Netgate Discussion Forum
    [Solved] Multiple public IP addresses for a WAN connection (multi-WAN setup)?

    Category: Routing and Multi WAN
    8 Posts 2 Posters 12.3k Views
    CDuv:

      Hello,

      I have a three-WAN setup with load-balancing: outgoing traffic (from local to Internet) uses any of the available WANs (WAN_A, WAN_B and WAN_C).
      One of my ISPs (say WAN_C) can provide me with a "/29" block of IPv4 public addresses (8 IPs), which would allow me to "advertise myself" under more IP addresses than now.

      Can I configure pfSense so that:

      • Outgoing traffic is still load-balanced over my 3 WANs (according to load/usage)?

      • Traffic that the load-balancer made go through WAN_C is load-balanced over these 9 public IPs (the original WAN_C public address + the 8 new addresses)?

      • I can accept/block/forward incoming traffic (from Internet to local, excluding already established outgoing traffic) that comes in on the WAN_C interface on a per-destination-IP basis? Reject some IP addresses, forward others, etc.

      • Treat incoming traffic for any of the 9 WAN_C public IPs as a whole/the same (kind of default behavior)? I could then contact my hosted services on any of the WAN_C public IP addresses.

      Context:

      • I am using pfSense v2.2.5

      • The 3 pfSense WAN interfaces are static IP

      • I host some (few) services on my LAN (with NAT + firewall rules)

      • I plan on enabling the pfSense OpenVPN server

      Thanks

      CDuv:

        According to what I have read here and there:

        I have to declare the new IP addresses in "Firewall > NAT > Virtual IP Addresses" as "Virtual IP" of type "CARP" on my WAN_C interface.

        If I want to manage them individually, I can change the "mode" setting in "Firewall > NAT > Outbound" to "Hybrid Outbound NAT rule generation" (or "Manual Outbound NAT rule generation") and add "NAT entries" with "Translation" set to the desired virtual IP.

        But how can I tell pfSense to make the new IP addresses part of my load balancing gateway group? I can't find a corresponding setting and can't imagine it would do it automatically.

        Derelict (Netgate):

          The gateway group is a group of gateways, or next hops, not interface addresses.

          The virtual IPs come into play after the routing has determined which gateway should be used to send the outgoing traffic.

          All VIPs on a particular interface will use the same gateway. The NAT translation will just use a different address (the VIP) to translate the source address on its way out.

          So, in other words, you don't need to do anything.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          CDuv:

            @Derelict:

            All VIPs on a particular interface will use the same gateway. The NAT translation will just use a different address (the VIP) to translate the source address on its way out.

            So the "balance" over the multiple WAN IPs will be activated with the "Translation > Pool Options" setting on the NAT entry (possible values being: Round Robin, Random, etc. with or without Sticky Address)?

            Derelict (Netgate):

              It's two different things.

              Your policy routing and routing table determine which interface will be used to send the traffic.

              After that decision is made the Outbound NAT rules determine what address/port mapping occurs, if any.

              It doesn't really matter as far as load balancing is concerned. The load on the gateway will be the same regardless of VIP used.

              An exception I can think of is if the interface is an LACP LAGG. A balance of different source addresses will help LACP do its thing.


              CDuv:

                Thanks for the explanation Derelict, it's clearer now.

                I have a question about how the Outbound NAT translation pool works.

                Context reminder: The ISP I use on my WAN_C interface provides me with one (public) IP address (say: 3.3.3.3). I asked them for more IPs and they provided me with a 1.2.3.40/29 block.

                To use them, I have created an Advanced Outbound NAT entry using Other subnet = "1.2.3.40/29" with Pool options = "Round Robin with Sticky Address"
                for any traffic from LAN to any destination on my WAN_C interface.

                It makes any outgoing traffic that the firewall and load balancer sent through the WAN_C interface use one IP between 1.2.3.40 and 1.2.3.47: great!

                But is there a way to include my "original" 3.3.3.3 IP address in that outgoing pool? So that outgoing traffic still uses 3.3.3.3 sometimes?
                As far as I can see, the "Translation" configuration part only accepts one entry: either the interface address, a declared Virtual IP or a subnet.
                In my case I would like the translator to pick one IP among 3.3.3.3, 1.2.3.40, 1.2.3.41, …, 1.2.3.47.

                Derelict (Netgate):

                  You can create a host alias containing all the outside IP addresses you would like to be made available for outbound NAT.

                  Use that alias as the translation address.

                  Must be a host alias. Cannot contain subnets.


                  CDuv:
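As an added illustration (not part of the original thread, and not literal pfSense output), this is roughly what the two outbound NAT entries discussed above come out as in pf syntax, which is what pfSense generates in /tmp/rules.debug from the GUI entries. It also covers Derelict's earlier point that the VIPs only change the translated source address after the gateway has already been chosen. The interface name em2 for WAN_C, the LAN subnet 192.168.1.0/24 and the alias name WANC_POOL are assumptions; the addresses are the ones from the thread.

```pf
# Before: "Translation" set to Other subnet = 1.2.3.40/29 only.
# Traffic that policy routing already sent to WAN_C (em2) is source-NATed
# to one of 1.2.3.40-1.2.3.47; the interface address 3.3.3.3 is never picked.
# (em2 and 192.168.1.0/24 are assumed names for this illustration.)
nat on em2 inet from 192.168.1.0/24 to any -> 1.2.3.40/29 round-robin sticky-address

# After: "Translation" set to a host alias that lists every address to use,
# including the original interface address 3.3.3.3. pfSense loads the alias
# as a pf table; a host alias is required because a table used as a NAT pool
# takes individual addresses, and round-robin is the pool type used with it.
# (WANC_POOL is an assumed alias name.)
table <WANC_POOL> { 3.3.3.3 1.2.3.40 1.2.3.41 1.2.3.42 1.2.3.43 1.2.3.44 1.2.3.45 1.2.3.46 1.2.3.47 }
nat on em2 inet from 192.168.1.0/24 to any -> <WANC_POOL> round-robin sticky-address
```

Neither rule touches the gateway decision: which WAN carries the packet is settled by the gateway group before these rules run, so the share of traffic on WAN_C is unchanged and only the source address written into the packet varies. To check what is actually loaded, `pfctl -sn` lists the active NAT rules and `pfctl -t WANC_POOL -T show` prints the table members. The `sticky-address` keyword keeps a given internal host on the same outside address for as long as it has states, so a remote service sees a stable source IP per internal host instead of a different one per connection.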

                    Thanks!
                    Exactly what I wanted. :D

                    (Now I'll have to duplicate some firewall rules to the outbound NAT module)

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.