Multi-WAN and NAT

The default NAT rules generated by pfSense® software will translate any traffic leaving a WAN-type interface to the IP address of that interface. In a default two interface LAN and WAN configuration, pfSense software will NAT all traffic from the LAN subnet leaving the WAN interface to the WAN IP address. Adding more WAN-type interfaces extends this to NAT any traffic leaving a WAN-type interface to that interface IP address. This is all handled automatically unless Manual Outbound NAT is enabled.

Warning

NAT does not influence the path taken by connections, only how addresses on packets traversing an interface are translated by the firewall.

Policy routing firewall rules direct connections to specific WAN interfaces, and the Outbound and 1:1 NAT rules specify how the addresses on packets for those connections will be translated by the firewall as they leave that WAN.

Multi-WAN and Manual Outbound NAT

If Manual Outbound NAT must be used with multi-WAN, ensure manual outbound NAT rules are present for all WAN-type interfaces.

Multi-WAN and Port Forwarding

Each port forward applies to a single WAN interface. A given port can be opened on multiple WAN interfaces by using multiple port forward entries, one per WAN interface. The easiest way to accomplish this is:

  • Add a port forward on the first WAN connection as usual

  • Click the clone icon to the right of that entry to add another port forward based on the selected one

  • Change the Interface to the desired WAN

  • Click Save

The reply-to keyword in pf, which the firewall automatically places on WAN-type interface rules by default, ensures that when traffic comes in over a specific WAN interface, the return traffic will go back out the way it came into the firewall. Thus, port forwards can be actively used on all WAN interfaces at any time, regardless of any failover configuration that may be present. This is especially useful for mail servers as an address on a secondary WAN can be used as a backup MX, allowing the site to receive mail even when the primary line is down.

See also

This reply-to behavior is configurable; for information on this setting, see Disable Reply-To.

Multi-WAN and 1:1 NAT

1:1 NAT entries are specific to a single WAN interface and, like outbound NAT, they only control what happens to addresses on packets as they pass through an interface. Internal systems can be configured with a 1:1 NAT entry on each WAN interface, or with a 1:1 entry on one or more WAN interfaces while using the default outbound NAT on the others. Where 1:1 entries are configured, they always override any other Outbound NAT configuration for that specific interface.

If a local device must always use a 1:1 NAT entry on a specific WAN, then traffic from that device must be forced to use that specific WAN gateway with policy routing firewall rules.
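A hand-written pf.conf fragment in FreeBSD pf syntax, added here as an illustration (it is not the ruleset pfSense software generates), showing the outbound NAT, port forward, reply-to and 1:1 NAT behaviour from the sections above side by side; the interface names (em0/em1/em2) and all addresses are assumptions:

```pf
# Added example, not generated by pfSense. Assumed layout:
#   em0 = WAN1 203.0.113.5/24,  gateway 203.0.113.1
#   em1 = WAN2 198.51.100.5/24, gateway 198.51.100.1
#   em2 = LAN  192.168.1.0/24
lan_net = "192.168.1.0/24"
mail    = "192.168.1.10"   # internal mail server, reachable on both WANs
dmzhost = "192.168.1.20"   # host with a 1:1 mapping on WAN1 only

# 1:1 NAT (binat) for one host on WAN1. pf consults binat before the
# outbound nat rules, so this mapping overrides outbound NAT on em0.
# There is no 1:1 entry on WAN2: on em1 this host uses plain outbound NAT.
binat on em0 from $dmzhost to any -> 203.0.113.20

# Outbound NAT, one rule per WAN-type interface. With Manual Outbound NAT,
# omitting the em1 line leaves connections that exit WAN2 untranslated.
nat on em0 from $lan_net to any -> (em0)
nat on em1 from $lan_net to any -> (em1)

# Port forward for SMTP: one rdr per WAN interface, both to the same host.
rdr on em0 proto tcp from any to 203.0.113.5  port 25 -> $mail port 25
rdr on em1 proto tcp from any to 198.51.100.5 port 25 -> $mail port 25

# The matching pass rules carry reply-to, so replies to a connection that
# arrived on em1 leave through em1's gateway even when WAN1 holds the
# default route. This is what lets WAN2's address serve as a backup MX.
pass in quick on em0 reply-to (em0 203.0.113.1) inet proto tcp \
    from any to $mail port 25 flags S/SA keep state
pass in quick on em1 reply-to (em1 198.51.100.1) inet proto tcp \
    from any to $mail port 25 flags S/SA keep state

# Policy routing on LAN: NAT never picks the path, route-to does. Forcing
# the 1:1-mapped host out WAN1 guarantees its traffic meets the binat rule.
pass in quick on em2 route-to (em0 203.0.113.1) inet from $dmzhost to any keep state
# Everything else from LAN follows the system default route (WAN1 here).
pass in quick on em2 inet from $lan_net to any keep state
```

The rules can be syntax-checked without loading them using `pfctl -nf <file>`.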