Port Forwarding with multiple WANs



  • Hi to all!
    I've successfully set up a pfSense box with 2 WAN connections and 5 internal zones (LAN, DMZ, etc.). The WANs are actually only in failover because the first WAN has 10 Mbit and the second has only 1 Mbit of bandwidth.
    All works correctly, but now I want to forward ports from my second WAN the same as the primary WAN. Example:
    WAN1 -> WAN1 IP -> TCP 80 (HTTP) -> NAT TO DMZ 192.168.10.10
    and the same rule to WAN2
    WAN2 -> WAN2 IP -> TCP 80 (HTTP) -> NAT TO DMZ 192.168.10.10

    When I try to connect to this port on the public IP of WAN2 I see the connection arrive at the server, but I get no response at the client. Probably the server responds to the connection via the other gateway, but without reason..
    I've seen other requests on the forum with this issue but I've not found a solution..

    Thanks in advance and sorry for my little English!



  • I've been thinking about this, too (after getting a 2nd Internet connection).  I assumed I'd have to have two internal IP addresses for each service: 1 for WAN1 and one for WAN2.  Then 1:1NAT wouldn't get confused about where to deliver the packet (if that's what's happening).  Have you thought about that?  If so, have you tried it?



  • Have you resolved this? I have pretty much same exact issue.



  • @crambo
    I never worked on this anymore because our main Internet service seems to be pretty reliable and our other Internet service is used mainly for downloads.  I haven't changed my theory, though.  I use 1-to-1 NAT for my internal servers, so I need an external address for, say, WWW on each connection.  Since those can't both point to the same internal IP address (or it wouldn't be 1-to-1), I would have my server serve the site on two addresses internally and assign one to ISP A and the other to ISP B via 1-to-1 NAT.



  • Bummer. Thanks for replying. My situ is a little different, but had you figured out the SYN_RECVD issue, I'd likely be on a right track.

    Thanks, tho!


  • Rebel Alliance Developer Netgate

    Having such NAT on each WAN works fine, provided your firewall rules and WAN config are proper.

    #1 - Make sure you do NOT use an interface group for WAN firewall rules. Rules on interface groups won't get the reply-to tag to ensure the return traffic exits the proper WAN. Make the rules on the actual WAN/WAN2 tab.

    #2 - Make sure the firewall rule(s) do not have the box checked to disable reply-to.

    #3 - Make sure the master reply-to disable switch is not checked, under System > Advanced, on the Firewall/NAT tab.

    #4 - Make sure your WAN and WAN2 interfaces have a gateway selected on Interfaces > WAN/WAN2; not having a gateway selected on the Interface page will also make the system omit reply-to on the rules.



  • #4 was my issue. Thanks for the clarification!



  • I have this same problem except my second WAN interface is a double NAT. I don't understand whether I should disable reply-to in this case. The port forwards have been replicated on the NAT modem to forward to the second WAN interface and the gateway for the second WAN interface is set to the modem. The port forward only works if I change the default gateway on pfSense to the second gateway. It looks like the reply-to isn't working correctly on a double NAT.


  • Rebel Alliance Developer Netgate

    reply-to doesn't care about double NAT or public/private IPs.

    The four points I posted above are all that really matter.

    It works fine everywhere I use it, and I set it up multiple times per week for customers and never have a problem so long as the configuration is set as I stated.



  • I got it working. My second double NAT gateway is actually a modem on LAN2. I didn't realise my "* to *" on LAN2 through WAN gateway was preventing the associated port forward rules from executing at all. I changed it to "LAN2 subnet to *".



  • Hi Jimp

    @jimp:

    Having such NAT on each WAN works fine, provided your firewall rules and WAN config are proper.

    #1 - Make sure you do NOT use an interface group for WAN firewall rules. Rules on interface groups won't get the reply-to tag to ensure the return traffic exits the proper WAN. Make the rules on the actual WAN/WAN2 tab.

    #2 - Make sure the firewall rule(s) do not have the box checked to disable reply-to.

    #3 - Make sure the master reply-to disable switch is not checked, under System > Advanced, on the Firewall/NAT tab.

    #4 - Make sure your WAN and WAN2 interfaces have a gateway selected on Interfaces > WAN/WAN2; not having a gateway selected on the Interface page will also make the system omit reply-to on the rules.

    Great post, thank you for this. It provided me with the needed pointer to make this work for us.

    The only thing I had to do differently to make this work is to not select a gateway for the individual rules. With a gateway on the individual rules, it created route-to rules (pfctl -sr); without it, it creates reply-to rules. We are running the 2.1-BETA1 snapshot from 1 April.

    I do have a gateway selected on the interfaces pages.

    Thanks again

    McGlenn
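The checklist jimp posted and McGlenn's pfctl -sr observation both come down to one thing you can verify on the box: every "pass in" rule on a WAN interface should carry reply-to, and a rule that carries route-to instead (or nothing at all) will send the reply out the default gateway. The script below is an added example, not code from the thread or from pfSense; it audits pfctl -sr output for exactly that. The sample rules, interface names (em0 = WAN, em1 = WAN2, em2 = LAN) and gateway addresses are constructed for the demo.

```shell
# Constructed sample of pfctl -sr output; interface names and addresses are
# assumed values for the demo, not taken from the thread.
SAMPLE_RULES='pass in quick on em0 reply-to (em0 203.0.113.1) inet proto tcp from any to 192.168.10.10 port = http flags S/SA keep state label "USER_RULE: NAT HTTP WAN"
pass in quick on em1 route-to (em1 198.51.100.1) inet proto tcp from any to 192.168.10.10 port = http flags S/SA keep state label "USER_RULE: NAT HTTP WAN2"
pass in quick on em1 inet proto tcp from any to 192.168.10.10 port = https flags S/SA keep state label "USER_RULE: NAT HTTPS WAN2"
pass in quick on em2 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: LAN to any"'

# Print every "pass in" rule on the listed WAN interfaces that has no reply-to.
# A route-to rule (gateway set on the rule) is reported too, since it also
# lacks reply-to and will not pin the return path to the arriving WAN.
# Usage on a live box: find_rules_missing_reply_to "em0 em1" "$(pfctl -sr)"
find_rules_missing_reply_to() {
    printf '%s\n' "$2" | awk -v wans="$1" '
        BEGIN { n = split(wans, w, " "); for (i = 1; i <= n; i++) iswan[w[i]] = 1 }
        $1 == "pass" && $2 == "in" {
            ifn = ""
            # the interface name is the token right after "on"
            for (i = 3; i < NF; i++) if ($i == "on") { ifn = $(i + 1); break }
            if ((ifn in iswan) && $0 !~ /reply-to/) print
        }'
}

# Number of offending rules; 0 means every WAN pass rule carries reply-to.
count_rules_missing_reply_to() {
    find_rules_missing_reply_to "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run against the constructed sample: prints 2 (the route-to
# rule and the bare HTTPS rule on em1).
find_rules_missing_reply_to "em0 em1" "$SAMPLE_RULES"
count_rules_missing_reply_to "em0 em1" "$SAMPLE_RULES"
```

If the count is non-zero on a real box, walk jimp's four points for the rules it printed; a route-to in the output is the per-rule gateway case McGlenn describes.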

