NAT not routing through the specified "exit" WAN/OPT1/OPT2



  • Hi, what I'm basically trying to accomplish is the following:

    And I have done the following NAT outbound setup to do it:

    But it does not work: no internet traffic gets routed when I use that config, and I have to hit "automatic nat" to get internet access back on any computer on the subnet.

    Can anyone point me to what I am doing wrong? I've read the forums and it seems the NAT outbound rules are fine.

    Any help is greatly appreciated.



  • With these rules you only specify from where to where you want traffic NATed.

    You could create a rule for every subnet you have.
    Then all traffic from the corresponding LAN in the rule to the WAN in the rule will get NATed.

    To specify a certain route for a LAN you have to modify the gateway of the firewall rule.
    Search the forum for "policy routing" to find more info.

    But to be honest I wouldn't do it this way.
    If a WAN fails the corresponding LAN no longer has internet access.

    Why not set up a load-balancing pool?
    Or if you insist on only using one WAN at least use failover pools.

    You use them the same way you use policy routing.
    Specify the pool in the gateway field in the firewall rule.



  • @GruensFroeschli:

    But to be honest I wouldn't do it this way.
    If a WAN fails the corresponding LAN no longer has internet access.

    Why not set up a load-balancing pool?
    Or if you insist on only using one WAN at least use failover pools.

    Actually the idea was just that:

    If subnets 6. and 7. needed internet access they would use the WAN port first, and if that failed they would use the OPT2, and if that failed they would use the OPT1.

    If subnet 5. needed internet access it would use the OPT2 port first, and if that failed it would use the OPT1, and if that failed it would use the WAN.

    If subnet 4. needed internet access it would use the OPT1 port first, and if that failed it would use the OPT2, and if that failed it would use the WAN.

    At least that's what I'm trying to accomplish, but since I've so far failed to achieve this, every time I went back to basics and started from scratch: first try to make the WANs route where they are supposed to, and once I get that working I'll work on having them fail over to something else. Hence why I was asking this simple question first, so I could move on to more and more complicated setups, but only once I got stuff working from the start.

    Let me read up on what you suggest and I'll post here if I can understand it.

    Thanks for the helpful reply.



  • After researching what you just suggested I found someone asking the exact thing I am trying to accomplish; however, it did not say how to do it. I'll keep researching more to find out how to do it, but if you have a more direct idea where to find this info it would be greatly appreciated.

    This is what I basically want to do:

    "The difference between policy-based routing and multi-WAN is not that big. You even can use both simultaneously (send some special traffic out WAN, other special traffic out WAN2 and use load balancing for everything else, for example). The main difference is that you use one of the interface gateways as gateway for your firewall rules or a pool of gateways as gateway."

    Route special traffic (ports) on certain interfaces and load balance the rest.



  • I think I get it now: where you want traffic routed is not done in the NAT Outbound configuration page, it is done in the firewall configuration page. I think I see it now, it makes more sense that way. Basically I should leave all traffic on auto on the NAT outbound and modify the firewall rules to tell it on what gateway I want what traffic routed (and also thus what traffic from what subnets). I'll run some tests now to test this out.



  • Well, that worked… I put the firewall rule to NOT route through the default system routing tables and to use the specified outbound load balance pool, and dead right on it routed through the proper pool IP.

    This however brings me to another question (I'll still research this anyway, but any help saving me from having to do like 100 tests is greatly appreciated lol).

    When I select the "gateway" I can only select the WAN/OPT1/OPT2 gateways and the load balance pool. The first three are self-explanatory, although if the link fails I will have no failover, BUT if I use the pool as gateway how do I specify which gateway from that pool it should use first, then should that fail what to use next as backup, etc.?

    What I'm guessing is I would need to create 2 or 3 different load balance pools each with a different "order" and just assign the load balance order to that traffic policy,

    like say I create pool1, pool2, pool3:

    pool1 has the following config: OPT1 first, OPT2 second, WAN third
    pool2 has the following config: OPT2 first, OPT1 second, WAN third
    pool3 has the following config: WAN first, OPT1 second, OPT2 third

    So basically I would have to assign pool1 as gateway to the .4 subnet, pool2 as gateway to the .5 subnet and pool3 as gateway to the .6 and .7 subnets.

    Is this correct?

    I'll test this right now, but reassurance that I might be correct would be a blessing lol.

    Thanks again



  • @Xionicfire:

    So basically I would have to assign pool1 as gateway to the .4 subnet, pool2 as gateway to the .5 subnet and pool3 as gateway to the .6 and .7 subnets.

    Is this correct?

    Yes.

    Also read the note:

    Load Balancing: both active. Failover order: top -> down.
    NOTE: Failover mode only applies to outgoing rules (multi-wan).
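    As an added illustration (not pfSense's own code, and not from this thread), here is a small Python model of the pool1/pool2/pool3 assignment proposed above and of the two pool modes in the note: failover walks the list top -> down and takes the first live gateway, while load balancing round-robins new connections over every live gateway, which is why a load-balancing pool cannot express "use this first". The per-subnet labels and the gateway-up status map are constructed inputs.

```python
"""Model of how a pfSense gateway pool picks an outbound gateway.

Added illustration, not pfSense code: it only models the two pool modes
named in the GUI note the thread quotes:
  Load Balancing: all live gateways active, new connections round-robin.
  Failover: top -> down, first live gateway in the configured order.
"""
from itertools import cycle

# Pools as proposed in the thread; list order is the failover order.
POOLS = {
    "pool1": ["OPT1", "OPT2", "WAN"],
    "pool2": ["OPT2", "OPT1", "WAN"],
    "pool3": ["WAN", "OPT1", "OPT2"],
}

# Subnet -> pool assignment from the thread (subnets named by their third octet).
SUBNET_POOL = {".4": "pool1", ".5": "pool2", ".6": "pool3", ".7": "pool3"}


def live_gateways(pool_name, link_up):
    """Gateways of the pool currently reported as up, kept in pool order."""
    return [gw for gw in POOLS[pool_name] if link_up.get(gw, False)]


def failover_gateway(subnet, link_up):
    """Failover mode: first live gateway top -> down, or None if all are down."""
    live = live_gateways(SUBNET_POOL[subnet], link_up)
    return live[0] if live else None


def load_balanced_gateways(subnet, link_up, connections):
    """Load-balancing mode: each new connection takes the next live gateway."""
    live = live_gateways(SUBNET_POOL[subnet], link_up)
    if not live:
        return []
    picker = cycle(live)
    return [next(picker) for _ in range(connections)]


if __name__ == "__main__":
    # Constructed link status: all three uplinks up, then OPT1 goes down.
    status = {"WAN": True, "OPT1": True, "OPT2": True}
    for subnet in SUBNET_POOL:
        print(subnet, "failover ->", failover_gateway(subnet, status))
    status["OPT1"] = False
    print(".4 with OPT1 down ->", failover_gateway(".4", status))
    print(".4 load balanced ->", load_balanced_gateways(".4", status, 4))
```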



  • Yes, I was about to post that the system was working fine now but it had started round-robining the connections and how could I stop that; then I remembered that if it's set on load balancing it will round robin, so to just use it as "use this first, then this, then this" (failover) I had to set it on failover. Sounds simple, but I could not see it. I just finished creating the rules and I'm about to test them now. I'll post here images of what the rules ended up being.



  • Tests complete, it's working like a charm. It's kinda weird that the incoming have to be using port forwarding but the outgoing have to use firewall/pool routings; I mean I'm all for whatever works lol but it's complicated as heck… I wish on the NAT outbound it would have said something like:

    NOTE: if you want to forward traffic down a specific interface use firewall policies and not NAT Outbound, search "Policy routing" on the forums.

    It would have been a lot easier :P but hell, it's working, and not only is it just working, it's working better than what I expected it to be working and has WAY more features than I expected to get. I'm not going to complain! lol more complex... but more features.

    Let's hope someone else stumbles across this article and finds it as useful as I have.

    Rules ended up like this:

    Rules

    Pools



  • Bah! I think I chanted victory too soon…

    Well, HTTP works fine.. HOWEVER FTP does not... it doesn't even connect at all to hosts.

    If I set up the gateway on the firewall rules to anything other than DEFAULT, FTP stops working,

    but if I set the gateway as default then my entire policy routes get ignored.

    Sigh.. any ideas what I should do now?



  • You might be interested in this thread:
    http://forum.pfsense.org/index.php/topic,7001.0.html

    FTP is a whole different story.
    This thread will probably help you, since it covers almost all problems you'll encounter with FTP.
    http://forum.pfsense.org/index.php/topic,7096.0.html



  • "FTP works fine. The only known limitation is not being able to use anything but the primary WAN if you have a multi-WAN setup. That'll be fixed in a future version. "

    Argh…... well... that sucks.... because the only interface that also allows PPPoE is the WAN, which also happens to be the crappiest of all links (the 512kb one). I'd love to set the crappy link as OPT2 but I can't....

    Any way to just define any other interface as primary other than WAN? (I understand FTP load balancing not working, makes sense, but maybe just hardwire it to a single interface perhaps?)



  • OK, I read the posts and I sort of understand how this pertains to me, but I still have no idea how to apply that particular case scenario to this case scenario (I admit it's probably out of inexperience). I know what needs to be done, I just have no idea how to do it (the interface is a little too complex to be user friendly in some parts).



  • OK, I found out about the

    TCP  LAN-net  * 127.0.0.1/31 * *

    rule, however I have no idea where they want me to put this in (I'm assuming it's the LAN policies?), and why would I need to put this in when I have something that in THEORY also encompasses 127.0.0/31:

    *  LAN net  *  *  *  *



  • OK, this is what I did, I'll test it now and see if it's working:

    Helper is ENABLED on the LAN interface and DISABLED on all 3 WANs

