Setting Outbound NAT on separate interface for specific internal IPs



  • Hello!

    I have a new-ish pfSense system (replacing some outdated dedicated firewall systems) and am loving it so far.

    However, I have a minor problem I can't seem to figure out.

    We have two WAN connections, and one is going away.  I need to be able to move outbound NAT for certain servers over to the new link one at a time (a lot of the outside services we access require us to be white-listed, so I want to move stuff over one piece at a time rather than all at once).

    What I've done is configured the two WAN interfaces and the LAN interface.  The first WAN interface (old, slow ISP) has a gateway and has default gateway checked.  The second WAN (new, fast ISP) has a gateway, but default gateway is not checked.

    Under outbound NAT, I've added a new rule at the top of the list that looks like:
    WAN2 10.1.0.120/32 * * * [WAN2IP] * NO

    (source 10.1.0.120/32, port, dest, dest port all *, NAT address WAN2's IP, Nat port *, Static Port No)

    I would expect that this rule would then make all outgoing traffic from 10.1.0.120 go to WAN2 instead of WAN, but the outgoing traffic is still NAT'd by the second rule instead.

    Since all other rules in pfSense seem to run from top to bottom, I made that assumption here as well.

    Any advice would be appreciated.

    Thanks!
    -S



  • The outbound NAT entry just means that IF there are any packets from that source IP exiting WAN2, THEN they will be NAT'd on the way out.
    Now you need to get the routing to actually send packets out WAN2. That is policy-routing. Add a rule up the top of Firewall->Rules, LAN, to pass source IP 10.1.0.120/32 destination any gateway WAN2GW.
    The gateway selection is in the advanced firewall rules section when adding a rule.
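The two halves of the fix above (a policy-routing pass rule on LAN with the WAN2 gateway, plus an outbound NAT entry on WAN2) can be verified on the box itself by reading the pf ruleset pfSense generates: `pfctl -sr` shows the filter rules, where policy routing appears as a `route-to` clause, and `pfctl -sn` shows the NAT rules, which only match packets that are actually leaving the named interface. The script below is an added example and not part of the thread or of pfSense; it embeds constructed samples of that output so it runs anywhere, and the interface names (em0 LAN, em2 WAN2), addresses and gateway IP are assumptions. One caveat worth keeping in mind: a LAN rule with destination "any" and a gateway set will also steer that host's traffic to other local or VPN networks out WAN2, so a plain pass rule (no gateway) for internal destinations has to sit above it.

```shell
#!/bin/sh
# Added example: check that pfSense's generated pf ruleset contains both the
# policy-routing rule and the outbound NAT rule for one migrated host.
# Interface names, addresses and the gateway IP below are assumptions.
#
# On a live pfSense box the rules come from:
#   FILTER_RULES=$(pfctl -sr)   # filter rules; policy routing shows as route-to
#   NAT_RULES=$(pfctl -sn)      # NAT rules, matched per egress interface
# Here they are replaced by constructed samples so the script runs offline.

HOST=10.1.0.120        # server being moved to the new link
LAN=em0                # assumed LAN interface
WAN2=em2               # assumed WAN2 interface
WAN2GW=203.0.113.1     # assumed WAN2 gateway address
WAN2IP=203.0.113.10    # assumed WAN2 interface address

# Constructed sample of `pfctl -sr` after adding the LAN rule with gateway WAN2GW.
SAMPLE_FILTER='pass in quick on em0 route-to (em2 203.0.113.1) inet from 10.1.0.120 to any flags S/SA keep state label "USER_RULE: policy-route 10.1.0.120 via WAN2"
pass in quick on em0 inet from 10.1.0.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"'

# Constructed sample of `pfctl -sn` for the outbound NAT table from the first post.
SAMPLE_NAT='nat on em2 inet from 10.1.0.120 to any -> 203.0.113.10 port 1024:65535
nat on em1 inet from 10.1.0.0/24 to any -> 198.51.100.10 port 1024:65535'

# has_policy_route RULES HOST LAN WAN2 WAN2GW
# Returns 0 when a pass rule on LAN steers HOST out WAN2 via WAN2GW.
has_policy_route() {
    printf '%s\n' "$1" | grep -qF -- "pass in quick on $3 route-to ($4 $5) inet from $2 to any"
}

# has_outbound_nat RULES HOST WAN2 WAN2IP
# Returns 0 when HOST is translated to WAN2IP on its way out of WAN2.
has_outbound_nat() {
    printf '%s\n' "$1" | grep -qF -- "nat on $3 inet from $2 to any -> $4"
}

# check_migration FILTER_RULES NAT_RULES HOST LAN WAN2 WAN2GW WAN2IP
# Prints what is present and returns 0 only when both rules exist.
check_migration() {
    rc=0
    if has_policy_route "$1" "$3" "$4" "$5" "$6"; then
        echo "ok: $3 is policy-routed out $5 via $6"
    else
        echo "MISSING: no route-to rule for $3 on $4; it still follows the default gateway"
        rc=1
    fi
    if has_outbound_nat "$2" "$3" "$5" "$7"; then
        echo "ok: $3 is NATed to $7 when leaving $5"
    else
        echo "MISSING: no outbound NAT for $3 on $5; its packets would leave unNATed"
        rc=1
    fi
    return $rc
}

check_migration "$SAMPLE_FILTER" "$SAMPLE_NAT" "$HOST" "$LAN" "$WAN2" "$WAN2GW" "$WAN2IP"
```

Replace the two sample variables with the real `pfctl -sr` and `pfctl -sn` output to run this against a live firewall; a host that only has the NAT entry (the situation in the first post) fails the first check, which is the symptom described.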



  • You are a gentleman and scholar sir.

    That was it exactly.

    Thank you for your help!

    -S

