Help with 2 WAN and 1 LAN…



  • I need help configuring 2 WAN and 1 LAN on pfSense 2.2.6. I know it has to be easy, but the more I read the more questions I have and the more confused I get.

    I have 2 WAN entering on 1 NIC and 1 LAN. Accessing the IPs from either LAN outside the network is fine. But inside the network (LAN), the 2 different sets of IPs can't talk to each other. You'd think it would be the other way around. I don't require load balancing or anything, just to access all IPs inside and outside the network.

    Below is similar to what I currently have.
    –-------------
    IPs: 205.123.72.64 - 127
    Subnet mask: 255.255.255.192‎
    Gateway: 205.123.72.65

    IPs: 63.99.216.192 - 254
    Subnet mask: 255.255.255.192
    Gateway: 63.99.216.193

    Below is what I have now.

    Firewall: NAT: 1:1 is set for each IP.

    Any help would be appreciated.

    Thanks!



  • Ok, step by step.
    1.- Two WAN on 1 NIC, How is this done? Are you using a switch?, a NIC with two FastEthernet/GigabitEthernet interfaces? Some weird cable?  ???
    2.- What is your ultimate goal? Being able to access the internet (lan to wan)? Being able to see or manage your PC's from outside the lan (Wan to lan)?, use your pfsense like a vpn tunnel for annonnymous web browsing (wan to wan)? All of them?

    Yo have give us valuable info, but is hard to help (at leat for me) if I don't know the purpose you are trying to achieve. Try to be alittle more explicit please (with your problem, and with your purpose).

    Greetings.  :D



  • I can be dense at times.

    I have a very small hosting company and just added the 2nd set of IPs. Inside the network I have 8 servers which have websites. Since I added the 63.xx.xxx.xxx IPs, they work fine for access the internet, etc. But if I'm inside the network, the 63.xx.xxx.xxx IPs can't communicate with the 205.xxx.xx.xx IPs. In other words, I can't SSH or FTP from one set to the other set. It's as if they are blocked. The sites which use the 63.xx.xxx.xxx IPs can send email outside to the web, but NOT to anyone inside the network.

    Both sets of IPs come in on 1 NIC and then are routed from pfSense to a switch, which goes from there to the servers.

    Sorry, I know enough to get myself in to trouble. I tried making some changes yesterday from home and the entire network went down. I can't afford to have people get mad due to not being up, so I don't want to do a lot of testing unless I have a good idea as to what to do.

    Thanks!  :D



  • So, you can communicate with internet with both sets of IP's, ok they are working right (if not, its problem of your ISP)
    So, from pfsense (and the servers on your LAN), you can reach internet with both sets of addesses?. I assume you are using a NIC with at least 2 physical interfaces, the 205.x.x.x set in one interface, and the 63.x.x.x set in the other. If you dont know, do a ping test in "Diagnostics -> Ping" and, in source address, select the interface you want to test (205 first, then 63). Don't let in on "default", the result is useless in the troubleshooting process. If both interfaces performs a ping correctly, then the interfaces are well configurated. if not, you have there you issue.

    Do this test for now.

    Good luck!



  • Hey Chldgear,

    I appreciate your help.

    Oh yes, I can communicate with both sets of IPs. Some websites are running on them now.

    As for your 2nd question, that depends. If I'm inside the network, I can communicate with any 63.x.x.x IP as long as it's from another 63.x.x.x. If I try using a 205.x.x.x IP to communicate with a 63.x.x.x, then there are problems. I may or may not connect. If I do connect, it's as if you're dragging a semi truck through sand on a rainy day with your hands. :-)

    Lastly, both the 63.x.x.x and 205.x.x.x IPs access the pfSense box through the exact same physical interface (ethernet cord). Does that make sense?

    Thanks!



  • So it's not 2 WANs, it's one with two IP subnets. Sounds like you probably need NAT reflection enabled, if we're talking about strictly looping traffic back in through those 1:1 NATs.



  • Thanks, I'll do some research on how to set it up. Like I said, I'm a dummy.

    I really appreciate the help all you guys have given me!

    Thanks!



  • Okay, now for more dumb questions…

    I read everything at https://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks - but still have a few questions.

    Do I try "NAT + Proxy" or "Pure NAT"? They both talk about the forwarding of ports, but I'm not sure how that would apply to me.

    Are there any configurations I need to be aware of before doing this? Like I said, I can't afford to be down. It's about 40 miles and $15 in tolls to the data center, so I'd like to see if I can get this right the first time and not be down. I'm hoping to go tomorrow evening, it's a good time as no one is looking at their websites at that time.

    Again, thank you for all the help.



  • You'll want pure NAT mode. And to enable the option to automatically add outbound NAT rules.



  • Thank you!

    I'm going to the data center tomorrow, I'll report back if it worked or not.

    I love pfSense, it's the best!



  • Hey CMB,

    I was told to give you this extra information as they thought I may be using manual NAT. If this is they case, I was told to ask if by looking at the screen cap below if it would be better to use Hybird NAT.

    Thanks!



  • Load balancing & fail over
    Some impressions to get it working together with load balancing and a fail over scenario.



  • Thank you for your input. But I'm not looking for load balancing or fail over. I need to get the IPs from 2 different WANS to talk to each other in the LAN!



  • Hey all!

    Well, I did what CMB suggested, switching to pure NAT mode and enabling the option to automatically add outbound NAT rules. Unfortunately, it didn't change anything. Inside the network I still can not make the 2 WAN talk to each other via SSH, FTP, or anything else. If they do connect, it's only for 10 seconds and then everything bottoms out.

    I have the NAT Outbound set to Manual Outbound NAT. It was suggested to try Hybrid Outbound NAT, which I also tried. Still the same result.

    Any more suggestions?

    Thanks!



  • Where you're using policy routing on your LAN rules, you need to negate those for the relevant destinations otherwise you're forcing that traffic to the gateway specified in the rule, so it won't hit reflection. What do your LAN rules look like currently?



  • CMB, thanks for getting back to me. Please excuse my ignorance, this is like trying learn Latin.

    When you refer to LAN rules, are you referring to the LAN Interface?

    Thank you very much.


Log in to reply