Two WANs with failover, accessing WAN1 router through WAN2?

  • I have a setup with two WANs and two LANs where the WAN-side has been set up with failover (default is WAN1, but traffic is flowing through WAN2 when WAN1 goes down).

    If WAN1 goes down the error is normally after the WAN1 router (this is a satellite link, so the WAN1 router is normally "up" when the link goes down). The monitor IP for WAN1 is set to an IP located on the "earth side" of the satellite, so if there is a problem with the satellite link pfSense won't reach this IP and will consider the network to be down (and therefore remove the routing through WAN1 and route traffic through WAN2).

    To fix the satellite link I'd like to be able to reach the WAN1 router (directly connected to a port on the pfSense box), that is, log in to the WAN1 router through SSH.

    Is it possible to achieve this by accessing it from the WAN2 side? I know that the WAN1 gateway is considered down, but can I in any way force routing to the WAN1 router like this:

    ---> WAN2 ---> pfSense ---> WAN1 router


    Thanks in advance for any help/tips.


  • Rebel Alliance Developer Netgate

    You don't want to do that.

    Just add a rule at the top of the LAN like so:

    pass * from LAN subnet to WAN1 router (with no gateway set)

    Then it will just go out the proper interface and you can reach it no matter what failover is happening.

  • Ok, but does the suggested solution require that the connection is done from the LAN?

    I'd like to be able to connect through WAN2's public IP through a port forward setup or similar. Can this be done?


  • Rebel Alliance Developer Netgate

    Yes that only works for connections from LAN.

    To connect from the outside to a port on WAN2 to hit the WAN1 router, that would just be a normal port forward. Nothing special there, just a port forward on WAN2 that points to the WAN1 router IP with the ports you want.

  • Thanks, jimp. And that should work even in a failover setup where WAN1 is considered down by pfSense?

  • Rebel Alliance Developer Netgate

    That wouldn't have anything to do with the failover mechanisms, it would work either way.

  • I have tested this now, but I'm not able to connect to the WAN1 router with a normal port forward through WAN2. Did it as you explained, but doesn't work. I'm able to connect to the WAN1 router from the LANs, but the port forwarding through WAN2 doesn't work.

    Any idea what I could try?

  • Rebel Alliance Developer Netgate

    You probably need some extra outbound NAT to make sure that things going to the WAN1 modem get NAT applied so it appears to be coming from the firewall's WAN1 IP, otherwise the WAN1 router would be trying to send it back out the dead line.

  • Thanks again. Yes, I see that this is exactly what is happening (through packet capture): it sends the packet out on WAN1 with the originating IP address (the public IP address I connect from).

    How can I modify the NAT to use the WAN1 interface IP for these packets only?

  • Rebel Alliance Developer Netgate

    Make an outbound NAT rule something like this:

    Interface: WAN1
    Source: Any
    Destination: WAN1 modem IP

  • Thanks, I will try that. Can the mode still be "Automatic outbound NAT rule generation" or do I have to switch to "Manual Outbound NAT rule generation" to make this work?

    I guess the Destination should be the IP-address of the WAN1 modem with /32 as mask?


  • Rebel Alliance Developer Netgate

    Manual, and yes, it would be the modem IP/32.

  • Ok, will this "break" other outbound traffic NAT'ing, that is do I need to add other rules as well to make outbound traffic/NAT work as before the switch to Manual?

  • Rebel Alliance Developer Netgate

    No, when you switch to manual it makes a proper set of rules that do exactly what automatic was already doing.

  • I tried this and was able to access the WAN1 modem through WAN2, but with a major drawback (Running 2.0.1):

    When I switch to "Manual Outbound NAT…" I am not able to access the web (surf), not able to access the WAN2 modem from LAN and so on.
    When set to "Manual..." it now uses the host IP on the LAN as from-IP on the WAN-side... When set to "Auto.." it uses the interface IP.

    It looks like it DOESN'T add the proper set of rules as you describe? Do I need to add rules for every outbound connection or am I missing something?

    Thanks for your prompt reply.

  • Rebel Alliance Developer Netgate

    If your WANs are set up right (gateways exist and are selected on the interface pages, or they're dynamic) then it should be adding outbound NAT rules that cover those networks automatically.

  • Please give us a screenshot, so we could help you a bit more.

  • I figured it out :-) Added two outbound NAT rules for the interfaces, source "any".
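The pieces the thread arrives at (the LAN pass rule with no gateway, the port forward on WAN2, the per-interface outbound NAT rules that manual mode needs, and the extra outbound NAT rule for the WAN1 modem) can be written out as one pf ruleset. The fragment below is an added illustration in plain pf.conf syntax as used on FreeBSD/pfSense; it is not pfSense's generated ruleset and not code from anyone in the thread. Interface names (em0/em1/em2), the LAN subnet, the gateway and modem addresses, and the forwarded port 2222 are placeholders.

```pf
# Added illustrative pf.conf fragment; all names and addresses are placeholders.
wan1     = "em0"            # satellite link, gateway 203.0.113.1 (assumed)
wan2     = "em1"            # backup link, gateway 198.51.100.1 (assumed)
lan      = "em2"
lan_net  = "10.0.0.0/24"    # assumed LAN subnet
wan1_mod = "192.0.2.1"      # WAN1 router/modem, directly attached to em0 (assumed)
wan2_gw  = "198.51.100.1"

# --- Outbound NAT (what "Manual Outbound NAT" must contain) ---
# Without these two rules LAN hosts leave with their private source address,
# which is the symptom reported after switching to manual mode.
nat on $wan1 inet from $lan_net to any -> ($wan1)
nat on $wan2 inet from $lan_net to any -> ($wan2)

# The rule suggested in the thread: anything headed for the WAN1 modem, from
# any source (including sessions that arrived via the WAN2 port forward), is
# masked with the WAN1 interface address (destination is the modem's /32).
# The modem then answers the firewall directly instead of sending the reply
# out over the dead satellite link.
nat on $wan1 inet from any to $wan1_mod -> ($wan1)

# --- Port forward: WAN2 public IP, TCP 2222 -> modem SSH ---
rdr on $wan2 inet proto tcp from any to ($wan2) port 2222 -> $wan1_mod port 22

# --- Filter rules ---
# LAN -> WAN1 modem with no route-to, so the packet follows the routing
# table to the directly connected modem whatever the gateway/failover state.
# It has to sit above the gateway-group (route-to) rule for LAN traffic.
pass in quick on $lan inet from $lan_net to $wan1_mod keep state

# Allow the forwarded SSH session in on WAN2 (after rdr the destination is
# the modem). reply-to pins the return traffic to the WAN2 gateway, which is
# what pfSense does for rules on multi-WAN interfaces.
pass in quick on $wan2 reply-to ($wan2 $wan2_gw) inet proto tcp \
    from any to $wan1_mod port 22 keep state
```

Reading it end to end: a packet arriving on em1 for port 2222 is rewritten by `rdr` to the modem, passed by the WAN2 filter rule, routed out em0 because the modem is directly connected, and finally source-translated by the `nat on $wan1` rule to em0's address. The state entries created by `keep state` carry the translation back for the replies. Note that the `nat ... from any to $wan1_mod` rule also covers LAN hosts reaching the modem, so those sessions appear to come from the firewall rather than from the LAN address.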