[Solved] Can't get Dual WAN SNAT for specific LAN networks to specific WAN

Started by really_lost, August 03, 2025, 04:05:30 PM

August 03, 2025, 04:05:30 PM Last Edit: August 03, 2025, 05:05:49 PM by really_lost Reason: Solved
I'm certain I'm an idiot and I'm missing something obvious.

I have multiple LAN networks.  Until recently my WAN was solely a Comcast Business with static IPs, meaning I have an ipv4 /29 and an ipv6 /59.  I now have a Surf internet fiber connection.  Ultimately, I'd like to have some LANs (WiFi, IOT, wired family computers) use the new fiber connection but have my two server LANs (internal servers and DMZ servers) use the Comcast one.

I have always had Manual Outbound NAT rules working for all networks, along with a few outbound port and inbound port rules.  I don't remember if the need to set explicit Outbound NAT was due to the tutorial I followed for Comcast Business or if it was a desire to block the round robin IP usage.  In any case, it has been working.

I've been trying to just get the WiFi working, and am failing.  Details below, but in a nutshell, WiFi is 192.168.253.0/24 and when setting up a NAT using my new fiber, packet captures show an un-NAT'd 192.168.253.x IP going out my Comcast WAN, which is the default route. 

If I leave the existing Comcast Outbound NAT in place, everything works.  Packet captures show traffic leaving my Comcast WAN interface using the public IP set in that outbound NAT rule.

If I disable the Comcast Outbound NAT and set up a Surf Fiber Outbound NAT, traffic doesn't work.  Packet captures show the un-NAT'd 192.168.253.0/24 IP of devices on WiFi going out the Comcast WAN interface.  Since those are not routable packets, Comcast drops them.

Clearly SNAT isn't working when I'm trying to use Surf fiber.  I can't figure out what I'm doing wrong.

Gateway settings in GUI:


I can ping both the Comcast and Surf upstream gateways.

This screenshot of the Outbound NAT rule for Surf fiber shows the rule disabled, but if I disable the Comcast Outbound rule for WiFi and enable this one, then the WiFi traffic is not SNAT'd and routes out the Comcast default route.


So, while there are likely other things I'll need to tweak, it looks to me like the SNATing is not happening.  I'm certain I'm missing something obvious.


S-NAT has no impact on routing at all.

If you want to route certain traffic to the non-default gateway you need to add a Policy based routing rule.

I am an idiot.

I needed a firewall rule for WiFi right before the default deny that routes all traffic through the Surf gateway.

Quote from: viragomann on August 03, 2025, 05:02:26 PM
S-NAT has no impact on routing at all.

If you want to route certain traffic to the non-default gateway you need to add a Policy based routing rule.

Thanks!  I'd figured that out just before you posted. I hadn't found the documentation on it.