pfSense: NAT firewall rules for Multi-WAN setups
This guide assumes that you have set up gateway groups with the appropriate tiers, as well as DDNS. For my setup, I have 3 tiers (fiber, coaxial, and LTE through a VPN to a VPS provider) and I use Cloudflare as my DDNS provider. Both are needed for this to work properly. In order for this to work with only one rule, you need to make an alias.
Why the script?
The way pfSense handles multi-WAN is… interesting, to say the least. To save yourself from duplicating the rules for each interface, it's advised to set up an alias and have every NAT and inbound WAN rule use it. Well, in the land of IPv6 and most IPv4 setups, those addresses change all the time. This script ensures that the alias is always up to date with the latest WAN addresses.
Obtaining and modifying the script
You can get the script from my github here: https://github.com/Grassyloki/Pfsense-Update-ip-alias
Edit the following variables at the top of the script:
# Configuration
WAN_INTERFACES="wan wan2 ovpnc1" # Your WAN interfaces
ALIAS_NAME="WAN_IPS" # Name of the pfSense alias
ALIAS_DESC="WAN IP Addresses" # Description for the alias
Adjust the WAN_INTERFACES variable to list all your WAN interfaces. For example:
wan – Main WAN interface
igb0 – Physical interface name
vlan.100 – VLAN interface
ovpnc1 – OpenVPN client interface
You can obtain the interface aliases in Interfaces -> Assignments in the web GUI or with the ifconfig command on the command line.
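As an added example (not the script from the repository above), here is the address-collection half of such a script as a POSIX sh function: it pulls the global unicast IPv4 and IPv6 addresses of the named interfaces out of FreeBSD-style ifconfig output and drops link-local, loopback and tentative entries, which a NAT destination could never usefully match. It assumes physical interface names (igb0, ovpnc1) and a constructed ifconfig sample; writing the result into the pfSense alias is left to the real script.

```shell
#!/bin/sh
# Added example, not the repository's script: collect usable WAN addresses
# from FreeBSD-style ifconfig output for a pfSense alias. Interface names
# (igb0, ovpnc1) and the ifconfig text below are constructed sample data.

# wan_addrs "IFACE1 IFACE2 ..."  < ifconfig-output
# Prints one global unicast address per line for the listed interfaces.
wan_addrs() {
    awk -v want="$1" '
        BEGIN { n = split(want, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
        { ip = "" }                                   # reset per line
        /^[a-z0-9_.]+: flags=/ { cur = $1; sub(/:$/, "", cur); next }  # interface header
        !(cur in keep) { next }                       # not one of the WAN interfaces
        /^[ \t]+inet / { ip = $2 }                    # IPv4: "inet A.B.C.D netmask ..."
        /^[ \t]+inet6 / { ip = $2; sub(/%.*/, "", ip) }  # IPv6: strip the %scope suffix
        /tentative|deprecated/ { next }               # DAD not finished / address on its way out
        ip != "" && ip !~ /^fe80:/ && ip != "127.0.0.1" && ip != "::1" { print ip }
    '
}

# alias_value "IFACES" < ifconfig-output
# Sorted, deduplicated, space-separated list: stable across runs, so the
# caller can compare it with the previous value before touching the config.
alias_value() {
    wan_addrs "$1" | LC_ALL=C sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Constructed sample: one public WAN (with link-local and tentative IPv6),
# a LAN interface that must be ignored, an OpenVPN client WAN and loopback.
SAMPLE_IFCONFIG='igb0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 203.0.113.5 netmask 0xfffffe00 broadcast 203.0.113.255
        inet6 fe80::1%igb0 prefixlen 64 scopeid 0x1
        inet6 2001:db8:1::5 prefixlen 64
        inet6 2001:db8:1::6 prefixlen 64 tentative
igb1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.50.10 netmask 0xffffff00 broadcast 192.168.50.255
ovpnc1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        inet 10.8.0.2 --> 10.8.0.1 netmask 0xffffffff
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000'

# Demo on the sample; on a real box: ifconfig | alias_value "igb0 ovpnc1"
printf '%s\n' "$SAMPLE_IFCONFIG" | alias_value "igb0 ovpnc1"
echo
```

Only rewrite the alias and reload the filter when the value actually differs from the previous run; an hourly unconditional reload drops nothing but is needless churn on the firewall.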
Install the alias script
SSH to the host and put the script in a folder accessible to the chosen user. I put mine in /root/.
Next, run the script and verify that the alias output matches your config.
Navigate to Services -> Cron, then make a new entry. For my config, these are the settings I'm using:
Add A Cron Schedule
  Minute: 12
  Hour: *
  Day of the Month: *
  Month of the Year: *
  Day of the Week: *
  User: root
  Command: /bin/sh /root/update_wan_alias.sh
This cron job runs every hour at the 12-minute mark. Adjust it however you see fit; you can test values at https://crontab.guru
Set the firewall rules
For each rule, set the Interface to your interface group (for me this is WANs) and the Destination to the alias created by the script, in my case WAN_IPS:
Edit Redirect Entry
  Disabled: [ ] Disable this rule
  No RDR (NOT): [ ] Disable redirection for traffic matching this rule
  Interface: WANs
  Address Family: IPv4
  Protocol: TCP/UDP
  Source: (Display Advanced)
  Destination: [ ] Invert match; Address or Alias; WAN_IPS
Repeat this for every rule you have going to your primary WAN and you should be good to go. Feel free to cause a manual failover to test the records. If you have any questions, post them below.