PfSense as multi-WAN load balancer in front of Watchguard

  • Hello, first post and I hope you can help.  I'm sure it's an easy answer but I haven't found it yet!

    I have a Watchguard XTM cluster that has connections to two ISPs already and is doing load balancing/failover for the WAN interfaces.  I also am using the Watchguard for branch office VPNs to our other offices, AWS and some partners.

    The XTM devices have 7 ports, all but one of which were in use.

    We recently added some Comcast Business Class connections (3) to gain some additional cheap bandwidth while maintaining our existing expensive but SLA'ed connections.

    Since the Watchguards don't have enough ports, I took an older Watchguard X1250e and installed pfSense on it.  So far I have the 3 connections working as follows:

    Public IPs -> 1-to-1 NAT -> private IPs -> Watchguard, and pfSense is load balancing the 3 Comcast connections properly.

    Now I want to utilize the Comcast connections to provide additional VPN endpoints.

    How do I SNAT one of the public IPs through the pfSense box through to the Watchguard so that it can be the VPN endpoint?

    I found FreeBSD resources where they mention that it is available, but I wasn't sure how to do this in pfSense.  Can anyone please explain?

    Alternately, I wonder if I can use the NAT'ed private IP as the VPN endpoint?

    Thanks so much for your expert assistance!

  • After doing some more thinking and reading, I believe that I do not want to utilize NAT at all for this - I think instead that I should split off a portion of my public subnets and route them instead to the LAN interface so that the public IPs will be available for the Watchguard cluster to consume.

    If anyone knows how to do that I'd appreciate the help but meanwhile I'll keep playing with it.


  • Found the answer, I think, and documenting it for anyone else:

    Bridge external interfaces / LAN interface

    Create a rule on each external interface to allow any traffic from any external address to that interface's external subnet, and a rule for outbound communication from LAN on each of the external interfaces

    IP the Watchguard interface with public VIPs from the external interfaces' subnets

    Now pings are able to go through from public networks through the pfSense to the Watchguard without NAT.

    Also Multi-WAN LB is working.
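
For readers who want to see what the two designs in this thread amount to at the packet-filter level, here is an added example written as a pf.conf fragment (pf is the filter underneath pfSense, and the GUI rules described above compile down to rules of this shape). This is not from the original posts, from pfSense or from Watchguard; the interface names, the Comcast subnets (documentation ranges), the Watchguard VIP and the private address in the 1-to-1 NAT design are all assumptions. Design A is the 1-to-1 NAT arrangement from the first post; Design B is the bridged, NAT-free arrangement from the last post.

```pf
# Added example, not from the thread, pfSense or Watchguard. All interface
# names, subnets and addresses below are assumptions.
#
# Assumed interfaces: em0 = LAN toward the Watchguard cluster,
# em1..em3 = the three Comcast Business links.
lan  = "em0"
wan1 = "em1"
wan2 = "em2"
wan3 = "em3"
wans = "{ em1 em2 em3 }"

# Assumed Comcast static blocks (RFC 5737 documentation ranges).
wan1_net = "203.0.113.0/29"
wan2_net = "198.51.100.0/29"
wan3_net = "192.0.2.0/29"
public_nets = "{ 203.0.113.0/29 198.51.100.0/29 192.0.2.0/29 }"

# Default deny on everything; pfSense keeps a rule like this at the top.
block in log all

# ---------------------------------------------------------------------------
# Design A (first post): public IP mapped 1:1 onto a private address on the
# Watchguard. Shown commented out because the thread moved away from it.
# pfSense owns 203.0.113.10; the Watchguard only ever sees 10.10.0.10.
# ---------------------------------------------------------------------------
# binat on $wan1 from 10.10.0.10 to any -> 203.0.113.10
# pass in quick on $wan1 inet proto { udp esp } from any to 10.10.0.10 keep state

# ---------------------------------------------------------------------------
# Design B (last post): bridge the WANs with the LAN and route the public
# subnets straight through, so the Watchguard can hold a public VIP itself.
#
# Step 1 is not a pf rule: create bridge0 with members em0, em1, em2, em3
# (Interfaces > Assign > Bridges in pfSense). With pfSense's default tunables
# net.link.bridge.pfil_member=1 and net.link.bridge.pfil_bridge=0 the rules
# below are evaluated on the member interfaces, not on bridge0.
#
# There are deliberately no nat/binat/rdr lines: addresses cross unchanged.
# ---------------------------------------------------------------------------

# Step 2a: on each WAN, pass anything from outside to that WAN's own public
# subnet. The Watchguard VIP (assumed 203.0.113.10) lives inside $wan1_net,
# so IKE (udp/500, udp/4500) and ESP for its new VPN endpoint arrive intact.
# Keeping the destination scoped to the public subnet rather than "any"
# leaves pfSense's own LAN address and any private hosts on the bridge
# behind the default deny.
pass in quick on $wan1 inet from any to $wan1_net keep state
pass in quick on $wan2 inet from any to $wan2_net keep state
pass in quick on $wan3 inet from any to $wan3_net keep state

# Step 2b: outbound from the LAN side. Traffic from the Watchguard enters
# pfSense on em0 (the LAN member) carrying a public source address, then
# leaves on whichever WAN member the bridge forwards it to.
pass in  quick on $lan  inet from $public_nets to any keep state
pass out quick on $wans inet from $public_nets to any keep state

# Step 3 is configured on the Watchguard, not here: give its external
# interface 203.0.113.10/29 with gateway 203.0.113.1 (assumed Comcast
# gateway), and likewise one VIP from each of the other two blocks.
```

Two points worth keeping in mind with Design B. First, the "from any" rules in step 2a mean pfSense no longer filters what reaches the Watchguard's public VIPs; all host-level exposure on those addresses is now the Watchguard's policy to manage, which is fine for a VPN endpoint whose only listeners are IKE and ESP but should be a conscious choice. Second, because the LAN is a bridge member, anything with a public source address on the LAN side can send out every WAN; if other equipment ever shares that LAN segment, tighten the step 2b source list from the whole public subnets down to the specific Watchguard VIPs.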
