Dual WAN failover and 1:1 NAT



  • I have two WAN connections.

    The idea is to have each presented to pfSense on their own NIC.

    I currently have one wan setup with a routed /29.

    Second WAN is done via ethernet and also has a /29 available (not sure of the terminology, but rather than being routed to an IP, the /29 is simply the subnet available on that wan interface).

    I already have 1:1 NAT and some manual outbound NAT rules on the existing WAN.

    What I would like to do is create 1:1 NAT for the Second WAN and use that as the main connection, only reverting to the original WAN and it's 1:1 mappings in the event that the other fails.

    Can this be done with one instance of pfSense or would I need to run two boxes with something like CARP on the LAN interface to achieve what I want?


  • Rebel Alliance Developer Netgate

    That works fine.

    For the Second WAN you will need VIPs for the external IPs of the 1:1 NAT, but otherwise it should be the same.

    Traffic that enters WAN or WAN2 will go back out the expected path.

    Traffic that is initiated from the inside will choose a path based on your gateways/groups in LAN-side rules, as it would for any other Multi-WAN setup. As it leaves a particular WAN, the 1:1 NAT for that WAN will apply on the way out.


Log in to reply