Multiple WAN - One Lan - problems with NAT



  • Hi,

I am a newbie with pfSense, but I think it could solve some of my current issues. I have tried a lot of the solutions on this forum, but none of them seem to work for me.

I have a cable internet connection. This cable modem is giving me 4 public dynamic IP addresses (DHCP). All of them seem to have the same gateway etc. The lease time for these DHCP addresses is about 1 year.

I am about to host 3 virtual machines that require separate Internet-valid IP addresses for, among others, port 443. I cannot change these ports. This means that I would like to use 3 of my IP addresses for these servers, and then use my last IP address for all other Internet traffic. I have been looking into 1:1 NAT, but I do not want to open all ports through the router, only a few of them for each WAN interface.

    I am simulating the solution in VMware before I put the solution into "production" in my homelab.
As of now I have created 4 WAN interfaces and one LAN interface. These are named WAN, WAN2, WAN3, WAN4 and LAN.

    I am simulating this configuration by using a regular DHCP server and a virtual machine running FileZilla.
My problem is that I am only able to do NAT on the port named "WAN". Whenever I try to change to a different WAN port, the NATing does not work anymore.

    The setup is like this now:
    WAN (10.0.0.50)
    WAN2 (10.0.0.51)
    WAN3 (10.0.0.52)
    WAN4 (10.0.0.53)
    pfsense (192.168.1.100)
    Virtual machine (192.168.1.10)

If I do a normal NAT of port 21 from WAN to the virtual machine it works great. Whenever I try to change the NAT rule to any of the other WAN ports it does not work.

The total picture I would like to achieve is:
    WAN (10.0.0.50) -> Port 443 -> Virtual machine 1 (192.168.1.100)
    WAN (10.0.0.51) -> Port 443 -> Virtual machine 2 (192.168.1.101)
    WAN (10.0.0.52) -> Port 443 -> Virtual machine 3 (192.168.1.102)
    WAN (10.0.0.53) -> All machines on the network with regular internet connection

All my virtual machines are VMware appliances, so it is impossible for me to add a second IP address to them.

I will of course change the WAN addresses to the public IPs as soon as I manage to get the NATing to work properly.

    I would really appreciate some help or a push into the correct direction for more information.

    Thanks!



  • You can't have 4 WANs with the same gateway.

    Options are:

    - assign virtual IPs for your dynamic IPs (best to ask your ISP to route them statically)
    - put multiple cheap routers in front of pfSense



  • Hi,

Thank you for your reply. So basically, if I make 4 different pfSense machines, virtualized with their separate networks and virtualized networks, I can make one router with one internal gateway?



  • Because you have a single gateway for all the WANs that you are using, your config will not work.
    You will need to add a NAT device of some sort before each of the WANs on pfSense and forward all the ports on those devices to pfSense.
    If you want to do this in a lab, it will look something like this.

    ISP Modem
        |
        |
     vSwitch
      |    |    |    |
    NAT1 NAT2 NAT3 NAT4
      |    |    |    |
    WAN1 WAN2 WAN3 WAN4
      |    |    |    |
    [pfSense Firewall]
             |

    At this point, since you are using only one physical connection, your gateway needs to be set to the NAT device that you want to use the public IP of.
    You will need to create Virtual IPs for each of the Public IPs that you need to use.
    Then configure all of your rules.

    I am not sure how Virtual IP will act with dynamic Public IPs. Maybe someone more knowledgeable can help.
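    As an added illustration (not from this thread or from the pfSense project), here is what the "one physical WAN plus virtual IPs plus per-port forwards" design amounts to in pf(4) syntax, the packet filter pfSense drives; it assumes the four public addresses are static (203.0.113.50-53 are documentation placeholders), the WAN NIC is em0, and the three servers sit at 192.168.1.100-102 as in the original post.

    ```pf
    # Constructed example: hand-written pf.conf equivalent of pfSense
    # "IP Alias" VIPs + "Port Forward" + "Outbound NAT" entries.
    ext_if  = "em0"
    lan_net = "192.168.1.0/24"

    # Placeholder public addresses (documentation range); in pfSense these
    # would be one WAN address plus three IP Alias VIPs on the same interface.
    pub_vm1 = "203.0.113.50"
    pub_vm2 = "203.0.113.51"
    pub_vm3 = "203.0.113.52"
    pub_out = "203.0.113.53"

    vm1 = "192.168.1.100"
    vm2 = "192.168.1.101"
    vm3 = "192.168.1.102"

    set skip on lo0

    # Port-specific forwards: only TCP/443 per public address, not 1:1 NAT,
    # so every other inbound port on those addresses stays closed.
    rdr on $ext_if proto tcp from any to $pub_vm1 port 443 -> $vm1 port 443
    rdr on $ext_if proto tcp from any to $pub_vm2 port 443 -> $vm2 port 443
    rdr on $ext_if proto tcp from any to $pub_vm3 port 443 -> $vm3 port 443

    # Outbound traffic for the whole LAN leaves from the fourth address.
    nat on $ext_if from $lan_net to any -> $pub_out

    # Default deny inbound on WAN.
    block in on $ext_if

    # pf filters after translation, so pass rules match the private
    # destination, and only the forwarded port.
    pass in on $ext_if proto tcp from any to $vm1 port 443 flags S/SA keep state
    pass in on $ext_if proto tcp from any to $vm2 port 443 flags S/SA keep state
    pass in on $ext_if proto tcp from any to $vm3 port 443 flags S/SA keep state

    # Let the LAN out and allow reply traffic via state.
    pass in on $ext_if inet proto tcp from $lan_net to any flags S/SA keep state
    pass out on $ext_if keep state
    ```

    Load it with `pfctl -nf /etc/pf.conf` to syntax-check before `pfctl -f`; on a pfSense box the GUI regenerates the ruleset, so this is only for understanding or for a plain FreeBSD lab host.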



  • Update:
    You can't have VIPs working with dynamic WAN addresses, AFAIK.

