MultiWAN and Routing Issue
-
For a long time our shop was running pfSense with a single LAN and WAN connection and the thing was rock solid!
Recently we added a second (faster) Internet connection to do some load balancing and, more importantly, push backups offsite.
We were able to setup load balancing across the two WAN connections as per the how-to, but then I noticed something strange with a website we host via the original WAN interface.
All staff (both on the LAN and Internet) access this website via the public IP of the original WAN (WAN1) connection. However, when LAN traffic is routed through the new WAN (WAN2) gateway the website is unreachable. When the preferred gateway is set back to WAN1 the website functions again.
My understanding was that if WAN2 is the gateway pfSense would route requests for the WAN1 website out onto the Internet and then back to WAN1 (as if coming from two separate routers). But it appears that somehow the packets are not being routed correctly. I checked the firewall logs and there did not appear to be any 'blocked' packets.
I know there may be a workaround involving the DNS records, but I at the moment this is not an option for us. I wanted to see if I could figure out why this isn't working.
Any help or a push in the right direction would be much appreciated!
We are running pfSense 2.2.4
-
You probably need a policy route negation rule.
Create an allow rule on LAN, source LAN net, destination WAN1 net, with no gateway set, and place it ABOVE the allow rule that has the gateway group defined.
You also need NAT reflection enabled, but I assume it already is, otherwise it would have never worked.
-
Thanks for the quick response georgeman!
I looked up 'policy route negation rule' and the following how-to came up:
https://doc.pfsense.org/index.php/Bypassing_Policy_Routing
Using on the info in the above link I created a pass rule on the LAN interface where the LAN subnet was the destination. When I placed this rule first the website accessible via WAN1 became available to LAN hosts.
From what I understand because the packets are destined for a NAT'd host via WAN interface and are therefore supposed to be 'reflected' back to the internal host without being routed to the Internet. Without the above rule the packets were hitting the load balancing LAN policy which sent them out the wrong gateway… Is this correct?
I am still getting used to pfSense's nuances... while I am happy that it is now working, does having a rule like this somehow open a big hole in our security?
Bonus Question: If I turn off NAT reflection would it be impossible for a LAN host to access an open TCP port on the WAN interface?