pfSense Multi-WAN Configuration: Part Three

pfSense multi-WAN

Advanced Outbound NAT settings in pfSense 2.2.4.

Some multi-WAN configurations require special workarounds because of limitations in pfSense. This article covers those special cases.

Because of the way pfSense distributes traffic over multiple Internet connections using the same gateway IP, you will need to insert a NAT device between all but one of those connections. This is not an elegant solution, but it is a workable one.

pfSense can only accommodate one PPPoE or PPTP WAN connection. Therefore, OPT WAN interfaces cannot use PPPoE or PPTP WAN types. If you need to use PPPoE or PPTP, the best workaround is to use them on your modem or another firewall. Most DSL modems can handle PPPoE and either directly assign your public IP to pfSense or give it a private IP and provide NAT. Public IP passthrough is possible on many modems and is the preferred means of doing this.

pfSense Multi-WAN: NAT Rules

The default NAT rules generated by pfSense will translate any traffic leaving the WAN or an OPT WAN interface to that interface’s IP address. In a default two interface LAN and WAN configuration, pfSense will NAT all traffic leaving the WAN interface to the WAN IP address. The addition of OPT WAN interfaces extends this to NAT any traffic leaving an OPT WAN interface’s IP address. This is the default behavior and is all handled automatically unless Advanced Outbound NAT is enabled. The policy routing rules direct the traffic to the wAN interface used, and the outbound and 1:1 NAT rules specify how the traffic will be translated. If you require Advanced Outbound NAT with multi-WAN, you will need to configure NAT rules for all your WAN interfaces.

When using port forwarding with a multiple WAN setup, keep in mind that each port forward applies to a single WAN interface. A given port can be opened on multiple WAN interfaces by using multiple port forward entries, one per WAN itnerface. The easiest way to accomplish this is to add the port forward on the first WAN connect, then click the plus button to the right of that entry to add another port forward based on that one. Change the interface to the desired WAN interface, and press the Save button.

1:1 NAT entries are specific to a single WAN interface. Internal systems can be configured with a 1:1 NAT entry on each WAN interface, or a 1:1 entry on one or more WAN interfaces and use the default outbound NAT on others. Where 1:1 entries are configured, they always override any other Outbound NAT configuration for the specific interface where the 1:1 entry is configured.

External Links:

Network Load Balancing on Wikipedia

pfSense PPPoE Server Configuration

In previous articles, setting up VPN tunnels in pfSense was discussed, but not how to set up a server using Point-to-Point Protocol over Ethernet for a VPN. In this article, I will describe how to set up a pfSense PPPoE server.

Point-to-Point Protocol Explained

pfSense PPPoE Server

Configuring a PPPoE server in pfSense 2.0.

The Point-to-Point Protocol over Ethernet is a network protocol for encapsulating PPP frames inside Ethernet frames. It was defined in RFC 2516 in February 1999. PPPoE was developed to solve a problem DSL service providers were encountering. In the mid and late 1990s, dialup service using Point-to-Point Protocol (PPP) was the dominant means of connecting to the internet for home users, whereas small office/home office (SOHO) users who did not require or could not afford a T1 or faster but found dialup insufficient gravitated towards Integrated Services Digital Network (ISDN) connections. By 1998, DSL technology was becoming more affordable, but a protocol that would work with DSL and meet the requirements of the typical small business customer that DSL providers envisioned as their typical users did not exist. Such a protocol would have to allow for easily connecting an entire LAN to the internet, providing services on a local LAN accessible from the far side of the connection, and simultaneous access to multiple data sources, among other requirements.

DSL providers, hoping to build upon PPP, already ubiquitous with dialup services, soon gravitated towards PPPoE. Essentially all operating systems at the time had a PPP stack, and the design of PPPoE allowed for a simple shim at the line-encoding stage to convert from PPP to PPPoE, thus enabling vendors to heavily leverage their existing software and deliver products quickly. Moreover, since PPPoE used a different frame type, the DSL hardware could act as a simple bridge, passing some frames and ignoring others. As a result, DSL modems could be much simpler than routers. As of 2013, PPPoE seems to be on the way out, as many providers are implementing other methods of broadband delivery. However, PPPoE continues to be in wide use.

Configuring a pfSense PPPoE Server

pfSense PPPoE Server

The newly-created server now appears in the table at Services -> PPPoE Server.

To enable a pfSense PPPoE server, first navigate to Services -> PPPoE Server, then click on the “plus” button to add a new PPPoE instance. On the next page, check “Enable PPPoE Server“. At “Interface“, choose an interface (you probably want to set it to the WAN interface), and at “Subnet Mask“, input the subnet mask. At “No. PPPoE Users“, enter the maximum number of clients you wish to allow. At “Server Address“, set the address to an unused IP address that pfSense will use to serve PPPoE clients. At “Remote Address Range“, set the range range to the starting unused IP address. The range will run as far as the maximum number of clients specified at “No. PPPoE Users“. At “Description“, enter an appropriate description. At “DNS Servers“, you can enter a set of DNS servers or leave it blank if you want the defaults to be used. Unless you want to use a RADIUS server for authentication, skip past the RADIUS settings and scroll down to “User(s)“. Click on the “plus” button and add at least one username, password, and IP address. When you are done, press the “Save” button to save the settings and the next page, press “Apply changes” button to apply the changes.

pfSense PPPoE Server

Adding a firewall rule for the PPPoE server.

Now, all that remains to be done is to add a firewall rule to allow traffic to permit traffic from PPPoE clients. Navigate to Firewall -> Rules and click on the “PPPoE Server” tab. Once there, click on the “plus” button to add a new rule. At “Action“, choose “Pass“, and at “Interface“, choose “PPPoE VPN“. For “Protocol“, select “any”, and for “Destination“, select the target destination for PPPoE clients (e.g. LAN subnet). You can probably keep “Log packets that are handled by this rule” unchecked, and at “Description“, enter an appropriate description. Finally, press the “Save” button to save changes, and “Apply changes” to apply the changes. Once the rule has been created, our pfSense PPPoE server will be ready for to be accessed.

External Links:

pfSense PPPoE Server Settings at

pfSense Setup: Part Three (WAN and LAN Settings)

In pfSense Setup: Part Two,  I covered General Settings within the pfSense web GUI. In this part, I cover configuring the WAN and LAN interfaces. There are a number of different options here; fortunately, pfSense makes the job easy on us by creating reasonable defaults. From the pfSense web GUI menu, go to Interfaces -> WAN.

pfSense Setup: WAN Interface Settings


The WAN settings page in the pfSense web GUI.

The WAN interface provides your connection to the Internet. To access the WAN, you will need a properly-configured WAN interface and an Internet connection. Typically your Internet connection will be through a cable modem provided by your Internet service provider (ISP), but pfSense will support other connection methods as well.

To configure the WAN interface, browse to Interfaces | WAN. Under “General Configuration”, check Enable Interface. You can change the description of the interface (Description).

The next item is “Type”. Here you can choose the interface type. “Static” requires you to type in the WAN interface IP address. “DHCP” gets the IP address from the ISP’s DHCP server, and is probably what you want to select. “PPP” stands for Point-to-Point Protocol, a protocol used for dialup modem connects as well as T-carrier, E-carrier connections, SONET and SDH connections and higher bitrate optical connections. “PPPoE” stands for Point-to-Point Protocol over Ethernet and is used by a number of DSL providers. “PPTP” stands for Point-to-Point Tunneling Protocol and is a method for implementing virtual private networks (VPNs); unless your WAN interface is a VPN you won’t want to choose this option. “L2TP” stands for Layer 2 Tunneling Protocol, a tunneling protocol also used with VPNs.

The next option is MAC address. Typing in a MAC address here allows you to “spoof” a MAC address. The DHCP servers of ISPs assign IP addresses based on MAC addresses. But they have no way of verifying a MAC address, so by typing a different MAC address, you can “force” your ISP’s DHCP server to give you another IP address. Unless you want to spoof your MAC address, you can leave this field blank. MTU stands for maximum transmission unit. Larger MTUs bring greater efficiency but also greater latency. This should probably be left unchanged. MSS stands for maximum segment size, and specifies the largest amount of data pfSense can receive in a single TCP segment. This also should likely be left unchanged.

The next section is different depending on what you selected for the interface type. If you selected “DHCP”, the options will be “Hostname” and “Alias IP Address”. Hostname can be left blank unless your ISP requires it for client identification, and Alias IP address can also be left blank unless the ISP’s DHCP client needs an alias IP address.

The next section is “Private Networks”. Checking “Block private networks” ensures that 10.x.x.x, 172.16.x.x, and 192.168.x.x addresses, as well as loopback addresses (127.x.x.x) are non-routable. This should be left checked under most circumstances. “Block bogon networks” blocks traffic from IP addresses either reserved or not yet assigned by IANA. This should be left checked as well, for obvious reasons.

Save the options and move on to Interfaces -> LAN.

pfSense Setup: LAN Interface Settings


The LAN settings page in the pfSense web GUI.

Under “General Configuration”, “Enable Interface” should be checked, since unchecking it will prevent the local network from connecting to the router. “Description” allows you to type in a description of the interface.

“Type” allows you to choose an interface type. See the section on WAN settings for an explanation of each of the options. “MAC address” allows you to type in a different MAC address in order to do MAC address spoofing. Again, see the section on WAN interface settings for a more detailed explanation. “MTU” and “MSS” are also explained under WAN settings. “Speed and duplex” allows you to explicitly set speed and duplex mode for the interface; pfSense should autodetect this, so this option should be left unchanged.

If you selected “Static” for the interface, there should be a “Static IP Configuration” section with two options: “IP address” and “Gateway”. With “IP address”, you can change the IP address of the LAN interface (it defaults to

The next section is “Private networks”. The two options are “Block private networks” and “Block bogon networks”. See the section on configuring the WAN interface for detailed explanations of these options.

That does it for WAN and LAN settings. In pfSense Setup: Part Four, I will take a look at setting up an optional interface.

The Rest of the Guide:

Part One (installation from LiveCD)

Part Two (configuration using the web GUI)

Ad Links:

© 2013 David Zientara. All rights reserved. Privacy Policy