Outbound NAT with Virtual IP

  • I am currently running 2.1-release, and was running 2.0

    There are two cable MODEMs connected to my WAN interface, each on their own subnet.  I have a fixed IP for the one subnet assigned to the interface for the first cable MODEM (which is also the default gateway), and a virtual IP assigned to the interface for the second cable modem.  I have aliases set up for PCs for each cable MODEM, plus outbound traffic rules (different gateways) and NAT rules for each alias.

    pfsense em1---fiber transceiver---fiber---fiber transceiver---Cable MODEM/Router 1 (default route)--- Internet
                                                                                                              \                                                              /
                                                                                                                Cable MODEM/Router 2 ------------

    Outbound traffic over the first cable modem is fine.  Traffic over the second cable MODEM stopped working when I upgraded to 2.1-Release.  It was working before the upgrade, I think I was on 2.0 before.  I can ping both cable MODEMs from the router, and traceroute shows it goes directly out the interface to the cable MODEM.

    If I run packet capture on the WAN interface filtering the IP I am trying to get to, I see the 3 outbound (web) requests (coming from the pfsense virtual IP which I think means NAT is working), but nothing ever comes back.

    If I try to get to the 2nd cable MODEM from a PC that is in the access list to go out over that MODEM I see ACK packets coming back on wireshark on the PC, but the browser times out.

    If I plug my PC into the cable MODEM directly and give it the IP address of the pfsense virtual IP I can get on the net on my PC.

    My guess is that something changed with the upgrade that broke NAT or something else when using an IP Alias.  I've tried it with "Proxy ARP" and "Other" with no luck.  Am I going to have to figure out how to do this with VLANs?  I think that means I need to introduce a switch into the configuration, but I'm not sure.
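The check the poster did by eye (outbound requests leaving from the virtual IP, nothing ever coming back) is easy to automate over a text capture. Below is an added example, not code from the poster or from pfSense, that reads tcpdump-style lines and reports every TCP flow that left a local NAT address without any packet returning in the other direction. The capture lines and the addresses (203.0.113.5 as the interface IP, 203.0.113.10 as the virtual IP, 198.51.100.5 as the remote web server) are constructed for the example.

```python
"""Flag one-way (unanswered) TCP flows in `tcpdump -n` text output.

Constructed example: lines shaped like the default tcpdump -n output for
TCP, e.g.
  12:00:00.000001 IP 203.0.113.10.51000 > 198.51.100.5.80: Flags [S], ...
"""
import re
from collections import defaultdict

# Timestamp, "IP", src.sport > dst.dport: Flags [..]; everything after the
# flags (seq, win, length) is ignored.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed capture: the interface IP completes a handshake, the
# virtual IP sends three SYNs (original plus two retransmits) and hears
# nothing back, which is the symptom described in the post.
SAMPLE_CAPTURE = [
    "12:00:00.000001 IP 203.0.113.5.40000 > 198.51.100.5.80: Flags [S], seq 1, win 65535, length 0",
    "12:00:00.020001 IP 198.51.100.5.80 > 203.0.113.5.40000: Flags [S.], seq 9, ack 2, win 65535, length 0",
    "12:00:00.020101 IP 203.0.113.5.40000 > 198.51.100.5.80: Flags [.], ack 10, win 65535, length 0",
    "12:00:01.000001 IP 203.0.113.10.51000 > 198.51.100.5.80: Flags [S], seq 1, win 65535, length 0",
    "12:00:02.000001 IP 203.0.113.10.51000 > 198.51.100.5.80: Flags [S], seq 1, win 65535, length 0",
    "12:00:04.000001 IP 203.0.113.10.51000 > 198.51.100.5.80: Flags [S], seq 1, win 65535, length 0",
    "12:00:05.000001 ARP, Request who-has 203.0.113.1 tell 203.0.113.10, length 28",
]


def parse_line(line):
    """Return (src, sport, dst, dport, flags) or None for non-TCP lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])


def unanswered_flows(lines, local_ips):
    """Flows that left a local (NAT) address with no reply seen.

    Returns a sorted list of (local_ip, local_port, remote_ip, remote_port,
    packets_sent). A flow counts as answered as soon as any packet arrives
    from the remote side addressed to the same local ip/port pair.
    """
    sent = defaultdict(int)
    answered = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, sport, dst, dport, _flags = parsed
        if src in local_ips:
            sent[(src, sport, dst, dport)] += 1
        elif dst in local_ips:
            # Key the reply under the same orientation as the outbound flow.
            answered.add((dst, dport, src, sport))
    return sorted(
        (key + (count,)) for key, count in sent.items() if key not in answered
    )


def report(lines, local_ips):
    """Human-readable summary, one line per unanswered flow."""
    rows = unanswered_flows(lines, local_ips)
    if not rows:
        return "all outbound flows received a reply"
    return "\n".join(
        f"{lip}:{lport} -> {rip}:{rport}: {n} packet(s) sent, no reply"
        for lip, lport, rip, rport, n in rows
    )


if __name__ == "__main__":
    print(report(SAMPLE_CAPTURE, {"203.0.113.5", "203.0.113.10"}))
```

Run against a real capture with `tcpdump -n -i em1 tcp > wan.txt` and feed the file's lines to `report()` with the interface IP and every virtual IP as `local_ips`; a flow that shows up only from the virtual IP, as here, points at the return path (the modem or upstream not routing the VIP back to you) rather than at the outbound NAT rule itself.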

  • Update:

    I found that if I change the IP address of the Virtual IP (IP Alias), one (and only one) machine in the appropriate access list will go out over that connection, but it is NATted to the IP address of the first Virtual IP.

    I also configured the two cable MODEMs exactly the same (with the exception of the IP addresses) and can get to both of them now.