Multi-WAN and NAT

The default NAT rules generated by pfSense translate any traffic leaving a WAN-type interface to that interface's IP address. In a default two-interface LAN and WAN configuration, pfSense NATs all traffic from the LAN subnet leaving the WAN interface to the WAN IP address. Adding more WAN-type interfaces extends this: traffic leaving any WAN-type interface is translated to that interface's IP address. This is all handled automatically unless Manual Outbound NAT is enabled.

Policy routing firewall rules direct the traffic to the WAN interface used, and the Outbound and 1:1 NAT rules specify how the traffic will be translated as it leaves that WAN.

Multi-WAN and Manual Outbound NAT

If Manual Outbound NAT must be used with multi-WAN, ensure NAT rules are configured for all WAN-type interfaces. A WAN interface without a matching outbound NAT rule sends traffic out with its original private source address, and the upstream network will drop it or be unable to route the replies back.

Multi-WAN and Port Forwarding

Each port forward applies to a single WAN interface. A given port can be opened on multiple WAN interfaces by using multiple port forward entries, one per WAN interface. The easiest way to accomplish this is:

  • Add a port forward on the first WAN connection as usual
  • Click the copy icon to the right of that entry to add another port forward based on the selected one
  • Change the Interface to the desired WAN
  • Click Save

The reply-to keyword in pf, used on WAN-type interface rules, ensures that when traffic comes in over a specific WAN interface, the return traffic goes back out the way it came into the firewall, through that WAN's gateway rather than the default route. So port forwards can be actively used on all WAN interfaces at any time, regardless of any failover configuration that may be present. This is especially useful for mail servers, as an address on a secondary WAN can be used as a backup MX, allowing the site to receive mail even when the primary line is down. This behavior is configurable; for information on this setting, see Disable Reply-To.
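The following pf.conf fragment is an added illustration of the two points above, written for this page; it is not output generated by pfSense. It assumes interface names em0 (LAN), em1 (first WAN) and em2 (second WAN), documentation-range addresses for the WAN gateways, a LAN subnet of 192.168.1.0/24 and an internal mail server at 192.168.1.25. It shows the per-WAN outbound NAT rules that Manual Outbound NAT must include, the SMTP port forward duplicated once per WAN, and the matching pass rules carrying reply-to so that connections arriving on the second WAN are answered through the second WAN's gateway.

```pf
# Added illustrative pf.conf fragment (not pfSense-generated rules).
# Assumed interface names, addresses and subnets:
lan_if  = "em0"
wan1_if = "em1"   # primary WAN, gateway 203.0.113.1
wan2_if = "em2"   # secondary WAN, gateway 198.51.100.1
wan1_gw = "203.0.113.1"
wan2_gw = "198.51.100.1"
lan_net = "192.168.1.0/24"
mail_srv = "192.168.1.25"

# Outbound NAT: one rule per WAN-type interface. With Manual Outbound NAT,
# leaving out the WAN2 rule means LAN traffic policy-routed out WAN2 exits
# with its private source address and is dropped upstream.
nat on $wan1_if inet from $lan_net to any -> ($wan1_if)
nat on $wan2_if inet from $lan_net to any -> ($wan2_if)

# Port forward for SMTP, one entry per WAN (the "copy the entry and change
# the Interface" step from the procedure above).
rdr on $wan1_if inet proto tcp from any to ($wan1_if) port 25 -> $mail_srv port 25
rdr on $wan2_if inet proto tcp from any to ($wan2_if) port 25 -> $mail_srv port 25

# The pass rules match the already-translated destination and carry reply-to,
# so replies to a connection that arrived on WAN2 go back via WAN2's gateway
# even while WAN1 holds the default route. Without reply-to they would leave
# via WAN1 carrying WAN2's address as source and be dropped on the way back.
pass in quick on $wan1_if reply-to ($wan1_if $wan1_gw) inet proto tcp from any to $mail_srv port 25 flags S/SA keep state
pass in quick on $wan2_if reply-to ($wan2_if $wan2_gw) inet proto tcp from any to $mail_srv port 25 flags S/SA keep state
```

The rdr lines rewrite the destination before filtering, so the pass rules are written against the internal server address rather than the WAN address. Removing the reply-to option from the WAN2 rule reproduces the failure mode that the Disable Reply-To setting exposes: inbound connections on WAN2 are accepted, but their replies are routed by the default gateway.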

Multi-WAN and 1:1 NAT

1:1 NAT entries are specific to a single WAN interface and, like outbound NAT, only control what happens to traffic as it leaves an interface. Internal systems can be configured with a 1:1 NAT entry on each WAN interface, or with a 1:1 entry on one or more WAN interfaces while using the default outbound NAT on the others. Where 1:1 entries are configured, they always override any other Outbound NAT configuration for that specific interface.

If a local device must always use a 1:1 NAT entry on a specific WAN, then traffic from that device must be forced to use that specific WAN gateway with a policy routing firewall rule on the internal interface; otherwise, when the device's traffic follows the default route or a failover group onto another WAN, it leaves under that WAN's outbound NAT and interface address instead of the 1:1 address.
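As an added illustration of the two paragraphs above, again written for this page rather than taken from pfSense's generated ruleset, the fragment below pins one internal server to a 1:1 mapping on the first WAN. It assumes interfaces em0 (LAN), em1 (first WAN, gateway 203.0.113.1) and em2 (second WAN), a server at 192.168.1.50 and a dedicated public address 203.0.113.50 on the first WAN; all of these names and addresses are assumptions.

```pf
# Added illustrative pf.conf fragment (not pfSense-generated rules).
# Assumed interface names, addresses and subnets:
lan_if  = "em0"
wan1_if = "em1"
wan2_if = "em2"
wan1_gw = "203.0.113.1"
lan_net = "192.168.1.0/24"
srv_int = "192.168.1.50"
srv_ext = "203.0.113.50"   # public address on WAN1 dedicated to the server

# 1:1 NAT on WAN1 only. binat takes precedence over the outbound NAT rule
# below for the server's traffic leaving WAN1, and also maps inbound traffic
# for srv_ext to srv_int.
binat on $wan1_if inet from $srv_int to any -> $srv_ext

# Default-style outbound NAT on both WANs. WAN2 has no 1:1 entry, so any of
# the server's traffic that exits WAN2 is translated to WAN2's interface
# address, not to srv_ext.
nat on $wan1_if inet from $lan_net to any -> ($wan1_if)
nat on $wan2_if inet from $lan_net to any -> ($wan2_if)

# Policy routing: force the server out WAN1 so it always hits the 1:1 entry.
# This rule must precede the general LAN rule, which follows the system's
# default route (or a failover gateway group) and could pick WAN2.
# Trade-off: if WAN1 is down the server's traffic is still sent to WAN1's
# gateway and fails, which is exactly what "always use this 1:1 entry" implies.
pass in quick on $lan_if route-to ($wan1_if $wan1_gw) inet from $srv_int to any keep state
pass in quick on $lan_if inet from $lan_net to any keep state
```

To let the server fail over to WAN2 while keeping the 1:1 address whenever WAN1 is up, add a second binat entry for the server on WAN2 with a WAN2 address and point the route-to at a gateway group instead of a single gateway; without a 1:1 entry on WAN2, failover silently changes the server's public source address.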