Inbound NAT on second connection - 2 WAN Gateways (Single WAN/Eth Port) + 1 LAN



  • Hi There,

    I've been troubleshooting inbound NAT on a new pfSense (2.2.6) setup (it's the first time I've attempted inbound NAT from multiple connections) and although I've found some similar posts, I'm struggling to get both connections to allow access to the LAN server. I can get one or the other to work, but not both... hopefully there's someone here who can help!?!

    
    primaryIP   +-------+     10.10.1.1
         +----> | adsl1 +------+
                +-------+      |
                               |
     secondIP   +-------+      |
         +----> | adsl2 +------+ 10.10.2.1
                +-------+      |
                               | 10.10.1.2/vip10.10.2.2
                        +------+------+
                        | pfsense|NAT |
                        +-------------+
                               |192.168.1.0/24
                               |
                               |  +------------+
                               +--+ ssh Server |(192.168.1.10)
                                  +------------+
    
    

    WAN network:
    we have two upstream ADSL routers accessible via a single ethernet WAN port on pfsense:
      - primary is on 10.10.1.1 (/24) and
      - secondary is on 10.10.2.1 (/24)
      - both routers are connected to the same switch that the pfsense WAN port is connected to.

    The upstream routers each have public IPs and we port forward into the LAN from the ADSL modem.
    (in the first instance I'm testing SSH inbound on port 22.)

    I want to configure pfsense to allow SSH access to the LAN server 192.168.1.10 on both ADSL public IPs

    I'm having trouble getting inbound NAT to work on the secondary connection. But it works fine on the primary.

    After running some packet traces, I've pinpointed that if I try and connect to the secondary public IP, the return path of the SYN,ACK for connecting has ip.src=10.10.2.2 (WAN2VIP) as I expect, but that ethernet frame is being sent to the primary ADSL router MAC rather than the secondary router MAC.

    Current Config:
      - Basic WAN/LAN configuration - static WAN IP is 10.10.1.2 (gw_wan 10.10.1.1)
      - LAN is 192.168.1.0/24
      - Firewall->NAT inbound port 22  to 192.168.1.10 (create new assoc. filter)

      - Firewall->Virtual IP - 10.10.2.2/32 (other posts seem to recommend /32 - I've also tried /24)
      - Routing->Gateway WAN2 - 10.10.2.1
      - Firewall->NAT inbound port 22  to 192.168.1.10 (create new assoc. filter)
        (I've tried setting gateway on the filter rule to WAN2(10.10.2.1))

    I expected the inbound NAT rule to track that the connection came from the secondary ADSL MAC, and that return traffic for that connection would be sent back via the same Layer 2 path... is it possible to do this? What have I missed?

    Is there a way to get the reply to the inbound connection to be sent to the correct secondary router's MAC address?

    Happy to share all the other config settings if the above is not clear! (am trying to avoid a massive post). - I've confirmed that reply-to is not disabled, and don't have any interface grouping set up, pfsense SSH is enabled, but running on an alternative port.

    Any suggestions? I really need some help to resolve this!
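    The behaviour described above (SYN,ACK from 10.10.2.2 leaving towards the primary router's MAC) is what pf does when the state for the connection carries no reply-to next hop of its own: the reply follows the interface's default gateway. The fragment below is an added example, not from this thread and not pfSense's generated ruleset; it is a hand-written pf.conf fragment for the pf that underlies pfSense, showing how the return path for each public IP can be pinned to its own router. It assumes the single WAN NIC is em0 (a hypothetical name), that 10.10.2.2 is an alias on em0, and that the kernel can ARP for 10.10.2.1 on em0 (a /24 alias gives it a connected route; with a /32 alias a host route such as `route add -host 10.10.2.1 -iface em0` is needed).

```pf
# Added example (hypothetical interface name em0; addresses taken from the thread).
# This is a pf.conf fragment for FreeBSD pf, not something pfSense's GUI emits.

ext_if  = "em0"
wan1_ip = "10.10.1.2"
wan1_gw = "10.10.1.1"
wan2_ip = "10.10.2.2"
wan2_gw = "10.10.2.1"
ssh_srv = "192.168.1.10"

# Translation runs before filtering in this pf syntax, so after rdr both flows
# look identical to the filter rules (dst 192.168.1.10:22). Tag each rdr so the
# pass rule can tell which public IP the SYN originally arrived on.
rdr on $ext_if proto tcp from any to $wan1_ip port 22 tag WAN1_SSH -> $ssh_srv port 22
rdr on $ext_if proto tcp from any to $wan2_ip port 22 tag WAN2_SSH -> $ssh_srv port 22

# reply-to stores the next hop in the state entry: every packet of the reverse
# direction is handed to that gateway on that interface, so the SYN,ACK's
# ethernet frame is addressed to 10.10.2.1's MAC rather than the default
# gateway's. (A "gateway" on a pfSense filter rule generates route-to, which
# steers the forward direction only, which is why setting it did not help.)
pass in quick on $ext_if reply-to ($ext_if $wan1_gw) proto tcp \
    from any to $ssh_srv port 22 tagged WAN1_SSH flags S/SA keep state
pass in quick on $ext_if reply-to ($ext_if $wan2_gw) proto tcp \
    from any to $ssh_srv port 22 tagged WAN2_SSH flags S/SA keep state

# Checks after loading:
#   pfctl -sr | grep reply-to        # both pass rules present with their next hops
#   tcpdump -eni em0 'tcp port 22 and tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)'
#                                    # the SYN,ACK's destination MAC should now be
#                                    # the secondary router's when testing 10.10.2.2
```

    Note that pfSense regenerates its ruleset (/tmp/rules.debug) on every filter reload, so loading this by hand is a diagnostic to confirm the Layer 2 path is the only problem, not a persistent pfSense configuration. pfSense only emits reply-to with the gateway assigned to the interface the rule is on, which is why a separate interface (a second NIC, a VLAN, or the PPPoE interface) is the supported way to give each public IP its own return path.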


  • Netgate

    My initial thought would be put the two WANs on two interfaces. Multiple IP subnets on one broadcast domain is generally fail.



  • Hi Derelict - thanks for the reply - do you mean like an extra network card?

    the challenge is that the router hardware has only 2 physical network ports -  1 WAN and the other for LAN.

    I've managed to get this working in the past using a Linux router with iptables. There are plenty of examples where people have used iptables with source-based routing and packet markers.

    I've been using pfSense more recently as it's easy to configure, and figured there must be a way... I'm not very familiar with FreeBSD and ipfw though (assuming that's what is underneath pfSense)

    I thought this physical setup would be a pretty normal scenario - is there a different way I should be adding the second IP to the pfsense box? (Maybe there is an alternative to the Firewall->VirtualIP which would create a more complete extra routing interface?)


  • Netgate

    Multiple IP subnets on one broadcast domain is generally fail.

    I'm not very familiar with FreeBSD and ipfw though (assuming thats what is underneath pfsense)

    It's actually pf, with exceptions like captive portal, which leverages ipfw.

    What you are trying to do is unsound. Get another interface or go back to linux.



  • Multiple IP subnets can work fine on a single broadcast domain.  - I appreciate that it is not conventional though.

    In my experience usually where there's a will there's a way. Maybe via VLANs or by PPPoE with bridge mode on the ADSL router? (I was hoping to avoid doing that, but I'd be interested to hear if there is a typical way recommended)

    Has anyone worked out a way to get a dual ADSL scenario like this working?  Otherwise I'll reluctantly go back to iptables, but I hope there is a way with pfsense?!



  • I have a compromise working…  I wouldn't say this is solved, so please help if you can suggest a better way?

    It looks as though the ADSL modems we have don't support VLAN, one of them does support bridging PPPoE though.
    As an experiment I've defined an additional PPPoE interface (OPT1) which gives pfSense an interface for NAT rules to be set up against. OPT1 (primary) and WAN (second), and it works!

    The following tweak is now allowing inbound NAT from both ADSL routers to the same SSH server

    - same physical configuration as above
      - updated adsl1 modem to run PPPoE bridging, so its public IP is now on the pfsense router
      - WAN configuration as follows:(interfaces->assign)
        + PPPs set up a new PPPoE connection with my ADSL/ISP login details  (on adsl1/WAN)
        + created a new Interface OPT1 which uses that PPPoE connection
        + WAN interface is now configured for the secondary IP (10.10.2.2/24) (I deleted the Virtual IP)

    - Routing->Gateways:
        + GW_WAN on PPPoE (default gateway)
        + GW2: on WAN set to have gateway 10.10.2.1 (also had to go back to the OPT1 interface and set its gateway to GW2)

    
    primaryDSL   +-------+ (10.10.1.1)
          +----> | adsl1 +------+----------+(other 10.10.1.0/24 devices
                 +-------+      |                now have no gateway with PPPoE moved to pfsense)
                                |
      secondIP   +-------+ 10.10.2.1
          +----> | adsl2 +------+
                 +-------+      |
                                | PPPoE:PrimaryIP/WAN:10.10.2.2
                         +------+------+
                         | pfsense|NAT |
                         +-------------+
                                |192.168.1.0/24
                                |
                                |  +------------+
                                +--+ ssh Server |(192.168.1.10)
                                   +------------+
    
    

    It's not ideal, as we use the 10.1.1.0/24 subnet for other things, and with PPPoE on pfSense they don't have a public gateway any more... so it replaces one problem with another. (But it is a configuration that I can work with if there's no better method)

    I guess I'm coming back to my original question: is there a way to assign NAT rules to a second IP on the same physical WAN network port? This would work better in our situation if it's possible...!?