Failover and 1:1 NAT

  • Hi! What type of configuration i've to do (in case it is possible), after i've successfully created a failover with dual wan, when i've a host on my lan that is mapped using a 1:1 NAT configuration. When the primary lines goes down, this machine can ping an internet ip address and tracing routes show that wan2 is taking place of the primary wan, but browsing does not work. Is it just a matter of placing a second 1:1 NAT mapping to use a public ip address from the wan2 pool? Thanks.

  • AFAIK, You cannot use 1:1 NAT with multiple WANs. Port-forwards on both WANs and advanced outbound NAT rules will work, and comes close to the functionality of a 1:1.

  • Ok,so to let a single host always use the same public ip i can use an entry in advanced outbound nat instead of 1:1 nat. But can i make two entries one for both public subnet of wan1/wan2 so that when wan1 fails to wan2, the host use the other mapping using a public ip from wan2 pool?

  • I've setup advanced outbound nat, vip and port forward, to connecto to the same internal host, using both the wans with the proper pubblic ip. But i cannot connect to the host from outside using wan2 public ip configured as a vip. I've configured two advanced outbound nat entries each one with a public ip from the respective wans pool.

    Any suggestions?

  • what about firewall rules? You need firewall rules on WAN2 also.

  • I've done this lots of times, it should just work.
    Here are a couple of things to double-check:
    VIPs are added to correct interface.
    AON references WAN2 and WAN2 VIP
    AON rules for host are before rules for subnet
    Port forward has correct interface and VIP
    Firewall rule allowing traffic on correct interface (should be auto-created)

  • Thanks a lot dotdash! I doubled checked all the steps, and now it works perfect! This is my 4th pfsense deployment, and i think that I'm going to replace all of my customers linux based firewalls, because i think that pfsense deserve. cya

Log in to reply