pfSense English Support > Routing and Multi WAN

Force ISP route over WAN2 to access WAN1 IP from LAN2



I've been using pfSense for almost 8 years now and want to thank everybody for this multitalented and easy to use piece of work.

In my 2WAN/2LAN setup there is one thing I have not been able to get working:

How can I make pfSense route traffic from LAN2 via WAN2 when LAN2 tries to access the public IP of WAN1? I want the traffic to go to the ISP2 and then return via ISP1. I do not want to use something like NAT reflection or split DNS to make it work internally.

I tried the basics first: setting the gateway to WAN2 in a rule for IPv4 traffic from LAN2 to the WAN1 IP. Alternatively I created a rule for IPv4 traffic from LAN2 to "any" with the gateway set to WAN2. I tried it as interface rules and as floating rules. All variants make LAN2 access the web interface of pfSense on port 443 instead when trying to access https://PUBLIC-WAN1IP-HOSTNAME.

But in my configuration the pfSense web interface is not reachable over WAN1 because of port forwarding of 443 to a web server. So the traffic did not leave pfSense via WAN2 to re-enter via WAN1 and get port forwarded. If I disable the rule, access to WAN1:443 is effectively denied for LAN2 by a floating deny-all rule I have in my configuration, so the allow rule is really doing something. Seems to me the internal routing has an "uncanny" priority over the rule gateway in this case.

I tried to find a post matching this scenario but I could not find something that really matches my use case.

If you could give a hint how to proceed I would really appreciate it.


Use a separate router for each ISP!

There is no possibility to route traffic to an IP, which is assigned to an interface of pfSense itself, over another gateway.

That was the configuration I had until 2 months ago, but I needed the public IPs to be on the pfSense side to get unnatted VPN on both WANs.

So maybe I could use 2 pfSense routers, one for each ISP, but how to do the WAN failover - with a 3rd pfSense? (just thinking loud, no answer required)

I will think about it. Thanks for your help, viragomann.


Why would you want to do something like that... So you want traffic to go all the way up your wan pipe to your ISP2, then across the internet and come down your wan 1 pipe to hit an IP on your wan1 interface.. To be forwarded in... WHAT?

Why???  Makes NO sense at all....

That's like saying hey I need to go next door to borrow a cup of sugar... Let me get in my car and drive around the city. Stop at the neighbor's house, then drive all the way back around the city to get back to my house..

I would love to hear how this in anyway shape or form makes a lick of sense...

Hey johnpoz,

the reason is quite simple: testing and saving money. I want to have the perspective of a direct connection to the internet (from LAN2 via WAN2) trying to access WAN1 from the outside without any special firewall rules involved like many people have them at home without leasing a 3rd line myself. This way I can test access to WAN1, e.g. web services and VPN from a "home" perspective. I did this with a 3rd line for many years and there have been some cases where this helped to resolve configuration issues on the client or server side that were not obvious when accessing WAN1 internally from LAN1.

As far as I can see I could still use NAT reflection to simulate the overall behaviour.


