NAT on dual WAN



  • Hi! I've this problem. I've setup pfsense 1.2-BETA-1  in a dual wan scenario, enabled advanced nat for the local lan via both wan. Now if i setup a firewall rule to let an inside host goes through one specific wan (not the default one), it goes ok and it is natted with the ip of the firewall. Now if i put a 1:1 nat, to use another virtual ip (i've put that ip as proxyarp in the virtual ip) of that wan subnet, and check the host ip through a web page, it does not load and goes in timeout. If i remove the 1:1 nat mapping it gets the firewall ip. Is it possibile to redirect with a firewall rule an internal host and use a different nat mapping than the default one? Thanks a lot.



  • I do this with port forwards from each wan, not 1-1 nats. Then go to Firewall, NAT, Outbound. Create rules like:
    WAN  192.168.10.20/32 * * * 12.12.12.12 * NO
    WAN2 192.168.10.20/32 * * * 61.62.63.64 * NO

    Now the outbound traffic from 192.168.10.20 will source from the specified addresses instead of the WAN or WAN2 addresses.



  • Ummhh…. What do you mean? What i'm trying to do is having the possibility to choose from which wan to go out on internet from a specific internal host, and also nat it, choosing from one of the virtual ip (proxy arp) defined. I've two entries in advanced outbound nat, for both the wan (so that the lan segment can be natted with both the wan line), and a firewall rule that define one of the wan isp as the default gateway for a specific internal host. If i put also a one-1-one nat to use another virtual ip other than that defined by the two advanced outbound nat rules (the firewall ip), the internal host is not able to go out on the internet. This is my problem. Sorry for the long description...



  • That's what I was explaining. But maybe I'm not following you. I'll tell you what I thought you meant using the previous bogo example ips.

    1. You have a host on the LAN, which we will say is at 192.168.10.20
    2. You want to force this host to use a specific WAN connection.
    3. You perhaps want to have services, like a mail server, on the box Internet accessible.
    4. You want to have the mail server answer on a separate ip from your WAN interface. We will use 12.12.12.10 for your WAN ip and 12.12.12.12 as the ip you want the mail server to have.
    5. You want traffic from the host to originate from 12.12.12.12, not 12.12.12.10

    So, for #2 you would create a firewall rule on the LAN, before the default lan> any:

    • 192.168.10.20 * * * (gateway of WAN)
      For #3, you would use NAT, Port Forward to forward the traffic from the WAN.
      #4 make sure to pick the correct VIP under external address.
      #5, use the outbound nat rule previously described.

    If this is not what you want to do, you are going to have to retype your problem, but type very slowly and use a larger font, so I can follow along.



  • Hi! I've uploaded a pic of my advanced outbound nat and firewall rules, that contains nat rules for the lan subnet, to be able to go out using the two wan ip when using firewall rules and different gateways, and two rules that map a specific host to a specific virtual ip (proxy arp) defined, so that when i put a firewall rule, that host is mapped to that specific ip either when using wan or wan2. When no firewall rules that force the host 192.168.11.252 to go out with wan2 is defined, that host goes out using wan and is mapped correctly using the specific rule with a different virtual ip of the wan subnet (not the firewall ip). But if i put a firewall rule that force that internal host to go through wan2, the host is not able to ping/browse etc. If i remove the map for wan2 from aon, than the host work again but use the wan2 firewall ip.

    What i want to do is that some times, i would like that host A, use wan2 and be mapped to a virtual ip (proxy arp), different from the wan2 firewall ip address. Host A may not be a server, but just a client that i want to use wan2 and that particular public ip.

    Any suggestions? Thx




  • I'm here again….. :D I've done some testing and it seems, that both 1:1 nat and advanced outbound nat, do not work for the opt interface (wan2 in my case) in this case: when using a firewall rule that impose an internal host to use the wan2 (opt1) interface as default gateway, if in aon exists only the two rule that nat the lan subnet for both the wans, everything  works fine. If i add in 1:1 or aon a rule that also map the internal host with a different virtual ip (proxy arp) defined, the host cannot communicate with internet anymore. If i remove that specific rule, it works again but the host is mapped with the the wan2 firewall ip. Using tcpdump, i see the request coming out from wan2 firewall interface with the correct virtual ip, but no response is coming from the internet!

    Does anyone have a tip for resolving this strange behavior? Thanks



  • The rules you posted look correct to me. Here are some random thoughts:
    IIRC, 1-1 NATs on multi-WAN restrict you to whatever WAN you made the 1-1 on. I avoid them on multi-WAN and instead use port-forwards from each WAN instead. Try it without the 1-1.
    There might be an issue with the routing of your IPs. Rare, but I've seen it before. If you remove the VIP that's not working for you and static onto a box parallel to the firewall, does it work? IE- get a laptop and connect it to the public router (with a hub, whatever) along with the firewall, put the public IP on it and see if it's getting out…



  • Thanks for replying  ;D. I will check with my laptop as soon as i can. The strange fact is that in doesn't work only for the wan2 gateway (opt1 interface). Both 1:1 an aon work with the standard wan interface. And it should work, because if i setup a failover pool with both the wan interface, and i want to use specific mapping with virtual ip when going out from certain internal hosts, if wan1 goes down, that specific host try to goes out with wan2 with that spicific 1:1 or aon ip and fails. But this maybe is another topic!! Checking wan2 router with a laptop can be a good idea. When you talk about port mapping, you mean only if I'm trying to forward some port from outside to local server and not if i just want to choose the gateway and public ip address to go out with, am i right?

    Thanks again.



  • Yeah, you wouldn't need the port-forward if you didn't want to make any services on the box available via the outside. The gateway and outbound public would be handled via the firewall/NAT rules.


Log in to reply