    NAT not routing through the specified "exit" WAN/OPT1/OPT2

Routing and Multi WAN
15 Posts, 2 Posters, 4.9k Views
Xionicfire

Hi, what I'm basically trying to accomplish is the following:

And I have done the following NAT outbound setup to do it:

But it does not work: no internet traffic gets routed when I use that config, and I have to hit "automatic NAT" to get internet access back on any computer on the subnet.

Can anyone point me to what I am doing wrong? I've read the forums and it seems the NAT outbound rules are fine.

Any help is greatly appreciated.

GruensFroeschli

With these rules you only specify from where to where you want traffic NATed.

You could create a rule for every subnet you have.
Then all traffic from the corresponding LAN in the rule to the WAN in the rule will get NATed.

To specify a certain route for a LAN you have to modify the gateway of the firewall rule.
Search the forum for "policy routing" to find more info.

But to be honest I wouldn't do it this way.
If a WAN fails, the corresponding LAN no longer has internet access.

Why not set up a load-balancing pool?
Or if you insist on only using one WAN, at least use failover pools.

You use them the same way you use policy routing.
Specify the pool in the gateway field in the firewall rule.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

Xionicfire

@GruensFroeschli:

But to be honest I wouldn't do it this way.
If a WAN fails, the corresponding LAN no longer has internet access.

Why not set up a load-balancing pool?
Or if you insist on only using one WAN, at least use failover pools.

Actually the idea was just that:

If subnets .6 and .7 needed internet access, they would use the WAN port first; if that failed they would use OPT2, and if that failed they would use OPT1.

If subnet .5 needed internet access, it would use the OPT2 port first; if that failed it would use OPT1, and if that failed it would use the WAN.

If subnet .4 needed internet access, it would use the OPT1 port first; if that failed it would use OPT2, and if that failed it would use the WAN.

At least that's what I'm trying to accomplish. Since I've so far failed to achieve this, every time I went back to basics and started from scratch: first try to make the WANs route where they are supposed to, and once I get that working I'll work on having them fail over to something else. That's why I was asking this simple question first, so I could move on to more and more complicated setups, but only once I got stuff working from the start.

Let me read up on what you suggest and I'll post here if I can understand it.

Thanks for the helpful reply.

Xionicfire

After researching what you just suggested, I found someone asking the exact thing I am trying to accomplish; however, it did not say how to do it. I'll keep researching to find out how to do it, but if you have a more direct idea where to find this info it would be greatly appreciated.

This is what I basically want to do:

"The difference between policy-based routing and multi-WAN is not that big. You can even use both simultaneously (send some special traffic out WAN, other special traffic out WAN2 and use load balancing for everything else, for example). The main difference is that you use one of the interface gateways as gateway for your firewall rules, or a pool of gateways as gateway."

Route special traffic (ports) on certain interfaces and load balance the rest.

Xionicfire

I think I get it now: where you want traffic routed is not done in the NAT Outbound configuration page, it is done in the firewall configuration page. I think I see it now; it makes more sense that way. Basically I should leave all traffic on auto in NAT Outbound and modify the firewall rules to tell it on what gateway I want what traffic routed (and thus also what traffic from what subnets). I'll run some tests now to test this out.

Xionicfire

Well, that worked… I set the firewall rule to NOT route through the default system routing tables and to use the specified outbound load-balance pool, and right on cue it routed through the proper pool IP.

This however brings me to another question (I'll still research this anyway, but any help saving me from having to do like 100 tests is greatly appreciated, lol).

When I select the "gateway" I can only select the WAN/OPT1/OPT2 gateways and the load-balance pool. The first three are self-explanatory, although if the link fails I will have no failover. BUT if I use the pool as gateway, how do I specify which gateway from that pool it should use first, and then, should that fail, what to use next as backup, etc.?

What I'm guessing is I would need to create 2 or 3 different load-balance pools, each with a different "order", and just assign the load-balance order to that traffic policy.

Like, say I create pool1, pool2, pool3:

pool1 has the following config: OPT1 first, OPT2 second, WAN third
pool2 has the following config: OPT2 first, OPT1 second, WAN third
pool3 has the following config: WAN first, OPT1 second, OPT2 third

So basically I would have to assign pool1 as gateway to the .4 subnet, pool2 as gateway to the .5 subnet, and pool3 as gateway to the .6 and .7 subnets.

Is this correct?

I'll test this right now, but reassurance that I might be correct would be a blessing, lol.

Thanks again

GruensFroeschli

@Xionicfire:

So basically I would have to assign pool1 as gateway to the .4 subnet, pool2 as gateway to the .5 subnet, and pool3 as gateway to the .6 and .7 subnets.

Is this correct?

Yes.

Also read the note:

Load Balancing: both active. Failover order: top -> down.
NOTE: Failover mode only applies to outgoing rules (multi-wan).


Xionicfire

Yes, I was about to post that the system was working fine now, but it had started round-robining the connections, and how could I stop that? Then I remembered that if it's set on load balancing it will round-robin, so to just use it as "use this first, then this, then this" (failover) I had to set it on failover. Sounds simple, but I could not see it. I just finished creating the rules and I'm about to test them now. I'll post images here of what the rules ended up being.

Xionicfire

Tests complete, it's working like a charm. It's kind of weird that incoming has to use port forwarding but outgoing has to use firewall/pool routing; I mean, I'm all for whatever works, lol, but it's complicated as heck… I wish the NAT Outbound page would have said something like:

NOTE: if you want to forward traffic down a specific interface use firewall policies and not NAT Outbound, search "Policy routing" on the forums.

It would have been a lot easier :P but hell, it's working, and not only is it just working, it's working better than I expected it to and has WAY more features than I expected to get. I'm not going to complain! lol, more complex... but more features.

Let's hope someone else stumbles across this article and finds it as useful as I have.

Rules ended up like this:

                      Rules

                      Pools

Xionicfire

Bah! I think I chanted victory too soon….

Well, HTTP works fine... HOWEVER FTP does not... it doesn't even connect at all to hosts.

If I set up the gateway on the firewall rules to anything other than DEFAULT, FTP stops working,

but if I set the gateway as default then my entire policy routes get ignored.

Sigh... any ideas what I should do now?

GruensFroeschli

You might be interested in this thread:
http://forum.pfsense.org/index.php/topic,7001.0.html

FTP is a whole different story.
This thread will probably help you, since it covers almost all problems you'll encounter with FTP:
http://forum.pfsense.org/index.php/topic,7096.0.html


Xionicfire

"FTP works fine. The only known limitation is not being able to use anything but the primary WAN if you have a multi-WAN setup. That'll be fixed in a future version."

Argh…... well... that sucks.... because the only interface that also allows PPPoE is the WAN, which also happens to be the crappiest of all links (the 512kb one). I'd love to set the crappy link as OPT2 but I can't....

Any way to just define any other interface as primary other than WAN? (I understand FTP load balancing not working, makes sense, but maybe just hardwire it to a single interface, perhaps?)

Xionicfire

OK, I read the posts and I sort of understand how this pertains to me, but I still have no idea how to apply that particular case scenario to this case scenario (I admit it's probably out of inexperience). I know what needs to be done, I just have no idea how to do it (the interface is a little too complex to be user-friendly in some parts).

Xionicfire

OK, I found out about the

TCP  LAN-net  * 127.0.0.1/31 * *

rule; however, I have no idea where they want me to put this in (I'm assuming it's the LAN policies?) and why I would need to put this in when I have something that in THEORY also encompasses 127.0.0.1/31:

*  LAN net  *  *  *  *

Xionicfire
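The two mechanisms this thread works out, a per-subnet firewall rule whose gateway is an ordered pool (failover walks the pool top to bottom, load balancing rotates among live members) and the TCP rule for 127.0.0.1/31 that has to sit above the policy-routing rule, modelled as an added Python example. This is not pfSense code or anything posted in the thread; it only reproduces first-match rule evaluation, which is how pfSense applies its rule list. The subnet addresses 192.168.4.0/24 to 192.168.7.0/24, the 192.168.0.0/16 source range on the helper rule, and the "default" keyword are constructed, since the posts only name the subnets as .4 to .7, and the placement of the helper rule above the policy rules reflects this model's assumption about why that rule is needed (the FTP helper hands control traffic to a proxy on 127.0.0.1, which must not be sent out a WAN gateway).

```python
# Added model, not pfSense code: first-match firewall rules whose gateway is
# an interface gateway, a gateway pool, or the default route, and how a
# failover pool (top -> down) differs from a load-balancing pool (round robin).
# Subnet addresses 192.168.4.0/24 ... 192.168.7.0/24 and the helper rule's
# LAN range are constructed; the thread only names the subnets as .4 to .7.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Pool:
    """Ordered gateway list, like a pfSense gateway pool."""
    name: str
    gateways: list            # order matters: failover walks top -> down
    mode: str = "failover"    # "failover" or "loadbalance"
    _turn: int = field(default=0, repr=False)

    def pick(self, up: set) -> Optional[str]:
        """Return the gateway this pool would use, given which gateways are up."""
        alive = [g for g in self.gateways if g in up]
        if not alive:
            return None                      # every member down: no exit
        if self.mode == "failover":
            return alive[0]                  # first live member in list order
        choice = alive[self._turn % len(alive)]   # round robin over live members
        self._turn += 1
        return choice


@dataclass
class Rule:
    """One firewall rule: source net, destination net, protocol and gateway field."""
    src: str
    dst: str
    proto: str = "*"
    gateway: str = "default"  # "default" (system routing table), a gateway name, or a pool name

    def matches(self, src_ip: str, dst_ip: str, proto: str) -> bool:
        return (self.proto in ("*", proto)
                and ip_address(src_ip) in ip_network(self.src, strict=False)
                and ip_address(dst_ip) in ip_network(self.dst, strict=False))


def route_flow(rules, pools, up, src_ip, dst_ip, proto="TCP"):
    """First matching rule wins (pfSense evaluates rules top-down, first match).
    Returns the exit: "default", a gateway name, or None if blocked / all down."""
    for rule in rules:
        if not rule.matches(src_ip, dst_ip, proto):
            continue
        if rule.gateway == "default":
            return "default"
        if rule.gateway in pools:
            return pools[rule.gateway].pick(up)
        return rule.gateway      # plain interface gateway: no failover if it is down
    return None                  # no rule matched: the flow is blocked


# Constructed configuration mirroring the thread: three failover pools with
# different orders, one per-subnet rule, and the FTP helper rule on top.
POOLS = {
    "pool1": Pool("pool1", ["OPT1", "OPT2", "WAN"]),
    "pool2": Pool("pool2", ["OPT2", "OPT1", "WAN"]),
    "pool3": Pool("pool3", ["WAN", "OPT1", "OPT2"]),
}
RULES = [
    # Helper rule must sit above the policy rules (assumption of this model):
    # FTP control traffic handed to the local proxy on 127.0.0.1 would
    # otherwise be pushed out a WAN gateway by the catch-all rule below.
    Rule("192.168.0.0/16", "127.0.0.1/31", proto="TCP", gateway="default"),
    Rule("192.168.4.0/24", "0.0.0.0/0", gateway="pool1"),
    Rule("192.168.5.0/24", "0.0.0.0/0", gateway="pool2"),
    Rule("192.168.6.0/24", "0.0.0.0/0", gateway="pool3"),
    Rule("192.168.7.0/24", "0.0.0.0/0", gateway="pool3"),
]


def exit_for(src_ip: str, dst_ip: str, up, proto: str = "TCP") -> Optional[str]:
    """Where a flow from src_ip to dst_ip leaves, given which gateways are up."""
    return route_flow(RULES, POOLS, set(up), src_ip, dst_ip, proto)


if __name__ == "__main__":
    all_up = {"WAN", "OPT1", "OPT2"}
    print(exit_for("192.168.4.10", "203.0.113.5", all_up))              # OPT1
    print(exit_for("192.168.4.10", "203.0.113.5", all_up - {"OPT1"}))   # OPT2
    print(exit_for("192.168.4.10", "127.0.0.1", all_up))                # default
```

Swapping the helper rule below the pool rules in RULES makes the 127.0.0.1 flow from the .4 subnet come back as OPT1 instead of "default", which is the ordering mistake the catch-all "* LAN net * * * *" rule invites; changing a pool's mode to "loadbalance" shows the round-robin the thread ran into before switching the pools to failover.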

OK, this is what I did; I'll test it now and see if it's working.

Helper is ENABLED on the LAN interface and DISABLED on all 3 WANs.

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.