NAT Config for Redundancy and to Force traffic to one WAN Interface



  • I am at a loss on how to confirm this.

    I have an existing pfsense router for my office, connected to Comcast and it goes down frequently, so I want to add a Verizon Wireless LTE "aircard" cellular data as a secondary WAN connection for failover.

    At the same time, I need to be able to force certain outbound traffic to that Verizon card so I can monitor some remote devices we have on Verizon aircards.  They are in the 166.160.x.x, 166.240.x.x and 166.245.x.x ranges.

    Here is a picture of the general configuration: https://www.dropbox.com/s/uv0r0z5z1sbna0r/Office%20Routing%20Diagram.png?dl=0

    I only have 3 interfaces:
    https://www.dropbox.com/s/ieicx30qn0l3g07/Interfaces%20Assigned%20Network%20Ports.png?dl=0

    I can ping the wireless router (192.168.0.1) connected to the new ethernet (USB Adapter) (ue0) from the pfSense->Diagnostics->Ping interface, but not from the LAN.  If I connect to it directly, I can reach the external devices without issue.  The IP address on the USB adapter is 192.168.0.10.

    I have added an interface group for the WAN (em0) and USBVZN_ WWAN (ue0) connections.
    https://www.dropbox.com/s/d8jq3bq6l0h0jgb/Interface%20Groups.png?dl=0

    I have this as my current outbound firewall rules, but it is not working:
    https://www.dropbox.com/s/sx9z13pkzuedcbh/Firewall%20-%20Outbound%20Rules.png?dl=0

    Can someone point out what I am doing wrong?

    Thanks for the help.

    Padapa



  • I don't see any reason to be using manual outbound NAT there, easiest to change it back to automatic.

    If you're going to stay on manual, destination must be "any" not specific networks on the WWAN rules.



  • Thanks for responding.  I do have one question:

    Can I use automatic and still force traffic destined for certain address ranges out of a specific WAN interface?

    At the same time, I need to be able to force certain outbound traffic to that Verizon card so I can monitor some remote devices we have on Verizon aircards.  They are in the 166.160.x.x, 166.240.x.x and 166.245.x.x ranges.

    This requirement is from Verizon's data service rules of operation.

    Padapa



  • NAT has no impact on where traffic goes, firewall rules and the system routing table determine that. NAT only specifies how traffic going via that interface is translated.
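The point in the reply above, modelled as an added example (this is not pfSense code and not from anyone in the thread): the egress interface is chosen first, by a policy-routing firewall rule (a LAN rule with the Gateway field set, pf `route-to`) or else by the routing table's default route; outbound NAT is then applied only to the rules of that interface and only rewrites the source address. The LAN subnet (192.168.1.0/24) and the Comcast WAN address (203.0.113.10) are assumptions, since the thread gives neither; the Verizon ranges and the ue0 address come from the thread.

```python
"""Model of how pf on pfSense picks an egress interface and applies source NAT.

Added illustration, not pfSense's code. Policy routing and the routing
table choose the interface; outbound NAT never steers traffic, it only
rewrites the source of packets already leaving the chosen interface.
"""
from ipaddress import IPv4Address, IPv4Network

# Constructed topology. The LAN subnet is an assumption and the em0 address
# is a documentation placeholder; ue0's address is from the thread.
LAN_NET = IPv4Network("192.168.1.0/24")
IFACE_ADDR = {
    "em0": IPv4Address("203.0.113.10"),  # WAN (Comcast), placeholder address
    "ue0": IPv4Address("192.168.0.10"),  # WWAN (Verizon USB adapter)
}
# Destination ranges that must leave via the Verizon card (from the thread).
VERIZON_NETS = [IPv4Network(n) for n in ("166.160.0.0/16", "166.240.0.0/16", "166.245.0.0/16")]
ANY = IPv4Network("0.0.0.0/0")


def policy_route(src, dst, policy_rules):
    """Policy rules: (source net, destination net, egress interface).
    In the GUI this is a LAN pass rule with a Gateway set; first match wins."""
    for src_net, dst_net, iface in policy_rules:
        if src in src_net and dst in dst_net:
            return iface
    return None


def egress_interface(src, dst, policy_rules, default_iface):
    """A matching policy rule wins; otherwise the routing table's default route
    (default_iface, which a gateway group moves on failover)."""
    return policy_route(src, dst, policy_rules) or default_iface


def outbound_nat(iface, src, dst, nat_rules):
    """NAT rules: (interface, source net, destination net, translate-to).
    Only rules on the chosen egress interface are consulted; with no match
    the packet leaves with its original (private) source address."""
    for rule_iface, src_net, dst_net, new_src in nat_rules:
        if rule_iface == iface and src in src_net and dst in dst_net:
            return new_src
    return src


def send(src, dst, policy_rules, nat_rules, default_iface="em0"):
    """Returns (egress interface, source address on the wire)."""
    src, dst = IPv4Address(src), IPv4Address(dst)
    iface = egress_interface(src, dst, policy_rules, default_iface)
    return iface, str(outbound_nat(iface, src, dst, nat_rules))


# Scenario A (the original post): manual outbound NAT whose ue0 rules are
# limited to the Verizon destinations, and no firewall rule selecting the
# ue0 gateway.
MANUAL_NAT_LIMITED = [("em0", LAN_NET, ANY, IFACE_ADDR["em0"])] + [
    ("ue0", LAN_NET, net, IFACE_ADDR["ue0"]) for net in VERIZON_NETS
]
# Scenario B (the reply): automatic outbound NAT, i.e. every WAN translates
# LAN to any destination, plus a LAN rule steering the Verizon ranges to ue0.
AUTO_NAT = [(iface, LAN_NET, ANY, addr) for iface, addr in IFACE_ADDR.items()]
POLICY_TO_VERIZON = [(LAN_NET, net, "ue0") for net in VERIZON_NETS]


def original_config(dst):
    # The NAT rule for ue0 would match, but is never reached: nothing routes
    # the packet to ue0, so it leaves via the default route on em0.
    return send("192.168.1.50", dst, [], MANUAL_NAT_LIMITED)


def fixed_config(dst, default_iface="em0"):
    return send("192.168.1.50", dst, POLICY_TO_VERIZON, AUTO_NAT, default_iface)


def failover_with_limited_nat(dst):
    # Comcast is down and the default route has moved to ue0, but the ue0 NAT
    # rules only cover the Verizon ranges: everything else leaves untranslated.
    return send("192.168.1.50", dst, [], MANUAL_NAT_LIMITED, default_iface="ue0")


if __name__ == "__main__":
    print(original_config("166.160.1.1"))        # ('em0', '203.0.113.10')
    print(fixed_config("166.160.1.1"))           # ('ue0', '192.168.0.10')
    print(fixed_config("8.8.8.8", "ue0"))        # ('ue0', '192.168.0.10')
    print(failover_with_limited_nat("8.8.8.8"))  # ('ue0', '192.168.1.50')
```

The last case is why the reply insists on destination "any" for the WWAN NAT rules: once the gateway group fails over to ue0, any traffic the ue0 NAT rules do not cover leaves with the private LAN source and is dropped upstream. The model ignores rule ordering subtleties and reply-to state, which the real pf ruleset also has.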

