Text only | Text with Images

OPNsense Forum

English Forums => General Discussion => Topic started by: metaplop on January 28, 2021, 06:12:21 PM

Title: Multi-wan and port-forward to one server
Post by: metaplop on January 28, 2021, 06:12:21 PM
Hello, I have 2 WAN connections (handled by 2 different opnsenses cluster in different buildings, ie 4 opnsenses in 2 clusters) and a DMZ handled but another opnsense cluster. I would like to make a port-forward from both WAN connections to the same server:

Code Select
   pubip1                                        pubip2
-----------                                  -----------
|  ISP-1  |                                  |  ISP 2  |
-----------                                  -----------
      |                                            |
------------          -------------          ------------
| FW-WAN-1 |----------| FW-DMZ-IN |----------| FW-WAN-2 |
------------   vlan1  -------------   vlan2  ------------
                             | vlan10
                        ------------
                        |  SERVER  |
                        ------------

I can enter from both pubip to the server (port forward OK on WAN openses) but reply (ack packet) goes only to one connexion (to vlan2 in my case).

I tried to play with Sticky connexions, States by interface. I also tried to set local tag on vlan1 incoming packet on FW-DMZ-IN to match reply packets and add a policy routing rule but it seems to be ignored.

Is it possible to do that ? Does anyone has tips ?
Title: Re: Multi-wan and port-forward to one server
Post by: rt050 on January 28, 2021, 07:47:11 PM
Could you clarify what you're trying to achieve?

Do the two wan connections have their own IP?

Sounds like you want a load balance or IP fail over?
Title: Re: Multi-wan and port-forward to one server
Post by: metaplop on February 01, 2021, 12:46:30 AM

Hello, yes two connections have their own ip let's say 1.2.3.4 and 5.6.7.8 and the server 192.168.0.1. I want that fw-wan-1 port-forward pubip1 1.2.3.4:80 to server 192.168.0.1:80 and that fw-wan-2 port-forward pubip2 5.6.7.8:80 to the same server 192.168.0.1:80

Port forward works but reply packets are sent to only fw-wan-2. I want that server's reply to incoming connection from fw-van-1 go to fw-wan-1 and that reply from incoming connection from fw-wan-2 go to fw-wan-2.

In other words: i want some services (http or smtp for example) to be reachable from two different public ips coming from two isp but served by the same server.

Title: Re: Multi-wan and port-forward to one server
Post by: thebull on June 02, 2021, 11:09:00 PM
Is there a solution available? Running in the same issue?
Title: Re: Multi-wan and port-forward to one server
Post by: thebull on June 03, 2021, 10:20:15 AM
Spend some time into this, the solution to have both WAN address responding to the internet. For example host one webserver on 2 WAN connections. Its related to one single note under the NAT help, you need to use "add associated fw rule" instead of pass.

NOTE: The "pass" selection does not work properly with Multi-WAN. It will only work on an interface containing the default gateway.

(https://i.imgur.com/6r4790e.png)

(https://i.imgur.com/W7p10RB.png)
Text only | Text with Images