Read this thread
http://forum.pfsense.org/index.php/topic,67045.0.html

quote>–-So that part is working until I get to the public IP addresses that were assigned to me. 209.37.20.65/27 ( made up the ip addresses but they are similar) I cannot figure out how or what I am doing at this point.

this circuit I has a block of IP addresses in the class c range that are supposed to be routed to the other Public Ip in the A class that they gave me. I tried putting in the 12.x.x.x ip address as the DG and using the first IP address in the C class as the IP on the WAN interface. I then put the remaining IP addresses as IP Aliases under CARP settings. I can ping the public IP addresses from the LAN side but cannot ping from a different circuit on the WAN side. When I do trace route it is one hop.

In review. When I use the 12.x.x.x settings the circuit will start routing and work. Once I told the ATT rep that that was working he went ahead and assigned me the block of IP addresses in the class C range. So I assumed they use the 12.x.x.x to provision the circuit, test it out and then assign the real IP addresses but using the Class C settings as I have for many years results in no surfing. The only thing I could get from the tech was I need to put the 12.x.x.x IP address as the DG. The graphic below is a sample config from a Cisco


have you tried searching the forums? believe it or not, you are not the first one to have these problems. :)

http://forum.pfsense.org/index.php?topic=44529.0

CMB said this in the thread above: Microsoft finally dropped some code to provide proper FreeBSD support, which we'll integrate when we get to a base version that supports it (2.2). In the mean time, hyper-v isn't a great option.

Hi ssheikh, thanks a lot for your swift reply!

I'll ask to enable the promiscuous mode only for WAN, LAN and OPT1 (DMZ) interfaces, than.

Kind regards,

Luigi

Your NAT rules should not apply NAT to traffic originating from the firewall itself. (e.g. you do NOT want a source of "any" on NAT rules, but the LAN subnet or an alias of your internal subnets)

Found the answer –> http://forum.pfsense.org/index.php/topic,66838.0.html

Well, the solution is the same :)
You do SNAT to virtual IP.

Create alias with the virtual IP, then do Outbound NAT:
IF Source is your WAN_IP THEN Translate address to VIP_ALIAS

It's not possible to utilize both CARP nodes at the same time for outbound traffic from the same internal systems.

If your drops were done using LACP to a switch on WAN doing LACP, rather than direct to your individual nodes, it may work, but without two stackable switches there you'd lose some redundancy.

@doktornotor:

So you basically broke a working sensible setup to replace it with this horrible kludge? Uh. Either undo the harm you did, or stick everything on one subnet.

I undid the harm by removing the Virtual IPs, and I did set the IP addresses for each interface since the Virtual IP routine didn't have enough options.

So this pretty much solved the problem.

Thanks.

What about your firewall rules on the lan interface ?

Have a look at this post:

http://forum.pfsense.org/index.php/topic,63309.0.html

@KurianOfBorg:

Definitely sounds like the routing. An IP alias is just like adding an additional IP on your PC. By default, everything binds to it.

There were no routes added manually to the system, so it has to be something with Racoon/ipsec and the way it "takes over" in a sense.

It's exactly the same as it was before, just with a more appropriate name and location. The config options and settings are all the same, the only difference is where the page is located and its name.

how about using 1 pfsense only (without all the CARP things)…...can 1 pfsense ping all the public ip ...?? if not, ISP problem, if yes, your pfsense CARP setup problem.

just try to help…

1. First, make sure on single pfsense server, you can go out to internet....

enable automatic nat, removed all the static nat entries configure you pc gateway point to 192.168.1.252 make sure your pfsense WAN have default gateway point to the router (i noticed your wan gateway is in different subnet ???)

Make sure step 1 is successful before proceed to step 2

2. repeat the above for the second pfsense server and point your pc gateway to 192.168.1.253

3. Configure CARP... make pfsense server 1 Master on both LAN & WAN
point your PC gateway to 192.168.1.254...it should work...

Actually it depends on your setup…..automatic load balance not possible....but you can do manual redirect traffic to different pfsense server based on CARP priority on multiple VLANs setup.

@jimp:

No, but that's not pfSense's fault, it's VMware.

You can make a port group just for the ports of the firewall, and make that promiscuous, and then have another different port group for the clients that is not promiscuous.

Thankx, works great.

@jflsakfja:

I stand corrected on the backup sync settings then. If syncing certificates, wouldn't this also affect the webgui cert? (hostname on backup system is different than the master)

Yes but that is easily solved by either using the same GUI cert for both, or by importing the cert from the secondary to the master before setting up the sync. Then re-select the correct GUI cert after the sync.

Thank you very much. I will try changing this options and tell you how it work.