Multi-WAN and NAT¶
The default NAT rules generated by pfSense® software will translate any traffic leaving a WAN-type interface to the IP address of that interface. In a default two interface LAN and WAN configuration, pfSense will NAT all traffic from the LAN subnet leaving the WAN interface to the WAN IP address. Adding more WAN-type interfaces extends this to NAT any traffic leaving a WAN-type interface to that interface IP address. This is all handled automatically unless Manual Outbound NAT is enabled.
NAT does not influence the path taken by connections, only how addresses on packets traversing an interface are translated by the firewall.
Policy routing firewall rules direct connections to specific WAN interfaces, and the Outbound and 1:1 NAT rules specify how the addresses on packets for those connections will be translated by the firewall as it leaves that WAN.
Multi-WAN and Manual Outbound NAT¶
If Manual Outbound NAT must be used with multi-WAN, ensure manual outbound NAT rules are present on all WAN-type interfaces. In that mode the firewall no longer generates outbound NAT rules automatically, so a connection that is policy routed out a WAN with no matching rule leaves with its original (typically private) source address and will usually be dropped upstream.
Multi-WAN and Port Forwarding¶
Each port forward applies to a single WAN interface. A given port can be opened on multiple WAN interfaces by using multiple port forward entries, one per WAN interface. The easiest way to accomplish this is:
Add a port forward on the first WAN connection as usual
Click the copy icon to the right of that entry to add a new port forward based on the selected one
Change the Interface to the desired WAN, and if the Destination was a specific address rather than the interface address, change it to the matching address on that WAN
Save and apply the changes
The reply-to keyword in pf, which pfSense software adds to rules on WAN-type interfaces (interfaces with a gateway), ensures that when traffic comes in over a specific WAN interface, the return traffic goes back out the way it came into the firewall rather than following the default route. Port forwards can therefore be actively used on all WAN interfaces at any time, regardless of any failover configuration that may be present. This is especially useful for mail servers, as an address on a secondary WAN can be used as a backup MX, allowing the site to receive mail even when the primary line is down. This behavior is configurable; for information on this setting (found under System > Advanced, Firewall & NAT), see Disable Reply-To.
Multi-WAN and 1:1 NAT¶
1:1 NAT entries are specific to a single WAN interface and, like outbound NAT, they only control what happens to addresses on packets as they pass through an interface. Internal systems can be configured with a 1:1 NAT entry on each WAN interface, or a 1:1 entry on one or more WAN interfaces and use the default outbound NAT on others. Where 1:1 entries are configured, they always override any other Outbound NAT configuration for that specific interface.
If a local device must always use a 1:1 NAT entry on a specific WAN, then traffic from that device must be forced to use that specific WAN gateway with policy routing firewall rules. Otherwise connections from that device which leave a different WAN are translated by whatever Outbound NAT rules apply on that interface, not by the 1:1 entry.