[2.1] Possible gateway issue with move to new IP's / Multi-Wan –gateway?

  • Hello pfsense guru's!

    I come to thee with a great issue!

    Okay not overly great, but one i think i know what the problem is but i am not %100 sure.

    I have PFSense 2.1, i do not want to run Multi-WAN in the end,but i think because of how i am trying to do this migration, i am semi doing Multi-WAN (no fail over)

    I have 2 IP ranges, from the same ISP.

    We are migrating over to a new C Class from a /27 range.

    WAN - > /27
    WAN2 -> /24
    LAN ->

    I do have Manual OutBound NAT enabled because i have a PBX behind this system and it was the only way it would work using static port.

    I am attempting to do a "no down time" migration to the new C Class of all the services behind this pfsense, and thus far it is going well, except for this one issue, going out all traffic only works over WAN connection.

    I have redone all of my NAT rules and all inbound traffic is coming IN via my WAN2 range, no problems there as in i can access my sites via the new ranges, the problem is outbound traffic.

    In my outbound nat rules, if i for example change my rule for www01 / server, as i am only moving 1 box at a time , current settings being for Manual Outbound NAT are:

    Interface  WAN
    Protocol TCP
    –Type    Network
    -_Dest Port any
    Translation Interface Adddress or  - works with either

    Changed to:

    Interface  WAN2
    Protocol TCP
    –Type    Network
    -_Dest Port any
    Translation Interface Adddress or

    The system has no outbound access.

    i do have an Allow all on my WAN2 for outbound just incase

    Am i right to assume this is a gateway issue? Are the LAN servers attaching them selves to the Gateway of the WAN link because it is set as the default gateway?

    if so, (after reading for the last day) can someone guide me, if posible, as to how i can have both ranges working, while using Manual Outbound nat?

  • The outbound NAT rules only tell the system what to do IF a packet needs to go out the specified interface - to what IP address, port etc to change the source details of the packet. It does not make any different routing happen.
    When you change the NAT rule, you effectively lose the previous NAT rule on WAN, so the NAT on WAN no longer works. But if you don't change the routing also, the traffic is still going out WAN, but no longer being NAT'd.
    I would keep the existing NAT rules on WAN and add a similar thing on WAN2. Then add policy-routing firewall rule/s on LAN that send the traffic from each LAN device to WAN2 gateway (as you move each one over).
    Once a LAN device is getting out OK through WAN2, then you can delete the now-unused NAT rule on WAN.
    Eventually, once everything is moved over, you can change the default gateway to WAN2, and at that time you could remove the policy-routing rules - the default gateway will now push everything to WAN2 anyway.

  • Thank you sir!

    i was hoping to have something to work with today, i had just started reading over the  Gateway settnig doc https://doc.pfsense.org/index.php/Gateway_Settings  convinved it was a gateway issue, i was about read to set my new C class as default gateway and just do damage control.

    Will check out the policy based routing firewall rules, i assume with this i just make

    Gateway as WAN2

    and of course any other options needed?

    Going to test.

    Thanks again.

  • I must be brain dead, or not woken up from the weekend yet.

    Here is what i did, testing server

    1. Firewall / Rules / LAN : (Policy based rule , i believe)

    Interface: LAN
    TCP/IP IPv4
    Procotol any  (just for testing)
    Destination any
    Advanced features
    –Gateway WAN2

    2. Firewall / NAT / Outbound
    Interface: WAN2
    Procotol any  (just for testing)
    Destination any
    Translation Interface Address

    Should i be using /32 on the outbound nat or /31 like the firewall rule?

  • That looks reasonable. /31 on the firewall rule should not matter - it will allow both .2 and .3 and policy route them to WAN2. Then the source IP should get translated to the WAN2 interface address on the way out of WAN2.
    I haven't actually tried something like this myself, so if anyone else has then please suggest what might be the problem.

  • I guess more reading!

    I may set up a 2nd pfsense box to test this on if i have time, has me curious now, no problem shall defeat me!

    i do have most of our main websites proxied and cached on other servers, so if i have to, i may just do an outage window, make the new range the default gateway and do it that way, just be nice if i can do it this way, learn something new and downtime is non-existent.

  • I have redone the rules just in case i had a blonde moment at some point but i still cant seem to force traffic out over the new WAN2 link / gateway.

  • must be an angel in disguise out there who knows what i am doing wrong here, i would say i am pulling my hair out here, but it is to short to do that  ;D

  • So i am not sure if this fixed it, or me deleting one of my other WAN links did

    I went in and madea gateway group, added my 2 WAN connections to it. my WAN as Tier 1 and my WAN2 as Tier 2,

    i then made the firewall rules and choose the gateway as my WAN2, and set my OutBound NAT as my WAN2 link and BAM things worked

    i also put the Outbound Wan rules and also the firewall LAN rules at the very top of the list.

  • i also put the Outbound Wan rules and also the firewall LAN rules at the very top of the list.

    This sounds like what fixed it - if you have a more general ordinary pass rule above the policy-routing rule, then the traffic will be passed to the ordinary routing table by the general rule. The later special rule with the policy-routing gateway specified will never come into play.

Log in to reply