
Training Lab 8: Multi-WAN

From MediawikiCIT


Netgate pfSense Plus Fundamentals — Lab 8: Multi-WAN
Adding WAN2, configuring gateway groups, failover, failback, firewall rules, NAT, and testing.

This lab covers adding a second WAN interface to HQ, configuring the interface, gateway groups, firewall rules, NAT and related topics for multi-WAN, then testing its failover and failback.

Configuring WAN2 Interface

Adding the WAN2 Interface

Browse to Interfaces > Assign, and verify that your OPT2 interface is assigned to vtnet3. Browse to Interfaces > OPT2. Configure the interface as follows:

Setting Value
Enable check
Description WAN2
IPv4 Type Static
IPv4 Address 198.51.100.2/24
Gateway add new
— Name GW_WAN2
— IP 198.51.100.1

Save and Apply Changes.

Verifying WAN2 Connectivity

After adding a new WAN, the fastest way to verify it’s online is by browsing to Status > Gateways. It should show green and online there. To verify Internet connectivity, browse to Diagnostics > Ping. Enter any Internet host that replies to pings in the “Host” box (such as google.com), choose Source Address WAN2, and click Ping. You should receive replies.

Configuring DNS Servers

At least one DNS server must be reachable via each WAN so a single connection's failure doesn't result in DNS failing.

  • In a production environment, at least one DNS server should be assigned to each WAN.
  • In this lab network, DNS servers are local to the WAN and WAN2 networks, so we will not assign them to specific gateways.

Browse to System > General Setup. There you will see the existing entry for 192.0.2.1. In a real production environment you may consider assigning this server to GW_WAN; however, that is neither possible nor necessary here, because 192.0.2.1 is in the same network as the WAN interface.

Add 198.51.100.1 as a secondary DNS server. In a real production environment you may consider assigning this server to GW_WAN2; however, that is neither possible nor necessary here, because 198.51.100.1 is in the same network as WAN2.

Click Save.

Configuring Monitor IPs

The system will ping its monitor IP for each gateway to determine gateway status. By default, the gateway's IP is used. For multi-WAN scenarios, that is probably not a good choice.

  • Your default gateway may be a local router within your facility, unlikely to ever go down when your Internet goes down.
  • Or problems in your ISP's network further upstream could cause loss of connectivity.
  • Using an IP out on the Internet as the monitor IP offers a better test of connectivity.

Use of anycasted IPs is best:

  • Google public DNS: 8.8.8.8 and 8.8.4.4
  • OpenDNS: 208.67.220.220 and 208.67.222.222

Browse to System > Routing. Edit GW_WAN. For monitor IP, fill in 8.8.8.8. Save. Then edit GW_WAN2, and set its monitor IP to 8.8.4.4. Save, then Apply Changes.

Configuring Gateway Groups

Configure three gateway groups for use at HQ:

  1. One that prefers WAN and fails over to WAN2.
  2. One that prefers WAN2 and fails over to WAN.
  3. One that load balances across both.

Browse to System > Routing, and click the Groups tab. Click +Add to add a new group.

WAN to WAN2

Name the group WANtoWAN2 and set WAN (GW_WAN) to Tier 1 and WAN2 (GW_WAN2) to Tier 2, so the group prefers WAN and fails over to WAN2. Then click Save.

WAN2 to WAN

Click the duplicate symbol to the right of the WANtoWAN2 group to create a new group based on this one, then swap the tiers and change the group name to WAN2toWAN and its description. This group prefers WAN2 and fails over to WAN.

Load Balance

This load balances across both WAN and WAN2. If a WAN fails, it's removed from the load balancing pool.

Configure NAT for Multi-WAN

The NAT configuration is all on a per-interface basis, specifying one particular interface and having IP information that's specific to that interface. When you add a new WAN, you also need NAT configuration specific to that new WAN.

Configuring Virtual IPs on WAN2

WAN2 will have 3 virtual IPs configured as IP aliases:

IP/mask Description
198.51.100.4/32 server1 WAN2 external address
198.51.100.5/32 server2 WAN2 external address
198.51.100.6/32 extra WAN2 external address

Browse to Firewall > Virtual IPs and click Add. Set Type to IP Alias and Interface to WAN2, enter the first address and its description, then save. Repeat the process for the remaining IPs, then apply changes.

Configuring Port Forwards on WAN2

To open the same ports on WAN2 as on WAN, duplicate the existing port forward entries and change their interface from WAN to WAN2.

Browse to Firewall > NAT, Port Forwards tab. Click the duplicate symbol to the right of the “VNC to hqclient” entry. In the resulting screen, change the interface from WAN to WAN2. Note how the destination address automatically changes to “WAN2 address.” Verify that change, update the description if desired, then save.

Repeat that process for the port 222 SSH port forward to hq-client.

Configuring 1:1 NAT on WAN2

Configure 1:1 NAT for server1 and server2 on WAN2.

Setting        server1                     server2
Interface      WAN2                        WAN2
External IP    198.51.100.4                198.51.100.5
Internal IP    172.17.2.10                 172.17.2.20
Description    server1.example.com WAN2    server2.example.com WAN2

Save and apply changes.

Configuring Outbound NAT on WAN2

Since the configuration is using manual outbound NAT, add outbound NAT rules for WAN2.

Browse to Firewall > NAT, Outbound tab. Click the duplicate symbol to the right of “hq-client out via .6” to add a new entry based on that one. Change the interface to WAN2, and the Translation address to 198.51.100.6.

Repeat the same process for the two other outbound NAT rules.

Configuring WAN2 Firewall Rules

We want the same external access on WAN2 as is already active on WAN, permitting certain traffic through the 1:1 NATs for server1 and server2. Interface groupings do not support return routing at this time, so the rules must be kept on each WAN separately.

Browse to Firewall > Rules, WAN tab. Click the duplicate symbol to the right of “allow web ports to public web servers” to duplicate it, change the interface from WAN to WAN2, and click Save. Because the NAT applies first, the firewall rule is otherwise identical to the one on WAN.

Repeat the same process for rules “allow pings to public web servers” and “allow SSH to web servers from remote admin.”

Configure Firewall Rules for Outbound Traffic

In a multi-WAN environment, outbound traffic is directed to a particular WAN or gateway group via policy routing with firewall rules.

Test WAN2 with Single Client

First, send only hq-client1 out via WAN2. It's generally best to test a new WAN with a single client before moving the whole LAN onto it.

Browse to Firewall > Rules, LAN tab, and click Add to add a rule to the top of the list:

Setting Value
Action Pass
Interface LAN
Protocol any
Source Single host or alias, 172.17.1.100
Destination any
Description hq-client1 prefer WAN2
Gateway (Advanced Options) WAN2toWAN

Save and apply changes.

Testing LAN out WAN2

Open hq-client1's web browser and browse to http://100.64.0.50. You should be able to connect, and see you're coming from 198.51.100.6, the WAN2 VIP where hq-client1 is NATed.

Configure LAN for Failover Group

The “hq-client1 prefer WAN2” rule was only for testing. Delete that rule now.

Then edit the “Default allow LAN to any” rule, and choose Gateway WANtoWAN2. Verify Internet connectivity is still functioning from hq-client1.

LAN to DMZ Connectivity

Try to ping 172.17.2.10 from hq-client1. You won't receive a successful reply because traffic matching a firewall rule specifying a gateway is forced to that gateway. The attempt to get to DMZ is actually being sent to the WAN ISP's router, which can't route internal traffic.

Add LocalNetworks Alias

Add an alias containing destinations that will not be policy-routed to the Internet.

Browse to Firewall > Aliases and click +Add:

Setting Value
Name LocalNetworks
Description networks that will not be policy routed to Internet
Type Network
Network 1 172.17.0.0/16 (HQ)
Network 2 172.18.0.0/16 (branch)

Save and apply changes.

Add Firewall Rule for Negation

Browse to Firewall > Rules, LAN, and click Add to add a new rule to the top of the list:

Setting Value
Action Pass
Interface LAN
Protocol any
Source LAN net
Destination Single host or alias, LocalNetworks alias
Description allow local networks with no policy routing
Gateway Leave at default

Start a new ping to 172.17.2.10 and it will reply. If you still aren't getting a ping reply, it's probably because of an old firewall state. Reset states under Diagnostics > States, or delete those specific states, and try again.
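To make the gateway-group tiers from the Configuring Gateway Groups section and the first-match behaviour of the LocalNetworks negation rule concrete, here is an added Python model of the two mechanisms. It is not pfSense code; the gateway names, tiers, addresses and rule order are the lab's, while the load-balance group name LoadBalance is an assumption (the lab leaves that group unnamed), and the all-gateways-down fallback to system routing is modelled after pfSense's default behaviour rather than anything stated in the lab.

```python
"""Model of pfSense gateway-group selection and LAN policy routing.
Added example, not pfSense code; names and addresses come from the lab."""
import ipaddress

# Gateway groups as configured in the lab: gateway name -> tier.
# "LoadBalance" is an assumed name; the lab does not name that group.
GATEWAY_GROUPS = {
    "WANtoWAN2": {"GW_WAN": 1, "GW_WAN2": 2},
    "WAN2toWAN": {"GW_WAN2": 1, "GW_WAN": 2},
    "LoadBalance": {"GW_WAN": 1, "GW_WAN2": 1},
}

# Destinations that must never be policy-routed (the LocalNetworks alias).
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in ("172.17.0.0/16", "172.18.0.0/16")]

# LAN rulesets, evaluated top to bottom, first match wins. dst=None means
# "any"; gateway=None means "Leave at default", i.e. normal routing-table lookup.
LAN_RULES_WITHOUT_NEGATION = [
    {"dst": None, "gateway": "WANtoWAN2"},      # "Default allow LAN to any"
]
LAN_RULES_WITH_NEGATION = [
    {"dst": LOCAL_NETWORKS, "gateway": None},   # allow local networks, no policy routing
    {"dst": None, "gateway": "WANtoWAN2"},      # "Default allow LAN to any"
]


def select_gateways(group, status):
    """Return the online members of the lowest tier that has any online member.

    status maps gateway name -> True (online) / False (offline), as decided by
    the monitor-IP pings. A failover group yields one gateway; a load-balance
    group yields every online member of the tier, which pfSense then round-robins.
    """
    members = GATEWAY_GROUPS[group]
    for tier in sorted(set(members.values())):
        online = [gw for gw, t in members.items() if t == tier and status.get(gw)]
        if online:
            return online
    return []  # every member is down


def route_packet(dst_ip, rules, status):
    """Return the gateway the first matching rule forces, or 'system-routing'."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule["dst"] is None or any(ip in net for net in rule["dst"]):
            if rule["gateway"] is None:
                return "system-routing"
            chosen = select_gateways(rule["gateway"], status)
            # Assumed pfSense default: a rule whose group is entirely down
            # falls back to the routing table instead of dropping traffic.
            return chosen[0] if chosen else "system-routing"
    return "blocked"  # implicit default deny on the interface
```

Run route_packet("172.17.2.10", ...) against both rulesets to see why the DMZ ping in the LAN to DMZ Connectivity section failed: without the negation rule the packet is forced to GW_WAN, with it the packet uses the routing table.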

Default Gateway Switching

At this point, all traffic sourced from inside the LAN or DMZ and destined for the Internet follows the policy route. However, the default route on the firewall itself still points to WAN1, so if WAN1 fails, traffic sourced by the firewall itself will not be able to reach the Internet.

Navigate to System > Routing and set Default gateway IPv4 to Automatic and click Save.

Testing Failover

Now that failover is configured, it's important to test it. Create a failure on WAN to verify it switches over to WAN2.

In the virtual lab environment, shut down the WAN1 NIC on the Lab Internet Router. Point your web browser to your Lab Internet Router (http://100.64.0.1) and browse to Interfaces > HQ_WAN1. Uncheck the Enable box at the top and click OK, then Apply.

Now browse to Status > Gateways on fw1-HQ. Within a few seconds, WAN should show as offline. Once it does, try to browse out from LAN to the Internet. You should now be using WAN2.

Once tested, normalize your lab by logging back into your Lab Internet Router (http://100.64.0.1) and check the Enable box in the HQ-WAN1 interface. Your WAN gateway should then come back online.

This completes the multi-WAN lab.


Source: Netgate pfSense Plus Fundamentals and Practical Application — Lab 8 (Multi-WAN).
© 2021 Rubicon Communications, LLC (Netgate).
