{"id":1218,"date":"2025-05-30T22:00:44","date_gmt":"2025-05-31T06:00:44","guid":{"rendered":"https:\/\/angrysysadmins.tech\/?p=1218"},"modified":"2025-05-30T22:00:44","modified_gmt":"2025-05-31T06:00:44","slug":"pfsense-nat-firewall-rules-for-multi-wan-setups","status":"publish","type":"post","link":"https:\/\/angrysysadmins.tech\/index.php\/2025\/05\/grassyloki\/pfsense-nat-firewall-rules-for-multi-wan-setups\/","title":{"rendered":"pfSense: NAT firewall rules for Multi-WAN setups"},"content":{"rendered":"

This guide assumes that you have setup Gateway groups with the appropriate tiers as well as DDNS setup. For my setup, I have 3 tiers (Fiber, coaxial, and LTE through a VPN to a VPS provider) and I use Cloudflare as my DDNS provider. Both are needed for this to work properly. In order this work with only 1 rule, you need to make an alias.<\/p>\n

Why the script?<\/h2>\n

The way pfSense handles multi WAN is… interesting to say the least. In order to save yourself from duplicating the rules for each interface, its advised to set an alias and have every NAT and inbound WAN rule use it. Well, in the land of IPv6 and most IPv4 setups, those addresses change all the time. This script ensures that the alias is always up to date with the latest WAN addresses.<\/p>\n

Obtaining and modifying the script<\/h2>\n

You can get the script from my github here: https:\/\/github.com\/Grassyloki\/Pfsense-Update-ip-alias<\/a><\/p>\n

Edit the following variables at the top of the script:<\/p>\n

\n
# Configuration<\/span>\r\nWAN_INTERFACES=\"<\/span>wan wan2 ovpnc1\"<\/span><\/span>  # Your WAN interfaces<\/span>\r\nALIAS_NAME=\"<\/span>WAN_IPS\"<\/span><\/span>              # Name of the pfSense alias<\/span>\r\nALIAS_DESC=\"<\/span>WAN IP Addresses\"<\/span><\/span>     # Description for the alias<\/span><\/pre>\n<\/div>\n
Adjust the WAN_INTERFACES<\/code> variable to list all your WAN interfaces. For example:<\/p>\n