Justinaquino: Created page with "NOTOC
'''Netgate pfSense Plus Fundamentals — Lab 8: Multi-WAN'''
Adding WAN2, configuring gateway groups, failover, failback, firewall rules, NAT, and testing.
This lab covers adding a second WAN interface to HQ, configuring the interface, gateway groups, firewall rules, NAT and related topics for multi-WAN, then testing its failover and failback. == Con..."

2026-04-23T07:06:59Z

Created page with "__NOTOC__ <div style="background:#fff3e6;border:1px solid #ff9900;padding:10px;margin-bottom:15px;"> '''Netgate pfSense Plus Fundamentals — Lab 8: Multi-WAN'''<br/> <i>Adding WAN2, configuring gateway groups, failover, failback, firewall rules, NAT, and testing.</i> </div> This lab covers adding a second WAN interface to HQ, configuring the interface, gateway groups, firewall rules, NAT and related topics for multi-WAN, then testing its failover and failback. == Con..."

New page

__NOTOC__

<div style="background:#fff3e6;border:1px solid #ff9900;padding:10px;margin-bottom:15px;">
'''Netgate pfSense Plus Fundamentals — Lab 8: Multi-WAN'''<br/>
<i>Adding WAN2, configuring gateway groups, failover, failback, firewall rules, NAT, and testing.</i>
</div>

This lab covers adding a second WAN interface to HQ, configuring the interface, gateway groups, firewall rules, NAT and related topics for multi-WAN, then testing its failover and failback.

== Configuring WAN2 Interface ==

=== Adding the WAN2 Interface ===

Browse to '''Interfaces > Assign''', and verify that your OPT2 interface is assigned to vtnet3. Browse to '''Interfaces > OPT2'''. Configure the interface as follows:

{| class="wikitable"
! Setting !! Value
|-
| Enable || check
|-
| Description || WAN2
|-
| IPv4 Type || Static
|-
| IPv4 Address || 198.51.100.2/24
|-
| Gateway || add new
|-
| — Name || GW_WAN2
|-
| — IP || 198.51.100.1
|}

Save and Apply Changes.

=== Verifying WAN2 Connectivity ===

After adding a new WAN, the fastest way to verify it’s online is by browsing to '''Status > Gateways'''. It should show green and online there. To verify Internet connectivity, browse to '''Diagnostics > Ping'''. Enter any Internet host that replies to pings in the “Host” box (such as google.com), choose Source Address '''WAN2''', and click Ping. You should receive replies.

== Configuring DNS Servers ==

At least one DNS server must be reachable via each WAN so a single connection's failure doesn't result in DNS failing.

* In a production environment, at least one DNS server should be assigned to each WAN.
* In this lab network, DNS servers are local to the WAN and WAN2 networks, so we will not assign them to specific gateways.

Browse to '''System > General Setup'''. There you will see the existing entry for 192.0.2.1. In a real production environment, you may consider assigning this to GW_WAN, however that is not possible or necessary here as 192.0.2.1 exists in the same network as the WAN.

Add '''198.51.100.1''' as a secondary DNS server. In a real production environment, you may consider assigning this to GW_WAN2, however that is not possible or necessary here as 198.51.100.1 exists in the same network as the WANs.

Click Save.

== Configuring Monitor IPs ==

The system will ping its monitor IP for each gateway to determine gateway status. By default, the gateway's IP is used. For multi-WAN scenarios, that is probably not a good choice.

* Your default gateway may be a local router within your facility, unlikely to ever go down when your Internet goes down.
* Or problems in your ISP's network further upstream could cause loss of connectivity.
* Using an IP out on the Internet as the monitor IP offers a better test of connectivity.

Use of anycasted IPs is best:
* Google public DNS: 8.8.8.8 and 8.8.4.4
* OpenDNS: 208.67.220.220 and 208.67.222.222

Browse to '''System > Routing'''. Edit '''GW_WAN'''. For monitor IP, fill in '''8.8.8.8'''. Save. Then edit '''GW_WAN2''', and set its monitor IP to '''8.8.4.4'''. Save, then Apply Changes.

== Configuring Gateway Groups ==

Configure three gateway groups for use at HQ:
# One that prefers WAN and fails over to WAN2.
# One that prefers WAN2 and fails over to WAN.
# One that load balances across both.

Browse to '''System > Routing''', and click the '''Groups''' tab. Click '''+Add''' to add a new group.

=== WAN to WAN2 ===

This gateway group prefers WAN (tier 1) and fails over to WAN2 (tier 2). Then click Save.

=== WAN2 to WAN ===

Click the duplicate symbol to the right of the WANtoWAN2 group to create a new group based on this one, then flip the tiers, group name and description. This prefers WAN2, and fails over to WAN.

=== Load Balance ===

This load balances across both WAN and WAN2. If a WAN fails, it's removed from the load balancing pool.

== Configure NAT for Multi-WAN ==

The NAT configuration is all on a per-interface basis, specifying one particular interface and having IP information that's specific to that interface. When you add a new WAN, you also need NAT configuration specific to that new WAN.

=== Configuring Virtual IPs on WAN2 ===

WAN2 will have 3 virtual IPs configured as IP aliases:

{| class="wikitable"
! IP/mask !! Description
|-
| 198.51.100.4/32 || server1 WAN2 external address
|-
| 198.51.100.5/32 || server2 WAN2 external address
|-
| 198.51.100.6/32 || extra WAN2 external address
|}

Repeat the process for the remaining IPs.

=== Configuring Port Forwards on WAN2 ===

To open the same ports on WAN2 as on WAN, duplicate the existing port forward entries and change their interface from WAN to WAN2.

Browse to '''Firewall > NAT''', '''Port Forwards''' tab. Click the duplicate symbol to the right of the “VNC to hqclient” entry. In the resulting screen, change the interface from WAN to WAN2. Note how the destination address automatically changes to “WAN2 address.” Verify that change, update the description if desired, then save.

Repeat that process for the port 222 SSH port forward to hq-client.

=== Configuring 1:1 NAT on WAN2 ===

Configure 1:1 NAT for server1 and server2 on WAN2.

{| class="wikitable"
! Setting !! server1 !! server2
|-
| Interface || WAN2 || WAN2
|-
| External IP || 198.51.100.4 || 198.51.100.5
|-
| Internal IP || 172.17.2.10 || 172.17.2.20
|-
| Description || server1.example.com WAN2 || server2.example.com WAN2
|}

Save and apply changes.

=== Configuring Outbound NAT on WAN2 ===

Since the configuration is using manual outbound NAT, add outbound NAT rules for WAN2.

Browse to '''Firewall > NAT''', '''Outbound''' tab. Click the duplicate symbol to the right of “hq-client out via .6” to add a new entry based on that one. Change the interface to WAN2, and the Translation address to 198.51.100.6.

Repeat the same process for the two other outbound NAT rules.

== Configuring WAN2 Firewall Rules ==

We want the same external access on WAN2 as is already active on WAN, permitting certain traffic through the 1:1 NATs for server1 and server2. Interface groupings do not support return routing at this time, so the rules must be kept on each WAN separately.

Browse to '''Firewall > Rules''', WAN tab. Click the duplicate symbol to the right of “allow web ports to public web servers” to duplicate it, change the interface from WAN to WAN2, and click Save. Because the NAT applies first, the firewall rule is otherwise identical to the one on WAN.

Repeat the same process for rules “allow pings to public web servers” and “allow SSH to web servers from remote admin.”

== Configure Firewall Rules for Outbound Traffic ==

In a multi-WAN environment, outbound traffic is directed to a particular WAN or gateway group via policy routing with firewall rules.

=== Test WAN2 with Single Client ===

First, send only HQ-client out via WAN2. It's generally best to first test a new WAN with a single client.

Browse to '''Firewall > Rules''', LAN tab, and click Add to add a rule to the top of the list:

{| class="wikitable"
! Setting !! Value
|-
| Action || Pass
|-
| Interface || LAN
|-
| Protocol || any
|-
| Source || Single host or alias, 172.17.1.100
|-
| Destination || any
|-
| Description || hq-client1 prefer WAN2
|-
| Gateway (Advanced Options) || WAN2toWAN
|}

Save and apply changes.

=== Testing LAN out WAN2 ===

Open hq-client1's web browser and browse to http://100.64.0.50. You should be able to connect, and see you're coming from 198.51.100.6, the WAN2 VIP where hq-client1 is NATed.

=== Configure LAN for Failover Group ===

The “hq-client1 prefer WAN2” rule was only for testing. Delete that rule now.

Then edit the “Default allow LAN to any” rule, and choose Gateway '''WANtoWAN2'''. Verify Internet connectivity is still functioning from hq-client1.

=== LAN to DMZ Connectivity ===

Try to ping 172.17.2.10 from hq-client1. You won't receive a successful reply because traffic matching a firewall rule specifying a gateway is forced to that gateway. The attempt to get to DMZ is actually being sent to the WAN ISP's router, which can't route internal traffic.

=== Add LocalNetworks Alias ===

Add an alias containing destinations that will not be policy-routed to the Internet.

Browse to '''Firewall > Aliases''' and click '''+Add''':

{| class="wikitable"
! Setting !! Value
|-
| Name || LocalNetworks
|-
| Description || networks that will not be policy routed to Internet
|-
| Type || Network
|-
| Network 1 || 172.17.0.0/16 (HQ)
|-
| Network 2 || 172.18.0.0/16 (branch)
|}

Save and apply changes.

=== Add Firewall Rule for Negation ===

Browse to '''Firewall > Rules''', LAN, and click Add to add a new rule to the top of the list:

{| class="wikitable"
! Setting !! Value
|-
| Action || Pass
|-
| Interface || LAN
|-
| Protocol || any
|-
| Source || LAN net
|-
| Destination || Single host or alias, LocalNetworks alias
|-
| Description || allow local networks with no policy routing
|-
| Gateway || Leave at default
|}

Start a new ping to 172.17.2.10 and it will reply. If you still aren't getting a ping reply, it's probably because of an old firewall state. Reset states under '''Diagnostics > States''', or delete those specific states, and try again.

== Default Gateway Switching ==

At this point, all traffic sourced from inside the LAN or DMZ destined for the internet will follow the policy route. However, the default route on the firewall is still pointing to WAN1. In the event of a WAN1 failure, traffic sourced by the firewall itself will not be able to reach the internet.

Navigate to '''System > Routing''' and set '''Default gateway IPv4''' to '''Automatic''' and click Save.

== Testing Failover ==

Now that failover is configured, it's important to test it. Create a failure on WAN to verify it switches over to WAN2.

In the virtual lab environment, shutdown the WAN1 NIC on “Lab Internet router.” Point your web browser to your Lab Internet Router (http://100.64.0.1) and browse to '''Interfaces > HQ_WAN1'''. Uncheck the Enable box at the top and click OK, then Apply.

Now browse to '''Status > Gateways''' on fw1-HQ. Within a few seconds, WAN should show as offline. Once it does, try to browse out from LAN to the Internet. You should now be using WAN2.

Once tested, normalize your lab by logging back into your Lab Internet Router (http://100.64.0.1) and check the Enable box in the HQ-WAN1 interface. Your WAN gateway should then come back online.

This completes the multi-WAN lab.

----

<div style="background:#f0f0f0;border:1px solid #ccc;padding:8px;">
'''Source:''' Netgate pfSense Plus Fundamentals and Practical Application — Lab 8 (Multi-WAN).<br/>
© 2021 Rubicon Communications, LLC (Netgate).<br/>
'''Reference WAN2 IP:''' 198.51.100.2/24, Gateway: 198.51.100.1
</div>

'''Previous Module:''' [[Training:_Multi-WAN|Training: Multi-WAN]]

Training Lab 8: Multi-WAN - Revision history