Adv. Outbound NAT with Dual WAN (No Loadbalance) and Multiple VLAN?



  • Hi All,

    I'm currently running Pfsense: 1.2-BETA-1 built on Mon Apr 30 10:47:18 EDT 2007.

    I have 4 NIC in my Pfsense box.

    [] WAN
    [] LAN
    [] OPT1 (DMZ)
    [] OPT2 (WAN2)    – Not working yet..

    I have 9 VLANS running off the LAN interface - I use pfsense for routing.

    All VLANS etc are running perfectly.

    I want add an additional WAN connection (WAN2), I have an ADSL modem/router which is setup.
    I have setup the WAN2 interface etc as per documentation/tutorial: "setting up policybased routing with multiple WAN-links (PDF)"

    I have a windows sharepoint server setup on VLAN_900.
    I want the traffic from this VLAN to route traffic outbound through my WAN2 link as it has a much greater upload speed.

    I'm pretty sure I understand all of the documentation, however I can't find much about 'advanced outbound nat'.

    When I tick the 'Enable Advanced Outbound NAT' option, it creates a rule ONLY for the LAN interface.

    Interface  Source            Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port  Description
    WAN        192.168.144.0/24  *            *            *                 *            *         NO           auto created rule for LAN

    I'm pretty sure I need to create a 'copy' of this rule for all of my interfaces/VLANS and to specify that I want all traffic from VLAN_900 to route out via WAN2..?

    ie

    Interface  Source          Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port  Description
    WAN        172.16.0.0/22   *            *            *                 *            *         NO           auto created rule for LAN
    WAN        VLAN_100 IP/22  *            *            *                 *            *         NO           NAT VLAN_100 -> Def. GW
    WAN        VLAN_200 IP/22  *            *            *                 *            *         NO           NAT VLAN_200 -> Def. GW
    ...
    WAN        VLAN_800 IP/22  *            *            *                 *            *         NO           NAT VLAN_800 -> Def. GW
    WAN2       VLAN_900 IP/22  *            *            *                 *            *         NO           NAT VLAN_900 -> WAN2 GW
    WAN        DMZ_IP/22       *            *            *                 *            *         NO           NAT DMZ_IP -> Def. GW

    Can anyone please confirm that this is correct?? OR which advanced outbound NAT rules I need to create?

    CHEERS!

    NB: In my DMZ I have a reverse proxy. Do I need to add additional rules for this to work??



  • Hi All,

    Well I implemented the above rules and it worked without drama.

    BUT:

    External (WAN IP)-->Internal Webserver (VLAN_900)-->External    --  still are not utilising the WAN2 link.

    Internal VLAN_900-->External utilises the WAN2.

    I'm not sure how to change this?? (ie. Have External inbound connections on WAN and then return/upload data on WAN2)..?

    Whether this is even at all possible..?

    Any ideas..?

    Cheers.



  • Look at the Load balancing / multi wan document @ doc.pfsense.com

    hint, you define the gateway in the LAN firewall rules.



  • Hi Scott,

    Appreciate the reply. I've read the doc (perhaps too many times - so I might be missing something obvious??)

    ::::::::: An Aside::::::::::::::::::::::::::::::::::::::::::::::::

    I'm not after load balancing, or failover (at this stage).
    I have my primary WAN link, which has 5 static IP addresses.
    I have my (brand new) secondary link which only has 1 static IP.

    One of the internal businesses hosts a (publicly accessible) sharepoint webserver, with multiple client sites.
    Because I don't control the DNS records for their client sites (multiple, multiple clients maintain their own DNS records/updates etc) I am looking to have the secondary WAN link connected, such that incoming (external) webserver requests come in on the existing static IP and are serviced on the WAN2 link (it has a much, much faster 'upload' speed).
    Once this is working the next thing I wish to do is to get the clients to update their DNS records to point to the 'new' static IP.
    Once this transition has occurred, I'll actually move this internet connection to its own pfsense install and separate it from 'my network'.

    Hope this makes sense?
    :::::::::::::::End Aside:::::::::::::::::::::::::::::::::::::::::::::::

    I have policy based routing working fine - ie. if I hook up a workstation/laptop on my VLAN_900, all inbound and outbound requests go through the WAN2 link. (eg. accessing the internet from the webserver does this too).

    The bit that is confusing me (which I admittedly don't understand that well) is that when an external client wants to connect to the sharepoint webserver, it is not utilising the WAN2 link whatsoever.
    Everything I have read is for 'load balancing'/routing internal requests, but because this is a webserver and the requests originate externally, I have no idea where/how to force the connection to use the WAN2 link...?

    ie.
    ::::::::::::::::::::: Slightly convoluted Example ::::::::::::::::::::::::::::::::
    External Client (has IP of 202.12.45.89) wants to connect to the sharepoint website "sharepoint.clakeywebsite.com.au" (has IP of 280.34.56.12).
    sharepoint.clakeywebsite.com.au is sitting on internal (VLAN_900) network and has IP: 172.16.36.50.

    1. Client connects on random port from 202.12.45.89 to port 80 on sharepoint.clakeywebsite.com.au (280.34.56.12)
    2. Pfsense NATs all incoming port 80 on 280.34.56.12 to port 80 on internal IP 172.16.36.50
    3. Webserver receives request and processes it.
    4. Page is served to client on WAN link. (Not WAN2)

    -- As stated I would like the page 'served' over the WAN2 link.
    I would assume that it is all working except that i am missing a step '3a' in which traffic is routed back via WAN2.
    I have a 'policy based routing' rule on the VLAN_900 interface:

    Proto  Source  Port  Destination  Port  Gateway        Schedule  Description
    *      *       *     *            *     192.168.100.1            Policy Route VLAN_900->WAN2

    I have an advanced outbound NAT rule:

    Interface  Source          Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port  Description
    WAN2       172.16.36.0/22  *            *            *                 *            *         NO           NAT VLAN_900->WAN2

    NB:
    192.168.100.1 is the IP address of my WAN2 modem router.
    172.16.36.0/22 is my network and subnet addresses for VLAN_900 (where the sharepoint webserver resides – it is the only machine/IP on VLAN_900)

    ??HELP??

    ::::::::::::::::::::: End Slightly convoluted Example :::::::::::::::::::::::::::

    Apologies that this is so long winded, but the more I try and explain it, the more convoluted the explanation becomes.

    Cheers.



  • Forcing external to internal connections should be done via DNS?



  • Traffic that came from the internet on WAN1 you can't send back through WAN2.
    If you do, then your IP address of the WAN changes and so will be refused by the PC that connected to you from WAN1.

    Traffic always has to come back from the same WAN and session to be able to pass a remote firewall.
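To illustrate the point above, here is an added example (not from the thread and not pfSense code) that models the thread's own addresses, port forward, policy route and advanced outbound NAT rule; the WAN2 public address 203.0.113.10 is a constructed placeholder. A minimal stateful firewall in front of the external client drops the server's reply because it leaves via WAN2 with a source address different from the one the client connected to:

```python
from collections import namedtuple

WAN1_IP = "280.34.56.12"    # WAN static IP as written in the thread
WAN2_IP = "203.0.113.10"    # constructed placeholder for the WAN2 static IP
SERVER_IP = "172.16.36.50"  # sharepoint host on VLAN_900 (from the thread)
CLIENT_IP = "202.12.45.89"  # external client (from the thread)

Packet = namedtuple("Packet", "src sport dst dport")

def in_vlan_900(ip):
    # 172.16.36.0/22 covers 172.16.36.0 - 172.16.39.255
    a, b, c, _ = (int(x) for x in ip.split("."))
    return (a, b) == (172, 16) and 36 <= c <= 39

def outbound_nat(pkt):
    # Policy route + AON rule from the thread: anything sourced in VLAN_900
    # leaves via WAN2 with its source rewritten to the WAN2 address;
    # everything else leaves via WAN with the WAN1 address.
    if in_vlan_900(pkt.src):
        return "WAN2", Packet(WAN2_IP, pkt.sport, pkt.dst, pkt.dport)
    return "WAN", Packet(WAN1_IP, pkt.sport, pkt.dst, pkt.dport)

def port_forward(pkt):
    # Inbound NAT: WAN1 port 80 -> webserver port 80 (step 2 in the thread)
    if pkt.dst == WAN1_IP and pkt.dport == 80:
        return Packet(pkt.src, pkt.sport, SERVER_IP, 80)
    return pkt

class ClientFirewall:
    """Minimal stateful firewall sitting in front of the external client."""
    def __init__(self):
        self.states = set()

    def send(self, pkt):
        self.states.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return pkt

    def accept_reply(self, pkt):
        # A reply is only let in if it mirrors an existing state exactly.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.states

def web_request_roundtrip():
    fw = ClientFirewall()
    syn = fw.send(Packet(CLIENT_IP, 51234, WAN1_IP, 80))     # step 1
    inside = port_forward(syn)                                # step 2
    reply = Packet(inside.dst, 80, inside.src, inside.sport)  # step 3
    egress_if, translated = outbound_nat(reply)               # the wished-for "3a"
    return egress_if, translated.src, fw.accept_reply(translated)
```

The round trip returns the egress interface, the translated source address and whether the client's firewall accepts the reply; with the thread's rules the reply goes out WAN2 as 203.0.113.10 and is refused.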



  • Hi sullrich & jeroen234,

    Appreciate the replies.

    @jeroen234:

    Traffic that came from the internet on WAN1 you can't send back through WAN2.
    If you do, then your IP address of the WAN changes and so will be refused by the PC that connected to you from WAN1.

    Traffic always has to come back from the same WAN and session to be able to pass a remote firewall.

    This is the conclusion I had reached but was hoping that I was wrong.

    Next stop 'plan b'…

    @sullrich:

    Forcing external to internal connections should be done via DNS?

    I'm assuming that you mean that I need to update the DNS records such that the original request 'sharepoint.clakeywebsite.com.au' resolves to the IP address of the WAN2 link which I wish to serve the pages on? This is the plan b.. ;D

    CHEERS FELLAS - TOP PRODUCT SCOTT AND EVERYONE ELSE WHOM CONTRIBUTES TO ITS SUCCESS!

    • Lakey.


  • DNS is definitely the way to go, just get your name to resolve to WAN2 and then route the necessary port in.

