Netgate Discussion Forum

Trying to understand NAT when pfSense is not default gateway

    joppybt (Sep 21, 2014, 1:52 PM)

    In our setup we have two WAN addresses. An old physical router is listening to one address and pfSense (2.1.5) is listening to the other address. The physical router is (still) the default gateway for the LAN.

    We have a domain name where the url points to the pfSense external ip and we NAT that to a webserver on the LAN.
    The problem: I can get this to work only when I change the default gateway on the webserver to point back to pfSense.

    To some extent I can understand this: packets have to return through the same IP as they entered the LAN. What I however do not understand: what is the role of 'reply-to' in the firewall rules? Is that not supposed to solve this problem?
    (wild guess: reply-to will only help when both WAN addresses are handled by the same pfSense, not when one address is handled by a different router?)

    Second question: before pfSense we had an ISA server doing the NAT for the internal webserver. It did not have a problem with the gateway being set to a different IP address. I found out this worked because of a checkbox 'Make requests appear to originate from this ISA server' which replaced the IP address so that the website sent the answer back to the ISA server. Is there an equivalent feature in pfSense?

      johnpoz, LAYER 8 Global Moderator (Sep 21, 2014, 2:19 PM)

      ISA is a proxy..  Using NAT is not the same thing as a proxy..  You could install one of the packages that allows for reverse proxy - one of those might have the setting your ISA did.

      Why don't you just put both wan connections on the pfsense box as how to solve this?

      Or have the webserver use pfSense as its default gateway if that is where the traffic comes in.  If you go out the other router you have an asynchronous routing issue.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

        joppybt (Sep 21, 2014, 5:53 PM)

        @johnpoz:

        ISA is a proxy..  Using NAT is not the same thing as a proxy..  You could install one of the packages that allows for reverse proxy - one of those might have the setting your ISA did.

        The squid3 reverse proxy seems to rewrite the source address like ISA so that might be the solution. I will look into that.
        But it seems to only apply to HTTP traffic. If I wanted to use port 22 for SSH it might not help?

        Why don't you just put both wan connections on the pfsense box as how to solve this?

        Or have the webserver use pfSense as its default gateway if that is where the traffic comes in.  If you go out the other router you have an asynchronous routing issue.

        Having pfSense handle all WAN addresses is my end goal and will probably solve my problems. For the time being however I am stuck with the current multi-WAN.
        (we have 10 VOIP phones that connect directly to an external VOIP provider. This works fine with our old and simple WRT54G router but fails with more modern routers. It makes me very hesitant to switch them to pfSense. I have yet to try the siproxd package)

        Am I correct that the 'reply-to' feature of the firewall only applies to the multi-WAN where pfSense handles all addresses?

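The following is an added illustration, not code from the thread and not pfSense code: a toy model of the path a port-forwarded connection takes when the LAN web server's default gateway is the other router, and of the effect of masquerading the forwarded traffic behind pfSense's LAN address (the closest pfSense counterpart to the ISA "make requests appear to originate from this server" option, configured as an Outbound NAT rule on the LAN interface with the web server as destination and the interface address as translation). All addresses are constructed documentation-range values. The model is deliberately protocol-agnostic, so it shows the same result for any forwarded port, not just HTTP. It also shows why `reply-to` cannot help here: `reply-to` only steers a reply that actually reaches pfSense, and in the broken case the reply goes to the other router instead.

```python
"""
Constructed toy model (not pfSense code) of asymmetric routing with a port
forward: the client's SYN enters via pfSense, but the server's reply follows
the server's default gateway. Addresses below are made up.
"""
from dataclasses import dataclass, replace

CLIENT = "203.0.113.10"          # Internet client (constructed)
PFSENSE_WAN = "198.51.100.2"     # WAN address the site's DNS name points to
PFSENSE_LAN = "192.168.1.2"      # pfSense LAN address
OLD_ROUTER_LAN = "192.168.1.1"   # old physical router, the LAN default gateway
WEBSERVER = "192.168.1.80"       # port-forward target
LAN_PREFIX = "192.168.1."


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def reply_key(p: Packet):
    """State-table key in the reply direction for a forwarded packet."""
    return (p.dst, p.dport, p.src, p.sport)


class PfSense:
    """Stateful firewall: port forward on WAN, optional masquerade toward LAN."""

    def __init__(self, masquerade_on_lan: bool):
        self.masquerade_on_lan = masquerade_on_lan
        self.states = {}  # reply-direction key -> original WAN packet

    def wan_in(self, p: Packet):
        # Port forward (DNAT): anything hitting WAN:80 goes to the web server.
        if not (p.dst == PFSENSE_WAN and p.dport == 80):
            return None  # no matching rule: default deny
        fwd = replace(p, dst=WEBSERVER)
        if self.masquerade_on_lan:
            # LAN-side outbound NAT: the server sees pfSense's LAN IP as the
            # source, so its reply is addressed to pfSense, not to the client.
            fwd = replace(fwd, src=PFSENSE_LAN, sport=40001)
        self.states[reply_key(fwd)] = p
        return fwd

    def lan_in(self, p: Packet):
        orig = self.states.get((p.src, p.sport, p.dst, p.dport))
        if orig is None:
            return None  # no state for this reply: dropped
        # Undo both translations: reply leaves WAN from pfSense to the client.
        return Packet(src=PFSENSE_WAN, dst=orig.src, sport=80, dport=orig.sport)


class OldRouter:
    """The other router never saw the inbound SYN, so it holds no state for it."""

    def lan_in(self, p: Packet):
        return None  # dropped or rewritten with the wrong source; session broken


class WebServer:
    def __init__(self, default_gateway: str):
        self.default_gateway = default_gateway

    def reply(self, p: Packet):
        r = Packet(src=WEBSERVER, dst=p.src, sport=p.dport, dport=p.sport)
        # Host routing: on-link destinations go direct, the rest via default gw.
        next_hop = r.dst if r.dst.startswith(LAN_PREFIX) else self.default_gateway
        return r, next_hop


def session_completes(webserver_gateway: str, masquerade_on_lan: bool) -> bool:
    """True if the client's SYN gets a reply back from pfSense's WAN address."""
    pf = PfSense(masquerade_on_lan)
    web = WebServer(webserver_gateway)
    syn = Packet(src=CLIENT, dst=PFSENSE_WAN, sport=51234, dport=80)
    reply, next_hop = web.reply(pf.wan_in(syn))
    if next_hop == PFSENSE_LAN:
        out = pf.lan_in(reply)
    elif next_hop == OLD_ROUTER_LAN:
        out = OldRouter().lan_in(reply)
    else:
        out = None
    return out is not None and out.src == PFSENSE_WAN and out.dst == CLIENT


if __name__ == "__main__":
    for gw, masq in [(PFSENSE_LAN, False), (OLD_ROUTER_LAN, False), (OLD_ROUTER_LAN, True)]:
        label = "pfSense" if gw == PFSENSE_LAN else "old router"
        print(f"gateway={label:10s} masquerade={masq!s:5s} works={session_completes(gw, masq)}")
```

The trade-off of the masquerade workaround is visible in the model: once the source is rewritten to pfSense's LAN address, the web server's access logs, fail2ban-style rate limits and any per-client allow lists only ever see `192.168.1.2`, so client attribution for incident response is lost at the server and has to come from the pfSense state or firewall logs instead. Moving the server's default gateway to pfSense (or all WAN links onto pfSense) keeps the real client address intact.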
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.