Multi wan interface groups not available for NAT port forwarding



  • I just noticed that if I use 2 WAN connections in a failover manner, I can create interface groups for them, but they don't appear under NAT port forward, so I can't create port forwarding to both WANs at once and still need to add it per interface. Is this by design, or is it a bug?


  • Rebel Alliance Developer Netgate

    Interface groups do not work well with WANs, so that hasn't been looked into.

    Rules on a group tab do not get reply-to, so the traffic will not travel back via the WAN it entered. It will always leave by the default gateway.

    The only place that they do work is in a failover-only scenario with BGP where the default route does actually change from one WAN to the other and only one should work at a time.

    If you want them to work independently, then you can't use a group.
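To make the reply-to point above concrete, here is an added illustration in FreeBSD pf.conf syntax of the kind pfSense generates; it is not from this thread or from pfSense's own rule generator, and the interface names, addresses, gateways and the WANGROUP name are constructed placeholders. It shows why a per-WAN port forward can pin return traffic to the WAN it arrived on, while a single rule on an interface group has no single gateway to pin it to.

```pf
# Added illustration, not pfSense-generated rules. Names and addresses are constructed.
wan1    = "em0"
wan1_gw = "198.51.100.1"
wan2    = "em1"
wan2_gw = "203.0.113.1"
webhost = "10.0.0.10"

# Translation: one rdr per WAN, each matching that interface's own address.
rdr on $wan1 proto tcp from any to ($wan1) port 80 -> $webhost port 80
rdr on $wan2 proto tcp from any to ($wan2) port 80 -> $webhost port 80

# Filter: reply-to takes one (interface gateway) pair per rule, so each state
# created here sends its replies back out the WAN the connection entered on.
pass in quick on $wan1 reply-to ($wan1 $wan1_gw) inet proto tcp from any to $webhost port 80 flags S/SA keep state
pass in quick on $wan2 reply-to ($wan2 $wan2_gw) inet proto tcp from any to $webhost port 80 flags S/SA keep state

# A single rule on an interface group matches on both interfaces, but there is
# no correct single reply-to value to give it: connections that entered via
# $wan2 would have their replies leave by the system default route instead.
# pass in quick on WANGROUP inet proto tcp from any to $webhost port 80 flags S/SA keep state
```

The practical check after building such rules is to watch the state table (Diagnostics > States in the GUI, or pfctl -ss on the shell) for a connection that arrived on the non-default WAN and confirm its state shows that WAN's gateway as the reply-to route; if it does not, replies will exit the wrong ISP and the forward will appear to work only while the default gateway is up.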



  • Probably a GUI solution to this could be allowing the user to create NAT entries using an interface group but actually creating entries in the firewall rules per interface in the group; this way you don't need to have so many entries under NAT for each interface.


  • Rebel Alliance Developer Netgate

    Yes, we have considered that, but it would be a major change to the underlying code. It isn't quite that simple. Interface group support is built into the OS and we simply build off of that.

    I believe there is already an existing ticket in redmine for it somewhere. It may change in 2.2, it may not.

    Floating rules have the same limitation if they attach to multiple interfaces.



  • @xbipin:

    I just noticed that if I use 2 WAN connections in a failover manner, I can create interface groups for them, but they don't appear under NAT port forward, so I can't create port forwarding to both WANs at once and still need to add it per interface. Is this by design, or is it a bug?

    Hello,

    How do you use NAT in a multi-WAN scenario?
    What I want: in case of a failure of one WAN, the NATing will have to change according to which WAN connection is up;
    otherwise the packets leaving the router to the wrong ISP will not be able to be routed by the relevant ISP (wrong NAT).

    How do you create port forwarding rules from the same LAN private IP to different WAN public IPs?
    For example: I have 2 WANs with 16 public IPs each.
    In my WAN1 connection I let my LAN users go out from WAN1_StaticIP_10th,
    and in my WAN2 connection I let the LAN users NAT to WAN2_StaticIP_8th.
    I use manual outbound rules for that. I use some 1:1 rules for my webservers in the DMZ.
    Up to here everything works fine. I cannot figure out how to use manual outbound NAT with multi-WAN.

    1)  You say "port forwarding to both WANs at once".
        Do you refer to NAT port forwarding or to manual advanced outbound NAT rules?

    Are these 2 manual NAT rules possible?
        source    dest    dest port    NAT address
        LAN       *       80           WAN1_StaticIP_10th
        LAN       *       80           WAN2_StaticIP_8th

    Will the above, together with a multi-WAN setup (gateway group with both WANs in Tier 1 and a firewall rule using the group as gateway), work and guarantee that after failover I will be able to NAT?

    2)  What about an email server in my DMZ (static NAT)? May I have 2 lines for every LAN address in the NAT 1:1 rules (similar to the above)?
        I have requested to add 2 addresses in the MX records with the same priority (one WAN1_StaticIP_6th and the other WAN2_StaticIP_9th).

    If (1) and (2) cannot be done, should I use second IPs on the LAN and DMZ hosts and have
    one for WAN1 and one for WAN2?

    Sorry in advance for being too verbose or too much of an idiot….
    Michail

