Multi-wan and port-forward to one server

Started by metaplop, January 28, 2021, 06:12:21 PM

Hello, I have 2 WAN connections (handled by 2 different OPNsense clusters in different buildings, i.e. 4 OPNsenses in 2 clusters) and a DMZ handled by another OPNsense cluster. I would like to make a port-forward from both WAN connections to the same server:

   pubip1                                        pubip2
-----------                                  -----------
|  ISP-1  |                                  |  ISP 2  |
-----------                                  -----------
      |                                            |
------------          -------------          ------------
| FW-WAN-1 |----------| FW-DMZ-IN |----------| FW-WAN-2 |
------------   vlan1  -------------   vlan2  ------------
                             | vlan10
                        ------------
                        |  SERVER  |
                        ------------


I can enter from both public IPs to the server (port forward OK on the WAN OPNsenses) but the reply (ACK packet) goes only to one connection (to vlan2 in my case).

I tried to play with sticky connections and states by interface. I also tried to set a local tag on vlan1 incoming packets on FW-DMZ-IN to match the reply packets and add a policy routing rule, but it seems to be ignored.

Is it possible to do that? Does anyone have tips?

Could you clarify what you're trying to achieve?

Do the two WAN connections have their own IP?

Sounds like you want load balancing or IP failover?


Hello, yes, the two connections have their own IPs, let's say 1.2.3.4 and 5.6.7.8, and the server is 192.168.0.1. I want fw-wan-1 to port-forward pubip1 1.2.3.4:80 to the server 192.168.0.1:80 and fw-wan-2 to port-forward pubip2 5.6.7.8:80 to the same server 192.168.0.1:80.

The port forward works, but reply packets are sent only to fw-wan-2. I want the server's reply to an incoming connection from fw-wan-1 to go to fw-wan-1, and the reply to an incoming connection from fw-wan-2 to go to fw-wan-2.

In other words: I want some services (HTTP or SMTP, for example) to be reachable from two different public IPs coming from two ISPs but served by the same server.


Is there a solution available? I'm running into the same issue.

Spent some time on this. The solution is to have both WAN addresses responding to the internet, for example hosting one webserver on 2 WAN connections. It's related to a single note under the NAT help: you need to use "add associated fw rule" instead of "pass".

NOTE: The "pass" selection does not work properly with Multi-WAN. It will only work on an interface containing the default gateway.
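The mechanism behind that note, written out as a hand-made pf.conf fragment. This is an added illustration, not the poster's configuration and not the rule set OPNsense generates verbatim; the interface names, the ISP next-hop addresses and the server address are assumed for the example, and the two variants are alternatives, not meant to be loaded together.

```pf
# Assumed interfaces and addresses for this example (not from the thread):
#   em0 = WAN1 (1.2.3.4), em1 = WAN2 (5.6.7.8), em2 = internal side
ext_if1 = "em0"
ext_if2 = "em1"
int_if  = "em2"
wan1_gw = "1.2.3.1"      # assumed ISP-1 next hop
wan2_gw = "5.6.7.1"      # assumed ISP-2 next hop
server  = "192.168.0.1"  # the forwarded-to server from the thread

# --- Variant A: NAT rule with "pass" selected.
# pf's "rdr pass" admits the packet directly and skips the filter ruleset,
# so the state is created without any reply-to. Replies then follow the
# system default route, which is why this only works on the interface
# that holds the default gateway.
rdr pass on $ext_if1 proto tcp from any to 1.2.3.4 port 80 -> $server port 80
rdr pass on $ext_if2 proto tcp from any to 5.6.7.8 port 80 -> $server port 80

# --- Variant B: NAT rule with "add associated filter rule".
# The rdr only rewrites the destination; a separate filter rule creates
# the state and carries reply-to, so every packet of that state is sent
# back through the gateway of the interface the connection arrived on.
rdr on $ext_if1 proto tcp from any to 1.2.3.4 port 80 -> $server port 80
rdr on $ext_if2 proto tcp from any to 5.6.7.8 port 80 -> $server port 80
pass in on $ext_if1 reply-to ($ext_if1 $wan1_gw) proto tcp from any to $server port 80 keep state
pass in on $ext_if2 reply-to ($ext_if2 $wan2_gw) proto tcp from any to $server port 80 keep state
```

Variant B is the single-firewall case that the NAT help note covers. In the layout drawn at the top of the thread the server's replies go to FW-DMZ-IN, not to the WAN firewalls, so a reply-to on FW-WAN-1 never sees those packets; the decision about which vlan the reply leaves on is made on FW-DMZ-IN, and that is where the equivalent per-state return path would have to be kept.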