We're trying to replace an Endian firewall with a ClearOS based one.

We have 3 WAN interfaces and 2 LAN interfaces (one of which is a VLAN aliased on the single physical LAN interface; the VLAN is for public wifi access). We don't want auto-failover, and we don't want balancing; we just want three WAN interfaces routing traffic based on where it originated.

On each of the 3 WAN interfaces we have a static block of IPs, and each one should be 1-to-1 NATed to internal IPs. Traffic arriving on a particular WAN interface will naturally return via that interface. Any traffic originating on our LAN from any IP other than those which are 1:1 mapped should be routed via the default gateway (which is one specific WAN interface).

However, what is happening is that while I can see traffic arriving from the WAN interfaces, anything destined to a 1-to-1 NAT just disappears. I can see it in tcpdump arriving, but it never exits the firewall onto the LAN; no traffic is being 1-to-1 NATed. I also noticed that the NTP server is listening on ALL interfaces, including these 1-to-1 NAT interfaces, when we only want it responding to NTP requests from inside the LAN. Second, even though the default gateway is set correctly, all traffic is routing via one of the other WAN interfaces instead by default, if it's routing at all.

What could be causing 1-to-1 NATs to not actually pass through and NAT to the internal IPs? Why is traffic routed (when it makes it that far) out the wrong WAN?
Thursday, December 15 2016, 02:12 AM
Responses (1)
  • Accepted Answer

    Thursday, December 15 2016, 12:53 PM
    I can't help with MultiWAN and 1-to-1 NAT, but I wouldn't worry about NTP. Although it is listening on all interfaces, the firewall should not let in requests from the WAN, but it will let in replies to requests NTP sends out to upstream NTP servers.
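The setup the question asks for (three WAN uplinks, 1:1 NAT per uplink, return and outbound traffic from a mapped host leaving via the uplink that owns the mapping, everyone else via one default WAN) and the INPUT behaviour the accepted answer describes for NTP (reachable only from the LAN, upstream replies still accepted as ESTABLISHED) are shown below as a plain-Linux iproute2 + iptables script. This is an added example, not ClearOS's own configuration or anything the poster ran; every interface name, address, table number and the port-wide FORWARD hole for the mapped hosts are assumptions, and `DRY_RUN=1` prints the commands instead of executing them so it can be read offline.

```shell
#!/bin/sh
# Added example (not ClearOS's configuration): source-based multi-WAN routing
# with 1:1 NAT, on plain Linux. All names and addresses below are assumptions.
#
# Assumed layout:
#   LAN        eth0     10.0.0.0/24
#   guest VLAN eth0.10  10.0.10.0/24
#   WAN1       eth1     203.0.113.0/29   gw 203.0.113.1   (default for everyone else)
#   WAN2       eth2     198.51.100.0/29  gw 198.51.100.1
#   WAN3       eth3     192.0.2.0/29     gw 192.0.2.1
#
# DRY_RUN=1 prints the commands instead of executing them.
DRY_RUN="${DRY_RUN:-}"
run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

LAN_NETS="10.0.0.0/24 10.0.10.0/24"

# wan_table IFACE SUBNET GW TABLE
# The main table keeps the ordinary default route (via WAN1); tables 1..3 hold
# only a default route via that WAN's own gateway.
wan_table() {
  run ip route replace default via "$3" dev "$1" table "$4"
  # Packets sourced from the WAN's own public block (services on the firewall
  # itself, e.g. the reply half of an NTP exchange) leave via that WAN.
  run ip rule add from "$2" lookup "$4" pref 200
}

# one_to_one IFACE PUBLIC_IP INTERNAL_IP TABLE
one_to_one() {
  # Inbound: DNAT to the internal host. Outbound from that host: SNAT to its
  # public address on its own uplink.
  run iptables -t nat -A PREROUTING -i "$1" -d "$2" -j DNAT --to-destination "$3"
  run iptables -t nat -A POSTROUTING -s "$3" -o "$1" -j SNAT --to-source "$2"
  # The routing decision is taken before POSTROUTING NAT, so replies (and new
  # connections) from the internal host still carry their private source here.
  # This rule sends them out the WAN that owns the mapping instead of the default.
  run ip rule add from "$3" lookup "$4" pref 300
  # Assumption: the mapped host is reachable on all ports; narrow with --dport.
  run iptables -A FORWARD -i "$1" -d "$3" -m conntrack --ctstate NEW -j ACCEPT
}

build_firewall() {
  run sysctl -w net.ipv4.ip_forward=1
  # Strict reverse-path filtering (rp_filter=1) drops a packet whose source
  # would be routed out a different interface; loose mode (2) keeps the
  # spoofing check but tolerates several uplinks.
  for i in eth1 eth2 eth3; do run sysctl -w "net.ipv4.conf.$i.rp_filter=2"; done

  # LAN-to-LAN and LAN-to-guest traffic must never be sent to a WAN table.
  for net in $LAN_NETS; do run ip rule add to "$net" lookup main pref 100; done

  # INPUT: the firewall's own services. NTP answers only LAN sources; the
  # firewall's own queries to upstream servers get their replies back as
  # ESTABLISHED, which is the behaviour the accepted answer describes.
  run iptables -P INPUT DROP
  run iptables -A INPUT -i lo -j ACCEPT
  run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  for net in $LAN_NETS; do run iptables -A INPUT -s "$net" -p udp --dport 123 -j ACCEPT; done

  # FORWARD: LAN may go anywhere; from the WANs only replies and 1:1 holes.
  run iptables -P FORWARD DROP
  run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  for net in $LAN_NETS; do run iptables -A FORWARD -s "$net" -j ACCEPT; done

  wan_table eth1 203.0.113.0/29  203.0.113.1  1
  wan_table eth2 198.51.100.0/29 198.51.100.1 2
  wan_table eth3 192.0.2.0/29    192.0.2.1    3

  one_to_one eth1 203.0.113.2  10.0.0.2 1
  one_to_one eth2 198.51.100.2 10.0.0.3 2
  one_to_one eth3 192.0.2.2    10.0.0.4 3

  # Everyone else on the LAN masquerades out the default WAN. The per-host
  # SNAT rules above were appended first, so they still win for mapped hosts.
  run iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
}

# Usage: DRY_RUN=1 sh multiwan.sh apply   (print)   |   sh multiwan.sh apply (as root)
if [ "${1:-}" = "apply" ]; then build_firewall; fi
```

Two things worth checking on any box that behaves like the one in the question: `ip rule show` should list the `to <LAN>` rules ahead of the per-WAN ones (otherwise mapped hosts lose LAN connectivity), and `sysctl net.ipv4.conf.<wan>.rp_filter` should not be 1 on a multi-uplink router, since strict reverse-path filtering silently drops packets that tcpdump still shows arriving.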