Multiwan configuration for SSH to failover interface



  • I have configured a failover 2nd WAN connection and it is working fine.

    Is there a way that I can configure main LAN to telnet/ssh to 2nd WAN connection gateway (wireless modem) when using primary WAN connection?

    I am looking to do just SMS via SSH with the cellular modem while concurrently using the primary WAN connection.

    I have tried adding some firewall rules and NAT but am not getting anywhere.


  • Netgate

    I'm sorry but "huh?" No idea what you're asking.



  • Thank you for the quick response Derelict.

    I have configured PFSense Multiwan for failover using a cellular modem as my secondary WAN internet connection.

    I have tested failover from primary ISP WAN to secondary ISP WAN (cellular connection).

    All works fine.

    Doing my failover testing to the cellular modem, I can telnet or SSH to the cellular modem to do some SMS texting just fine.

    I want to automate this from a server on the LAN such that the server normally will talk to the internet using the main WAN, but when using the SMS server I want it to talk SSH / Telnet to the failover WAN2, which is the cellular modem.

    I want to be able to utilize ssh/telnet from LAN to the cellular modem (WAN2) when I am using the primary WAN.

    Main LAN ==> WAN1
    Failover ===> WAN2

    Server==> Main LAN ==> WAN1
    SMS Server ==> internet ==> WAN1
    SMS Server ==> SSH to Modem IP ===> WAN2


  • Netgate

    Generally to talk to a WAN modem you have to jump through some NAT hoops.

    This might help:

    https://doc.pfsense.org/index.php/How_can_i_access_my_PPPoE_Modem_on_WAN



  • Thank you Derelict.

    No success with this.

    It is just a combo voice and data cellular modem (no PPPoE required).

    I can only get to the modem IP in failover mode with some rules configured from the LAN to the failover WAN.

    Failover mode running to cellular modem.

    /# ping 192.168.250.249 (IP of the modem).
    PING 192.168.250.249 (192.168.250.249) 56(84) bytes of data.
    64 bytes from 192.168.250.249: icmp_seq=1 ttl=63 time=0.915 ms
    64 bytes from 192.168.250.249: icmp_seq=2 ttl=63 time=0.725 ms
    64 bytes from 192.168.250.249: icmp_seq=3 ttl=63 time=0.791 ms

    telnet 192.168.250.249
    Trying 192.168.250.249…
    Connected to 192.168.250.249.
    Escape character is '^]'.

    ICS-EG login:

    Running regular WAN1

    /# ping 192.168.250.249
    PING 192.168.250.249 (192.168.250.249) 56(84) bytes of data.

    --- 192.168.250.249 ping statistics ---
    3 packets transmitted, 0 received, 100% packet loss, time 1999ms




  • Hi Pete,

    If I understand your configuration correctly, you have a LAN based SMS server, and are wanting SSH traffic (port 22) to go via WAN2 always, and other traffic to go by the current preferred gateway (WAN1 failover to WAN2).

    Have you tried creating an outbound NAT rule for ssh (port 22) destination to the Modem IP, (source IP of LAN SMS Server)?

    That would be my first guess.  If you are happy to route all traffic from the SMS server to your WAN2 link, you can alternatively create a route rule for destination 192.168.250.249/32 which forwards to the GW2 interface.



  • Thank you BugBear.

    If I understand your configuration correctly, you have a LAN based SMS server, and are wanting SSH traffic (port 22) to go via WAN2 always, and other traffic to go by the current preferred gateway (WAN1 failover to WAN2).

    yes

    Have you tried creating an outbound NAT rule for ssh (port 22) destination to the Modem IP, (source IP of LAN SMS Server)?

    Yes.  Didn't work.

    you can alternatively create a route rule for destination 192.168.250.249/29 which forwards to the GW2 interface.

    Yup; tried that too.  Didn't work.

    I can only get it to work if I failover to the modem internet connection.



  • I have a similar set up which works fine, so you should be able to get it working…  :)

    Some more ideas:

    -  'Block private networks' unchecked for your WAN2 interface
    -  I'd try route before NAT; make sure in your route you specify destination IP, the GW2 gateway and the WAN2 interface (gw alone is probably not sufficient)

    Is your Primary/Failover setup with an Interface Group? - are both gateways showing online in Status-Gateways?
    Try removing the interface group to see if it makes a difference

    watch out for old misconfigurations - maybe clear it all out and add it again.

    Diagnostics->Packet Capture on the WAN1 and WAN2 interfaces while you ping will confirm if, and on which interface, the pings are being sent out.
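The advice above (static route for the modem subnet, then capture on WAN1/WAN2 to see where the pings leave) and the poster's symptom (the modem is only reachable while in failover) fit a common multi-WAN pitfall: a LAN firewall rule that carries a gateway group policy-routes every matching packet before the system routing table is consulted, so a static route for the modem never gets a say until WAN1 is down. The block below is an added example, not code from the thread or from pfSense; it models that rule-before-routing-table behaviour as an assumption and uses the thread's modem address (192.168.250.249) and static-route destination (192.168.250.248/29) together with constructed placeholder addresses for the WAN1 gateway, the LAN and an internet host. It shows that a pass rule for the modem subnet with no gateway set, placed above the catch-all rule, hands the decision back to the routing table and sends the modem traffic out WAN2 whether or not WAN1 is up.

```python
"""Model of pfSense egress selection for a LAN host in a WAN1/WAN2 failover setup.

Added example (not from the thread). Assumption being modelled: a LAN pass rule
with a gateway (or gateway group) is honoured first and bypasses the routing
table; a pass rule without a gateway falls through to the routing table, where
longest-prefix match applies.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional

MODEM_IP = ip_address("192.168.250.249")         # modem address from the thread
MODEM_NET = ip_network("192.168.250.248/29")     # static-route destination from the thread
WAN1_GW = ip_address("203.0.113.1")              # constructed placeholder (TEST-NET-3)
WAN2_GW = MODEM_IP                               # the cellular modem is WAN2's gateway
INTERNET_HOST = ip_address("198.51.100.7")       # constructed placeholder (TEST-NET-2)


@dataclass
class Route:
    prefix: IPv4Network
    gateway: IPv4Address


@dataclass
class Rule:
    """A LAN pass rule. gateways=None means 'no gateway set, use the routing table'."""
    dst: IPv4Network
    gateways: Optional[List[IPv4Address]]        # ordered failover tiers


@dataclass
class Firewall:
    routes: List[Route]
    rules: List[Rule]                            # first match wins, top to bottom
    gateway_up: Dict[IPv4Address, bool] = field(default_factory=dict)


def lookup_route(fw: Firewall, dst: IPv4Address) -> Optional[Route]:
    """Longest-prefix match over the routing table."""
    best = None
    for r in fw.routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def egress_gateway(fw: Firewall, dst: IPv4Address) -> Optional[IPv4Address]:
    """Gateway a LAN packet to dst is handed to, or None if blocked / all tiers down."""
    for rule in fw.rules:
        if dst not in rule.dst:
            continue
        if rule.gateways is None:                # no gateway on the rule: routing table decides
            route = lookup_route(fw, dst)
            return route.gateway if route else None
        for gw in rule.gateways:                 # gateway group: first member that is up
            if fw.gateway_up.get(gw, False):
                return gw
        return None
    return None                                  # no pass rule matched


def build_firewall(wan1_up: bool, bypass_rule: bool) -> Firewall:
    """Thread's setup: static route for the modem subnet plus a catch-all LAN rule
    using the failover group. bypass_rule adds a no-gateway pass rule for the
    modem subnet above the catch-all."""
    default_gw = WAN1_GW if wan1_up else WAN2_GW  # default route follows the failover
    routes = [Route(ip_network("0.0.0.0/0"), default_gw),
              Route(MODEM_NET, WAN2_GW)]          # the poster's static route
    rules: List[Rule] = []
    if bypass_rule:
        rules.append(Rule(MODEM_NET, None))
    rules.append(Rule(ip_network("0.0.0.0/0"), [WAN1_GW, WAN2_GW]))
    return Firewall(routes, rules, {WAN1_GW: wan1_up, WAN2_GW: True})


if __name__ == "__main__":
    for bypass in (False, True):
        for wan1_up in (True, False):
            fw = build_firewall(wan1_up, bypass)
            print(f"bypass_rule={bypass!s:5} wan1_up={wan1_up!s:5} "
                  f"modem via {egress_gateway(fw, MODEM_IP)} "
                  f"internet via {egress_gateway(fw, INTERNET_HOST)}")
```

Run it and the first two lines reproduce the poster's symptom (modem traffic leaves via the WAN1 gateway while WAN1 is up, and only reaches the modem after failover); the last two show the bypass rule sending modem traffic to WAN2 in both states while internet traffic still follows the failover group. On a real box the equivalent check is the packet capture suggested above: with the catch-all rule in charge, the pings appear on WAN1, not WAN2.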



  • Thank you bugbear.

    -  'Block private networks' unchecked for your WAN2 interface -

    Yes

    -  I'd try route before NAT; make sure in your route you specify destination IP, the GW2 gateway and the WAN2 interface (gw alone is probably not sufficient)

    Here is my static route configuration.

    Destination Network : 192.168.250.248 / 29

    WAN2GW: 192.168.250.249

    Just calling it : modem

    Is your Primary/Failover setup with an Interface Group?

    No.

    are both gateways showing online in Status-Gateways?

    Yes.

    watch out for old misconfigurations - maybe clear it all out and add it again.

    Yup; keep adding and deleting configurations.

    Diagnostics->Packet Capture on the WAN1 and WAN2 interfaces while you ping will confirm if, and on which interface, the pings are being sent out.

    I do not see anything doing the WAN2 or WAN1 packet capture.  I can see my pings doing a LAN packet capture.



  • Still playing here and decided to shortcut it a bit running another LAN connection from the modem to the PFSense box and only allow telnet/ssh to the modem.