Outbound NAT : Working only on the first interface

Raks

pfSense Version : 2.1.4-RELEASE(amd64)

Hello everyone,
I have a problem with Outbound NAT
It's on a ESXi server, at OVH

I have 2 RIPE blocks of /30 (4 IP)
They each got a virtual MAC adress who is attributed by OVH

Each IP is an adapter in esxi, each one with their OVH MAC (00:50:56:xxx)

So in pfSense I have :
em0 + em1 : LAN
em2 + em3 + em4 + em5 + em6 + em7 + em8 + em9 : WAN

For the em2 to em9 interfaces, I got a startup script who is adding routes
to the OVH gateway :
route add -net 3FIRSTBLOCKSOF-ESXIIP.254 -iface em2
route add default 3FIRSTBLOCKSOF-ESXIIP.254

Rinse and repeat for every other WAN interface (em3, em4, etc)

I got NAT from outside working to LAN ip, which is great

But the problem as stated is for outbound NAT
I want to set a default rule for my LAN block : 172.16.0.0/12 for outgoing
from the first interface, and for individual LAN ip, maybe another outgoing
IP from other em WAN interfaces

The main concern is.. for testing, if I set a outbound NAT with the first
WAN interface (em2) for all my LAN netblock (172.16.0.0/12), all is going
great.. I'm getting internet on my LAN clients

At the moment I select another outgoing interface in the dropdown menu "Interface",
internet is dropping from my LAN clients and when I make traceroutes I can go
to the pfsense gateway but after there is only * * * in the traceroute for 30 hops.

Any idea what is happening ?

Sorry, I searched but didn't find any interesting results.
I'm a begineer in pfSense, I was using Shorewall before and used masq file and all
was going great

Thanks for considering my question

Regards,
Tom

cmb

It's still going out the same way, just not being NATed after you moved the NAT rule. NAT strictly defines translations, when traffic is on X interface, do Y. It has no influence on where traffic goes. The recording of the last hang out would probably be useful, as I walked through that type of scenario with multi-WAN NAT. Also gone through in great detail in the 2.1x book. Both available for immediate download after purchase of gold subscription. https://portal.pfsense.org/gold-subscription.php

Though your scenario is a bit unusual because of the way things work with OVH. You don't actually have multi-WAN in this case. Just NAT using the additional WANs' IPs, but using only WAN as that should be your only egress interface in that situation.

There may be additional complications inherent in that setup because of the weird deal of adding NICs to add IPs (which doesn't happen in most any other scenario), as you're going to end up with asymmetric traffic. That gets potentially very complicated depending on specifics, more than I have time to get into here. Definitely something we could go over with you in detail under our support subscription. Nothing insurmountable, it's just complicated because of OVH's setup.

Raks

Hello cmb,

Thanks for your answer

I'll get a second look
and
I'll ask my CFO about the paid support subscription ;-)

Regards,
Tom

pamaxa

Hello Raks,
I've faced with the same problem.

If you have some info share it please.

Thank you.

Regards,
Roman.

ramroum

Hi there,

Have you found a solution to your problem ? I'm in the same scenario. I've got an OVH Server 4 Failover IP, 4 WAN interfaces on pfsense.

All my outbound traffic goes out through the first WAN1 Interface. I've tried outbound natting but my traffic won't go out from interface WAN2 or others.

If you've found a solution that would be great !

Cheers,

Ram