 0
                                      • J
                                        jarlel
                                        last edited by

                                        I figured it out :-) Added two outbound NAT rules for the interfaces, source "any".

                                        Thanks.

                                        1 Reply Last reply Reply Quote 0
                                        • First post
                                          Last post
                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.