pfSense: NAT firewall rules for Multi-WAN setups

This guide assumes that you have set up gateway groups with the appropriate tiers, as well as DDNS. For my setup, I have 3 tiers (fiber, coaxial, and LTE through a VPN to a VPS provider) and I use Cloudflare as my DDNS provider. Both are needed for this to work properly. In order for this to work with only 1 rule, you need to make an alias.

Why the script?

The way pfSense handles multi-WAN is… interesting, to say the least. To save yourself from duplicating the rules for each WAN interface, it's advised to create an alias and have every NAT and inbound WAN rule use it. The catch is that in the land of IPv6, and in most IPv4 setups, those addresses change all the time. This script ensures that the alias is always up to date with the latest WAN addresses.

Obtaining and modifying the script

You can get the script from my github here: https://github.com/Grassyloki/Pfsense-Update-ip-alias

Edit the following variables at the top of the script:

# Configuration
WAN_INTERFACES="wan wan2 ovpnc1"  # Your WAN interfaces
ALIAS_NAME="WAN_IPS"              # Name of the pfSense alias
ALIAS_DESC="WAN IP Addresses"     # Description for the alias

Adjust the WAN_INTERFACES variable to list all your WAN interfaces. For example:

  • wan – Main WAN interface
  • igb0 – Physical interface name
  • vlan.100 – VLAN interface
  • ovpnc1 – OpenVPN client interface

You can obtain the interface names in Interfaces -> Assignments in the web GUI or with the ifconfig command on the command line.
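To show the address-collection half of such a script, here is an added example; it is not the update_wan_alias.sh from the author's GitHub repository. It assumes the interface list holds physical names as ifconfig prints them (igb0, ovpnc1, ...) rather than pfSense labels like wan, and it assumes the actual write of the alias into pfSense is handled elsewhere; this part only decides what the alias should contain, skips IPv6 link-local addresses, and checks whether the alias actually changed so a filter reload is only triggered when needed.

```shell
#!/bin/sh
# Added example, not the author's update_wan_alias.sh: collect the global
# addresses of a list of WAN interfaces from FreeBSD-style ifconfig output
# (as on pfSense) and build the entry list for a WAN_IPS-style alias.
# Assumptions: the interface list holds physical names as ifconfig prints
# them (igb0, ovpnc1 ...), and writing the alias into pfSense is done
# elsewhere; this part only decides what the alias should contain.

# Constructed ifconfig output standing in for `ifconfig` on the firewall.
SAMPLE_IFCONFIG='igb0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255
        inet6 fe80::1%igb0 prefixlen 64 scopeid 0x1
        inet6 2001:db8:1::10 prefixlen 64
igb1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 198.51.100.20 netmask 0xfffffe00 broadcast 198.51.100.255
        inet6 fe80::2%igb1 prefixlen 64 scopeid 0x2
ovpnc1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
        inet 10.8.0.2 --> 10.8.0.1 netmask 0xffffffff
        inet6 fe80::3%ovpnc1 prefixlen 64 scopeid 0x3
igb2: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255'

# Print the addresses of the requested interfaces, one per line, in ifconfig
# order. Link-local IPv6 (fe80::/10) is skipped: it is per-link, not
# routable, and never what an inbound NAT rule should match on.
# $1 = ifconfig text, $2 = space-separated interface names.
wan_addrs_from_ifconfig() {
    printf '%s\n' "$1" | awk -v want="$2" '
        BEGIN { n = split(want, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
        /^[^ \t]/ { split($1, f, ":"); cur = f[1]; next }  # "igb0: flags=..." starts a block
        !(cur in keep) { next }                              # not one of the WAN interfaces
        $1 == "inet" { print $2; next }
        $1 == "inet6" && $2 !~ /^fe80:/ { print $2 }
    '
}

# Build the alias entry list: unique, sorted and space-separated, so the
# result is stable regardless of ifconfig ordering and can be compared
# against whatever the alias currently holds.
build_alias_entries() {
    wan_addrs_from_ifconfig "$1" "$2" | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Return 0 (true) when the computed entries differ from the current alias,
# i.e. when a rewrite and filter reload are actually needed.
# $1 = current alias entries, $2 = ifconfig text, $3 = interface names.
alias_needs_update() {
    [ "$(build_alias_entries "$2" "$3")" != "$1" ]
}

# Stand-alone run: show what the alias would hold for three WAN interfaces.
build_alias_entries "$SAMPLE_IFCONFIG" "igb0 igb1 ovpnc1"
```

On the firewall itself you would feed the function the live output of ifconfig instead of SAMPLE_IFCONFIG; the LAN interface igb2 is in the sample only to show that addresses of interfaces not in the list are left out of the alias.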

Install the alias script

SSH to the host and put the script in a folder accessible to the chosen user. I put mine in /root/.

Next, run the script manually and verify that the alias it produces matches your config.

Navigate to Services -> Cron, then make a new entry. For my config, these are the settings I'm using:

  • Minute – 12
  • Hour – *
  • Day of the Month – *
  • Month of the Year – *
  • Day of the Week – *
  • User – root
  • Command – /bin/sh /root/update_wan_alias.sh

This cron job runs every hour at the 12-minute mark. Adjust it however you see fit; you can test values at https://crontab.guru

Set the firewall rules


For each rule, set the Interface to your interface group (for me this is WANs) and the Destination to the alias created by the script (in my case it's WAN_IPS).

Edit Redirect Entry:

  • Disabled – unchecked
  • No RDR (NOT) – unchecked
  • Interface – WANs
  • Address Family – IPv4
  • Protocol – TCP/UDP
  • Source – left at the default
  • Destination – Address or Alias: WAN_IPS (Invert match unchecked)


Repeat this for every rule you have going to your primary WAN and you should be good to go. Feel free to cause a manual failover to test the records. If you have any questions, post them below.


About: Ryan Parker

Professionally I'm an Infrastructure Security Specialist. I currently maintain a homelab with about 3TB of RAM, 240+ TB of storage, tons of CPU cores, and a 100gbit networking backbone in the garage running up my electricity bill.
