Netgate Discussion Forum

Port Forwarding with multiple WANs

11 Posts 6 Posters 9.5k Views

    gibo
    last edited by Mar 27, 2013, 2:27 PM

    Hi to all!
    I've successfully set up a pfSense box with 2 WAN connections and 5 internal zones (LAN, DMZ, etc.). The WANs are actually only in failover because the first WAN has 10 Mbit and the second has only 1 Mbit of bandwidth.
    All works correctly, but now I want to forward a port from my second WAN the same as on the primary WAN. Example:
    WAN1 -> WAN1 IP -> TCP 80 (HTTP) -> NAT TO DMZ 192.168.10.10
    and the same rule for WAN2
    WAN2 -> WAN2 IP -> TCP 80 (HTTP) -> NAT TO DMZ 192.168.10.10

    When I try to connect to this port on the public IP of WAN2, I see the connection arrive at the server, but I get no response at the client. Probably the server responds to the connection via the other gateway, but for no reason..
    I've seen other requests on the forum with this issue, but I've not found a solution..

    Thanks in advance and sorry for my poor English!

      cpk
      last edited by Mar 27, 2013, 2:48 PM

      I've been thinking about this, too (after getting a 2nd Internet connection). I assumed I'd have to have two internal IP addresses for each service: one for WAN1 and one for WAN2. Then 1:1 NAT wouldn't get confused about where to deliver the packet (if that's what's happening). Have you thought about that? If so, have you tried it?

        crambo
        last edited by May 16, 2013, 9:41 PM

        Have you resolved this? I have pretty much same exact issue.

          cpk
          last edited by May 16, 2013, 10:25 PM

          @crambo
          I never worked on this any more because our main Internet service seems to be pretty reliable and our other Internet service is used mainly for downloads. I haven't changed my theory, though. I use 1-to-1 NAT for my internal servers, so I need an external address for, say, WWW on each connection. Since those can't both point to the same internal IP address (or it wouldn't be 1-to-1), I would have my server serve the site on two addresses internally and assign one to ISP A and the other to ISP B via 1-to-1 NAT.

            crambo
            last edited by May 16, 2013, 11:53 PM

            Bummer. Thanks for replying. My situation is a little different, but had you figured out the SYN_RECVD issue, I'd likely be on the right track.

            Thanks, tho!

              jimp Rebel Alliance Developer Netgate
              last edited by May 20, 2013, 3:29 PM

              Having such NAT on each WAN works fine, provided your firewall rules and WAN config are proper.

              #1 - Make sure you do NOT use an interface group for WAN firewall rules. Rules on interface groups won't get the reply-to tag to ensure the return traffic exits the proper WAN. Make the rules on the actual WAN/WAN2 tab.

              #2 - Make sure the firewall rule(s) do not have the box checked to disable reply-to.

              #3 - Make sure the master reply-to disable switch is not checked, under System > Advanced, on the Firewall/NAT tab.

              #4 - Make sure your WAN and WAN2 interfaces have a gateway selected on Interfaces > WAN/WAN2. Not having a gateway selected on the Interface page will also make the system omit reply-to on the rules.

                crambo
                last edited by May 20, 2013, 5:34 PM

                #4 was my issue. Thanks for the clarification!

                  kathampy
                  last edited by Jul 22, 2013, 9:10 AM

                  I have this same problem except my second WAN interface is a double NAT. I don't understand whether I should disable reply-to in this case. The port forwards have been replicated on the NAT modem to forward to the second WAN interface and the gateway for the second WAN interface is set to the modem. The port forward only works if I change the default gateway on pfSense to the second gateway. It looks like the reply-to isn't working correctly on a double NAT.

                    jimp Rebel Alliance Developer Netgate
                    last edited by Jul 22, 2013, 4:32 PM

                    reply-to doesn't care about double NAT or public/private IPs.

                    The four points I posted above are all that really matter.

                    It works fine everywhere I use it, and I set it up multiple times per week for customers and never have a problem so long as the configuration is set as I stated.

                      kathampy
                      last edited by Jul 22, 2013, 5:21 PM

                      I got it working. My second double NAT gateway is actually a modem on LAN2. I didn't realise my "* to *" on LAN2 through WAN gateway was preventing the associated port forward rules from executing at all. I changed it to "LAN2 subnet to *".

                        McGlenn
                        last edited by Oct 14, 2013, 10:33 PM

                        Hi Jimp

                        @jimp:

                        Having such NAT on each WAN works fine, provided your firewall rules and WAN config are proper.

                        #1 - Make sure you do NOT use an interface group for WAN firewall rules. Rules on interface groups won't get the reply-to tag to ensure the return traffic exits the proper WAN. Make the rules on the actual WAN/WAN2 tab.

                        #2 - Make sure the firewall rule(s) do not have the box checked to disable reply-to.

                        #3 - Make sure the master reply-to disable switch is not checked, under System > Advanced, on the Firewall/NAT tab.

                        #4 - Make sure your WAN and WAN2 interfaces have a gateway selected on Interfaces > WAN/WAN2. Not having a gateway selected on the Interface page will also make the system omit reply-to on the rules.

                        Great post, thank you for this. It provided me with the needed pointer to make this work for us.

                        The only thing I had to do differently to make this work is not select a gateway on the individual rules. With a gateway selected on the individual rules, it created route-to rules (visible in pfctl -sr); without it, it creates reply-to rules. We are running a 2.1-BETA1 snapshot from 1 April.

                        I do have a gateway selected on the interfaces pages.

                        Thanks again

                        McGlenn

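Added example, not code from this thread or from pfSense itself. jimp's four checks and McGlenn's route-to observation both come down to one thing that is visible in the ruleset pf actually loaded: the WAN "pass in" rule pfSense generates for the port forward must carry a reply-to tag naming that WAN's gateway. The POSIX sh script below audits `pfctl -sr` output for one interface and reports each inbound rule that either has no tag (points #1 to #4) or has route-to in its place (a gateway selected on the rule itself, as McGlenn saw). The interface names em0/em1, the addresses 203.0.113.1, 198.51.100.1 and 192.168.10.10, the rule labels and the function names are assumptions; SAMPLE_RULES is a constructed stand-in shaped like `pfctl -sr` output so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread or from pfSense): audit the rules pf loaded
# for "pass in" rules on a WAN interface that will not pin replies to that WAN.
# On a real box feed it the real ruleset:  audit_reply_to em1 "$(pfctl -sr)"
# SAMPLE_RULES is constructed to look like pfctl -sr output; every interface,
# address and label in it is made up for the demonstration.

SAMPLE_RULES='pass in quick on em0 reply-to (em0 203.0.113.1) inet proto tcp from any to 192.168.10.10 port = 80 flags S/SA keep state label "USER_RULE: NAT HTTP on WAN"
pass in quick on em1 inet proto tcp from any to 192.168.10.10 port = 80 flags S/SA keep state label "USER_RULE: NAT HTTP on WAN2 (no gateway on interface)"
pass in quick on em1 route-to (em1 198.51.100.1) inet proto tcp from any to 192.168.10.10 port = 80 flags S/SA keep state label "USER_RULE: NAT HTTP on WAN2 (gateway set on rule)"'

# audit_reply_to IFACE RULES
# Prints one line per "pass in ... on IFACE" rule that lacks reply-to, saying
# why, and returns 0 only when every inbound rule on IFACE carries reply-to.
audit_reply_to() {
  iface=$1
  rules=$2
  printf '%s\n' "$rules" | awk -v ifc="$iface" '
    $1 == "pass" && $2 == "in" && index($0, "on " ifc " ") > 0 {
      if ($0 ~ /reply-to \(/) {
        ok++
      } else if ($0 ~ /route-to \(/) {
        # A gateway chosen on the rule itself makes pfSense emit route-to
        # instead of reply-to, so the return path is not tied to this WAN.
        bad++; print "ROUTE-TO instead of reply-to: " $0
      } else {
        # No tag at all: interface-group rule, reply-to disabled on the rule
        # or globally, or no gateway selected on the interface (#1 to #4).
        bad++; print "MISSING reply-to: " $0
      }
    }
    END { exit (bad > 0 ? 1 : 0) }'
}

# count_bad IFACE RULES : number of offending inbound rules on IFACE
count_bad() {
  audit_reply_to "$1" "$2" | grep -c 'reply-to' || true
}

# Demo against the constructed ruleset: em0 is clean, em1 has two bad rules.
for ifc in em0 em1; do
  echo "== $ifc =="
  audit_reply_to "$ifc" "$SAMPLE_RULES" && echo "all inbound rules on $ifc carry reply-to"
done
```

Run it from the pfSense shell (Diagnostics > Command Prompt or SSH) with the interface's FreeBSD name from Status > Interfaces. A line flagged ROUTE-TO means a gateway is selected on that rule in the WAN tab and should be cleared; a MISSING line means one of jimp's four settings is wrong for that WAN. Once the right rule shows reply-to, the server's responses to a connection that arrived on WAN2 will leave through WAN2 regardless of the default gateway.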
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.