Set several IP's to use a specific interface for WAN



  • Hello,
    I recently opened up a computer repair shop, and have two internet connections. One has a static IP, and I'd like to use that for my servers (PBX, Repair Tracker, User Portal, IP Cameras etc.)

    However, I also have another internet connection that is very fast (30 down, 10 up), but is not static. I'd like to keep that connection for general office computers to access the internet.

    I've tried several things, and some things have worked out, but it doesn't seem proper to me. If someone could tell me the best way to do this- I'd really appreciate it.

    Thanks everyone!


  • Netgate Administrator

    I'm assuming you have both these WAN connections routed via a single pfSense box in a multiwan setup?

    You need to use policy based routing to send traffic via the correct interface.
    For example, set the fast/dynamic WAN as the default WAN connection in pfSense. Now create a firewall rule on the LAN interface with your servers connected that will match traffic coming from the servers. Set the gateway in the rule to be your static WAN connection. Make sure to place the rule at the top of the list to match traffic before it hits the general outgoing rule.

    Steve



  • Essentially, that's what I had done.

    Here is a screenshot of my configuration:
    http://i.imgur.com/AUfqz.png

    This server runs the status system for customers to see their system repair status. It runs on port 80, and is the default webpage to be loaded via that IP. It still does not seem to be working outbound, when I load the IP address for the "WAN" (Static IP) Address.

    Thanks for your reply!

    Aaron



  • For multi-WAN, you need to adjust the NAT tab instead.  Set to manual Advanced Outbound NAT instead of Automatic.  Select the outbound interface as your Static IP 'WAN' interface and select the source as the server subnet (if the servers are on the same subnet as your LAN clients, then create an alias for all the machine IPs that need to use the static IP instead).


  • Netgate Administrator

    Hmm, care to explain that, dreamslacker. Is that for inbound services?  :-\

    @T3Kn0 The firewall rule you have listed will only catch traffic from a single IP address and only on port 80 as both source and destination. It's probably not catching anything.
    You probably want to include a range of IPs for all your servers, or use an Alias for this, and leave the source and destination ports as 'any'.

    Steve



  • @stephenw10:

    Hmm, care to explain that, dreamslacker. Is that for inbound services?  :-\

    @T3Kn0 The firewall rule you have listed will only catch traffic from a single IP address and only on port 80 as both source and destination. It's probably not catching anything.
    You probably want to include a range of IPs for all your servers, or use an Alias for this, and leave the source and destination ports as 'any'.

    Steve

    It's for Outbound traffic routing.
    For inbound, he should use NAT rules instead on the specific 'WAN' interface to re-direct the inbound traffic on that particular interface as per port to the respective IPs.  The Fw rule will be automatically created unless he opts out of it.


  • Netgate Administrator

    Hmm, I have setup a number of multiwan systems with policy based routing as well as load balancing and failover and have never used manual outbound NAT rules. In fact I always try to avoid switching to manual since it's something I might forget later which could cause problems.

    Following the multiwan guide (which doesn't mention NAT at all) using firewall rules to route different outbound traffic has always worked for me.

    However I'm open to some alternative method I hadn't considered.  ;)

    Steve



  • @Stephen:  I'm sure it works fine if you know what you're doing.  :)  The main concern would actually be for "server" applications that use one port for handshakes and others for data streams so to speak.

    i.e. Web server with RTSP content on a separate port.

    Having the outbound NAT configured ensures the separate ports do go out that specified interface.

    IMO, what is more important for the OP is actually setting up the inbound NAT (Port forwarding) rules.  If his inbound NAT rules are configured correctly, he shouldn't need to set PBR/ AON since the external application should already choose that specific 'WAN' via hostname resolution/ exact IP address.


  • Netgate Administrator

    I certainly agree that it's important to have internal servers respond via the same WAN they receive traffic. Opening a new connection that appears to come from a different IP could cause all sorts of trouble.

    However, as you say, the incoming WAN connection is determined by hostname resolution and port forwarding rules. If a firewall rule is in place to direct new connections via the same WAN that should not be a problem.

    I guess if you had multiple hostnames on multiple WAN connections all forwarding to the same internal server that could be a problem.  :-\

    Am I missing something obvious?

    Steve
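Tying the thread's points together, here is an added example that is not from any of the posts above: a pf ruleset (the layer pfSense generates its rules on) expressing the policy-routing firewall rule Steve describes, the manual outbound NAT entry and the inbound port forward dreamslacker describes, and the reply-to behaviour that keeps server responses on the WAN they arrived on. Interface names, addresses, and the <servers> table are constructed placeholders, not anything from the original thread.

```pf
# Constructed pf.conf fragment (FreeBSD pf syntax as used by pfSense).
# All interfaces, addresses and hosts below are made-up placeholders.
wan_static = "em0"            # WAN with the static IP
wan_fast   = "em1"            # fast, dynamic WAN (holds the default route)
lan        = "em2"
gw_static  = "203.0.113.1"    # upstream gateway on the static WAN
ext_static = "203.0.113.10"   # our static public IP
srv_web    = "192.168.1.10"   # repair-status web server (port 80)

# Alias equivalent: every server host that must always use the static WAN
table <servers> { 192.168.1.10, 192.168.1.11, 192.168.1.12 }

# --- Translation rules (pf applies these before the filter rules) ---
# Manual outbound NAT: server traffic leaving via the static WAN is
# translated to the static public IP; office PCs NAT on the fast WAN.
nat on $wan_static from <servers> to any -> $ext_static
nat on $wan_fast   from $lan:network to any -> ($wan_fast)

# Inbound port forward: HTTP arriving on the static WAN goes to the web server
rdr on $wan_static proto tcp from any to $ext_static port 80 -> $srv_web port 80

# --- Filter rules ---
# Allow the forwarded HTTP in; reply-to forces the server's responses back
# out the static WAN even though the default route points at the fast WAN.
pass in quick on $wan_static reply-to ($wan_static $gw_static) \
    proto tcp from any to $srv_web port 80 flags S/SA keep state

# Policy routing, placed above the general LAN rule so it matches first.
# Local destinations are exempted first so LAN-to-LAN traffic is not
# pushed out a WAN; then new connections from the servers (any port,
# any destination) are routed via the static WAN.
pass in quick on $lan from <servers> to $lan:network keep state
pass in quick on $lan route-to ($wan_static $gw_static) \
    from <servers> to any keep state

# General LAN rule: everything else follows the default route (fast WAN)
pass in quick on $lan from $lan:network to any keep state
```

Load with `pfctl -nf /path/to/pf.conf` first to syntax-check, and confirm with `pfctl -sr` / `pfctl -sn` that the route-to rule and NAT entries appear above the general LAN rule.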

