Dual Wan + Single LAN + NAT

  • Hey All,

    Long time user of pfSense, first time posting in the forum.  First off, pfSense is the best firewall/routing distro out there IMO.  Used to be a PIX/ASA/Sonicwall user; left about 2 years ago and haven't looked back.

    Ok, so here is my problem.  A client of ours has a DSL and a Cable connection for their WAN.  The routing group is configured w. the Cable connection as tier 1, and the DSL connection as tier 2 (that is, they're designed to be failover, not load balancing.)  There is only 1 server on the inside that is designed to communicate with the outside world (mail server).  We initially had 2 1:1 NAT translations targeted at the mail server for an IP on both the DSL and Cable interface.  After thinking about it, I realized that this didn't make any sense, and turned off the 1:1 NAT on the DSL interface.  Now, there is just a 1:1 NAT configured on the cable interface, and regular port forwarding for IMAP/SMTP on the DSL interface.  I can successfully telnet to TCP 143 on the cable interface, but when I try and do it on the DSL interface, the connection is never established.  I know the firewall isn't dropping/rejecting the packets, as I can clog -f /var/log/filter.log and see that the packets successfully make it through (or at least don't get dropped/rejected).

    What I think is occurring is that the initial SYN makes it to the server, but on the way back out, the ACK gets caught up in the 1:1 NAT, and has the source address listed as the cable interface and not the DSL interface.  When the packet gets back to the initiating host, the firewall doesn't recognize the source address in the connection table and (rightly) drops the packet, hence, no connection.

    My questions are these: am I way off base in what I think the problem is?  Is 1:1 NAT just not going to work in this scenario?

    I'm using pfSense 2.0.1.

    Thank you in advance.

  • One way to test would be to do a tcpdump at the mail server to check the incoming traffic. If you see traffic from a particular source, then you know it's making it through the DSL and the outgoing connection is getting messed up with the 1:1 NAT. If you search for it, I ran across something a while back about running servers behind a MultiWAN setup.

  • Ok, so your comment got me thinking, and the problem was indeed the 1:1 NAT.  I could plainly see the ACK leave the mail server and then disappear into nowhere.  For future reference for anyone who reads this thread: 1:1 NAT for a single device on the LAN in a multi-WAN setup won't work reliably unless one of your interfaces is already down and packets are guaranteed to leave the same interface they came in on.  Good old port forwarding works just fine even when both links are functioning.
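As an added illustration that is not part of the thread, the following Python model reproduces the asymmetric-NAT behaviour the posts converge on: constructed addresses, a port forward for IMAP on each WAN, and an optional 1:1 mapping of the mail server to the cable address. It is a deliberately simplified model of a stateful NAT device, not pf's actual rule evaluation, and the handshake check only asks whether the reply comes back from the address the client connected to.

```python
# Simplified model of the failure described in the thread: a port forward on the DSL
# interface creates a state, but a 1:1 NAT bound to the cable interface rewrites the
# mail server's reply to the cable address, so the client never sees an answer from
# the address it connected to. All addresses below are constructed for the example.
from dataclasses import dataclass, replace

CLIENT, CABLE_WAN, DSL_WAN, MAIL = "203.0.113.10", "198.51.100.2", "192.0.2.2", "10.0.0.25"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class Firewall:
    """Stateful NAT device with an optional 1:1 (binat-style) mapping for MAIL."""
    def __init__(self, one_to_one_wan=None):
        self.port_forwards = {(CABLE_WAN, 143): MAIL, (DSL_WAN, 143): MAIL}
        self.one_to_one_wan = one_to_one_wan   # WAN address MAIL is 1:1 mapped to, if any
        self.states = {}                        # inside reply tuple -> WAN address that was hit

    def inbound(self, pkt):
        """Client -> WAN: apply the port forward and remember which WAN address was used."""
        target = self.port_forwards.get((pkt.dst, pkt.dport))
        if target is None:
            return None
        self.states[(target, pkt.dport, pkt.src, pkt.sport)] = pkt.dst
        return replace(pkt, dst=target)

    def outbound(self, pkt):
        """Server -> client: in this model the 1:1 mapping wins over the state-based reversal."""
        if pkt.src == MAIL and self.one_to_one_wan:
            return replace(pkt, src=self.one_to_one_wan)
        wan = self.states.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return replace(pkt, src=wan) if wan else None

def imap_handshake(fw, wan_ip):
    """True if the client's SYN to wan_ip:143 gets a SYN/ACK back from that same address."""
    syn = Packet(CLIENT, 51234, wan_ip, 143)
    to_server = fw.inbound(syn)
    if to_server is None:
        return False
    synack = Packet(to_server.dst, 143, syn.src, syn.sport)
    back = fw.outbound(synack)
    # The client only matches the reply against the address and port it actually connected to.
    return back is not None and (back.src, back.sport) == (syn.dst, syn.dport)
```

With port forwards alone both WANs complete the handshake; with the 1:1 mapping active, only the cable-side handshake succeeds, which is the behaviour the last post describes.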