How to configure multiple WANs on one Uplink



  • Hi all,

    I'm very new to pfSense, but got requested to configure one for the company.

    I've almost got everything configured, but am stuck at how to let all our WANs
    go through one uplink address. From what I am hearing, this should be possible
    to accomplish. I've tried looking it up on both the pfSense Guide as well as
    the forums, but since I can't find a related situation to mine, I hereby ask you
    guys for some help.

    What it looks like now (with example WAN IPs):

    WAN1: 000.000.000.58 with internal IP addresses on LAN1: 192.168.1.1 - 192.168.1.245
    WAN2: 000.000.000.61 with internal IP addresses on LAN2: 192.168.2.1 - 192.168.2.245
    WAN3: 000.000.000.59 with internal IP addresses on LAN3: 192.168.3.1 - 192.168.3.245

    The way I have it set up now is as follows:

    -First I configured all the interfaces, whereas I now have 3 WAN interfaces with Static IPv4
    addresses configured. Example: WAN1 interface has a static IP of 000.000.000.59 and an
    IPv4 Upstream Gateway: 000.000.000.57 (which would be the broadcast address for all WANs).

    The problems start right here, because I can't add this address to any more interfaces, because "it
    already exists", but isn't selectable from the drop-down menu. This is one of the reasons why we
    want one WAN interface to handle all three of our WAN addresses with one uplink address.

    So the question in short: is there a way to have one uplink/upstream address for all WANs?
    And if so, is there also a way to have just one WAN interface and three LAN interfaces in the
    following way:

    WAN interface must have an uplink/upstream gateway of: 000.000.000.57 for the following
    WAN addresses: 000.000.000.58, 000.000.000.59 and 000.000.000.61 whereas

    WAN1: 000.000.000.58 = for LAN1 interface w/ internal range of: 192.168.1.1 - 192.168.1.245
    WAN2: 000.000.000.61 = for LAN2 interface w/ internal range of: 192.168.2.1 - 192.168.2.245
    WAN3: 000.000.000.59 = for LAN3 interface w/ internal range of: 192.168.3.1 - 192.168.3.245

    WAN interface is not going to get a DHCP function, because it needs to be all three of the
    WAN addresses. The LAN interfaces are going to get the DHCP function for the ranges listed above.

    In other words

    • all traffic from the 192.168.1.x range must go through the WAN interface as
      000.000.000.58 and then through the uplink of: 000.000.000.57

    • all traffic from the 192.168.2.x range must go through the WAN interface as
      000.000.000.61 and then through the uplink of: 000.000.000.57

    • all traffic from the 192.168.3.x range must go through the WAN interface as
      000.000.000.59 and then through the uplink of: 000.000.000.57

    Can this be done, yes or no?

    If you need any more information, feel free to ask and I'll happily elaborate.

    Thank you very much in advance!

    Grtz,

    Jeff



  • You need to use manual outbound NAT.

    One WAN interface and multiple LAN interfaces.

    First get down to 1 WAN connection.

    Second create Virtual IPs for the other IPs that you need on the WAN connection.

    Firewall -> Virtual IPs

    Create IP Alias for the other WAN IPs

    Third create manual outbound NAT rules.

    Firewall->NAT and then the Outbound Tab.



  • Hi Jammcla,

    Thanks for your input, however I've been told that I should rephrase my question in
    order to get good replies.

    So what we want is to have just one WAN interface to carry over 3 WAN IP addresses
    (in total 4, since the interface needs one as well).

    WAN interface static IP: xxx.xxx.xxx.62
    WAN distributed IP1: xxx.xxx.xxx.58 which would need to be connected to LAN
    interface 1, which should have DHCP on for a range of 192.168.1.10 to 192.168.1.245
    WAN distributed IP2: xxx.xxx.xxx.59 which would need to be connected to LAN
    interface 2, which should have DHCP on for a range of 192.168.2.10 to 192.168.2.245
    WAN distributed IP3: xxx.xxx.xxx.60 which would need to be connected to LAN
    interface 3, which should have DHCP on for a range of 192.168.3.10 to 192.168.3.245

    What I've done so far:

    I've configured the WAN interface as follows:

    Static IPv4
    IPv4 address: xxx.xxx.xxx.62
    IPv4 Upstream Gateway: xxx.xxx.xxx.57
    IPv6 none.


    I've configured the LAN interfaces as follows:

    Static IPv4
    IPv4 address: 192.168.1.1*
    IPv4 Upstream Gateway: none

    *for lan2 I've used 192.168.2.1 and for lan3 I've used 192.168.3.1


    Services>DHCP server

    WAN interface: disabled

    LAN interfaces: enabled, only filled in the ranges accordingly (i.e. for lan1
    192.168.1.10>192.168.1.245, for lan2 192.168.2.10>192.168.2.245, for lan3
    192.168.3.10>192.168.3.245).


    Made 3 virtual IPs:

    Type: Proxy ARP
    Interface: WAN
    IP Address(es): Type: Single
                          Address: xxx.xxx.xxx.58

    Type: Proxy ARP
    Interface: WAN
    IP Address(es): Type: Single
                          Address: xxx.xxx.xxx.59

    Type: Proxy ARP
    Interface: WAN
    IP Address(es): Type: Single
                          Address: xxx.xxx.xxx.60


    Last but not least, I configured the Outbound NAT as follows:

    Interface: WAN
    Proto: any
    Source: Type: Network
        Address: 192.168.1.0/24
    Destination: any
    Translation: xxx.xxx.xxx.58

    Interface: WAN
    Proto: any
    Source: Type: Network
        Address: 192.168.2.0/24
    Destination: any
    Translation: xxx.xxx.xxx.59

    Interface: WAN
    Proto: any
    Source: Type: Network
        Address: 192.168.3.0/24
    Destination: any
    Translation: xxx.xxx.xxx.60

    I know I've either done something wrong or I've forgotten about something,
    because what's happening now is that I can ping nearly every address from my
    LAN1 interface (which has the 192.168.1.1 range) but not from the other LAN
    interfaces.

    Example: from LAN1 interface I can ping the following addresses:

    xxx.xxx.xxx.62
    192.168.1.1
    192.168.2.1
    192.168.3.1

    Another thing that is happening is that I can use all three
    gateways on the LAN1 interface to get into the WebConfigurator
    (so instead of just being able to connect via 192.168.1.1, I can
    also connect using 192.168.2.1 and 192.168.3.1).

    Now, when I switch interface however to LAN2 or LAN3, I am
    not able to ping any IP address, not even the "gateway" addresses
    and I can't log into the WebConfigurator.

    Example:

    From the LAN2 interface (with range 192.168.2.10>192.168.2.245)
    I can't ping the following addresses:

    xxx.xxx.xxx.62
    192.168.1.1
    192.168.2.1
    192.168.3.1

    Also, now I can only log into the WebConfigurator via 192.168.2.1, not via 1.1 or
    3.1, which is what I want.

    It seems to me now that it kinda works, but only on the first LAN interface, since that's
    the interface where I can ping every IP. What seems off though is that from that first
    LAN1 interface (192.168.1.1 range) I can use 192.168.1.1, 192.168.2.1 and 192.168.3.1 to
    log into the WebConfigurator, as if all IPs are connected to that interface somehow.

    Can someone please explain what I'm doing wrong here?

    Thanks :)



  • Hi jvandeleur,

    Have you created firewall rules for LAN2 and LAN3 as in LAN1? By default, pfSense creates a pass rule for the 1st LAN interface. For other LANs you have to create them manually. (Just copy the rules from LAN1 and make appropriate changes.) I think this is what you are missing.

    Ashima
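
The checks this thread converges on, as an added example that is not part of any post here and not pfSense's own code: a Python audit over a constructed model of the posted settings. The dictionary layout and the names `audit` and `covers` are hypothetical, and 203.0.113.x stands in for the redacted xxx.xxx.xxx.x addresses.

```python
import ipaddress

# Constructed model of the settings posted in this thread (not pfSense's own
# config format). 203.0.113.x stands in for the redacted xxx.xxx.xxx.x addresses.
CONFIG = {
    "wan_address": "203.0.113.62",
    "virtual_ips": ["203.0.113.58", "203.0.113.59", "203.0.113.60"],
    "lans": {"LAN1": "192.168.1.0/24", "LAN2": "192.168.2.0/24",
             "LAN3": "192.168.3.0/24"},
    # Manual outbound NAT on WAN: (source network, translation address)
    "outbound_nat": [("192.168.1.0/24", "203.0.113.58"),
                     ("192.168.2.0/24", "203.0.113.59"),
                     ("192.168.3.0/24", "203.0.113.60")],
    # Firewall pass rules: (interface, source network). Only LAN1 has one,
    # which is the state described before the fix.
    "pass_rules": [("LAN1", "192.168.1.0/24")],
}


def covers(rule_src, lan_net):
    """True if the rule's source network contains the whole LAN subnet."""
    return lan_net.subnet_of(ipaddress.ip_network(rule_src))


def audit(cfg):
    """Return one finding per problem that stops a LAN leaving via its WAN IP."""
    findings, used = [], {}
    wan_addrs = {cfg["wan_address"], *cfg["virtual_ips"]}
    for name, cidr in cfg["lans"].items():
        net = ipaddress.ip_network(cidr)
        # Interfaces without a pass rule drop all traffic that enters them.
        if not any(i == name and covers(s, net) for i, s in cfg["pass_rules"]):
            findings.append(f"{name}: no pass rule for {cidr}")
        targets = [t for s, t in cfg["outbound_nat"] if covers(s, net)]
        if not targets:
            findings.append(f"{name}: no outbound NAT rule for {cidr}")
            continue
        target = targets[0]  # the first matching NAT rule is the one applied
        if target not in wan_addrs:
            findings.append(f"{name}: NAT target {target} is not configured on WAN")
        elif target in used:
            findings.append(f"{name}: shares {target} with {used[target]}")
        used.setdefault(target, name)
    return findings


if __name__ == "__main__":
    for line in audit(CONFIG):
        print(line)
```

With only the LAN1 pass rule present it reports LAN2 and LAN3 as blocked, the symptom described in the thread. A pass rule copied from LAN1 with destination any also lets each LAN reach the other LAN subnets and the firewall's own addresses, so narrow the destination where the LANs should stay isolated.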



  • The reasons why you need multiple WAN interfaces are not clear to me.
    I can easily understand that you may need multiple public IP addresses, but if all belong to the same subnet, all you need is one unique default gateway.
    If not, then please explain again, because for the time being I'm lost with your design  :-[



  • Hi Ashima,

    Thank you very much for your reply. It now works perfectly! Every LAN interface now has different
    IP ranges and goes through one WAN interface as separate WAN IP addresses!

    Chris4916, I might have explained it the wrong way. I didn't want multiple WAN interfaces. I just wanted one WAN interface with multiple WAN IP addresses going through it for the different LAN interfaces.

    So now I have just one WAN interface with a static IP of xxx.xxx.xxx.62.
    Through this interface I have virtualized 3 WAN IPs: xxx.xxx.xxx.58 for LAN interface 1 (with internal range 192.168.1.0);
    xxx.xxx.xxx.59 for LAN interface 2 (with internal range 192.168.2.0);
    xxx.xxx.xxx.60 for LAN interface 3 (with internal range 192.168.3.0).

    So all LAN interfaces go through one WAN interface, but as separate WAN IPs, which is what I wanted :)

    Do you now understand what I mean? If not, just let me know and I might be able to clarify in another way :)

    In any case, it's working now thanks to multiple inputs from multiple users and forums, for that thank you!

