[Solved] Multiple public IP addresses for a WAN connection (multi-WAN setup)?
-
Hello,
I have a three-WAN setup with load-balancing: outgoing traffic (from local to Internet) uses any of the available WAN (WAN_A, WAN_B and WAN_C).
One of my ISP (say WAN_C) can provide me with a "/29"-block IPv4 public addresses (8 IPs), that would allow me to "advert myself" under more IP address than now.Can I configure pfSense so that :
-
Outgoing traffic is still load-balanced over my 3 WANs (according to load/usage) ?
-
Traffic that the load-balancer made go through WAN_C is load balanced over theses 9 public IPs (the original WAN_C public address + the 8 new addresses) ?
-
I can accept/block/forward incoming traffic (from Internet to local, excluding already established outgoing traffic) that come on WAN_C interface on a per destination IP basis? Reject some IP addresses, forward others, etc.
-
Treat incoming traffic for any of the 9 WAN_C's public IPs as a whole/the same (kind of default behavior)? I could then contact my hosted services on any of the WAN_C public IP addresses
?
Context:
-
I am using pfSense v2.2.5
-
The 3 pfSense WAN interfaces are static IP
-
I host some (few) services on my LAN (with NAT+firewalle rules)
-
I plan on enabling pfSense OpenVPN server
Thanks
-
-
According to what I have read here and there:
I have to declare the new IP addresses in "Firewall > NAT > Virtual IP Addresses" as "Virtual IP" of type "CARP" on my WAN_C interface.
If I want to manage them individually, I can change the "mode" setting in "Firewall > NAT > Outbound" to "Hybrid Outbound NAT rule generation" (or "Manual Outbound NAT rule generation") and add "NAT entries" with "Translation" set to the desired virtual IP.
But how can I tell pfSense to make the new IP addresses part of my load balancing gateway group? I can't find a corresponding setting and can't imagine it would do it automatically.
-
The gateway group is a group of gateways, or next hops, not interface addresses.
The virtual IPs come into play after the routing has determined which gateway should be used to send the outgoing traffic.
All VIPs on a particular interface will use the same gateway. The NAT translation will just use a different address (the VIP) to translate the source address on its way out.
So, in other words, you don't need to do anything.
-
All VIPs on a particular interface will use the same gateway. The NAT translation will just use a different address (the VIP) to translate the source address on its way out.
So the "balance" over the multiple WAN IPs will be activated with the "Translation > Pool Options" setting on the NAT entry (possible values being: Round Robin, Random, etc. with or without Sticky Address)?
-
It's two different things.
Your policy routing and routing table determine which interface will be used to send the traffic.
After that decision is made the Outbound NAT rules determine what address/port mapping occurs, if any.
It doesn't really matter as far as load balancing is concerned. The load on the gateway will be the same regardless of VIP used.
An exception I can think of is if the interface is an LACP LAGG. A balance of different source addresses will help LACP do its thing.
-
Thanks for the explanation Derelict, it's clearer now.
I have a question about the Outbound NAT translation pool works.
Context reminder: The ISP I use on my WAN_C interface provides me one (public) IP address (say: 3.3.3.3). I asked him more IP and he provided me a 1.2.3.40/29 block.
To use them, I have created an Advanced Outbound NAT Entry using Other subnet = "1.2.3.40/29" with Pool options = "Round Robin with Sticky Address"
for any traffic from LAN to any destination on my WAN_C interface.It makes any outgoing traffic that firewall and Load Balancer made go through WAN_C interface to use one IP between 1.2.3.40-1.2.3.47 : great!
But is there a way to include my "original" 3.3.3.3 IP address in that outgoing pool? So that outgoing traffic still uses 3.3.3.3 sometimes?
As far as I can see it: the "Translation" configuration part only accepts one entry: either the interface address, a declared Virtual IP or a subnet.
In my case I would like the Translator to pick one IP among 3.3.3.3, 1.2.3.40, 1.2.3.41, …, 1.2.3.47. -
You can create a host alias containing all the outside IP addresses you would like to be made available for outbound NAT.
Use that alias as the translation address.
Must be a host alias. Cannot contain subnets.
-
Thanks!
Exactly what I wanted. :D(Now I'll have to duplicate some firewall rules to outgoing NAT module)
