Netgate Discussion Forum
    Problem with firewall and virtual IP addresses.

    General pfSense Questions
    17 Posts, 5 Posters, 3.2k Views
    • williamsilverstein @stephenw10

      @stephenw10 It didn't work.

      • stephenw10 (Netgate Administrator)

        You can't ping the VIP? And you added firewall rules to allow it?

        Perhaps something in the hypervisor is blocking it?

        • SteveITS @williamsilverstein

          @williamsilverstein in general I’d go with 1:1 NAT instead of trying to forward all ports.

          Often in cases like this the server firewall isn’t set to allow connections from outside its subnet but if you disabled the NAT rule and can’t ping pfSense that’s not relevant for that stage.

          Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to reboot, or more depending on packages, CPU, and/or disk speed.
          Upvote 👍 helpful posts!

          • marvosa @SteveITS

            @williamsilverstein, if I'm not mistaken, I believe the VIPs need to have the same mask as your WAN subnet. For example, if your ISP assigns a /29 block to you, the VIPs must also be configured with a /29.

            A previous post stated that your WAN interface is configured in the 192.168.0.0/24 subnet; therefore, you'll need to modify your VIPs to reflect a /24 mask, i.e.:

            192.168.0.86/24
            192.168.0.87/24
            192.168.0.88/24

            • williamsilverstein @marvosa

              @marvosa I had tried that.

              I figured out the problem. I was using an IP alias for the target of the NAT redirect. If I place the actual value into the target, it works. It's a bug.

              The inability to ping was because the Proxmox node firewall was on. I thought I had turned it off.

              • SteveITS @williamsilverstein

                @williamsilverstein hmm, normally there's no problem using an alias as a NAT target. Just one IP in it?

                Note: without outbound NAT or 1:1, outgoing traffic from that host will use the default WAN IP.


                • viragomann @williamsilverstein

                  @williamsilverstein said in "Problem with firewall and virtual IP addresses.":

                  I was using an IP alias for the target of the NAT redirect target.

                  If there are multiple IPs in the alias or its type is network, port forwarding will not work.

                  • stephenw10 (Netgate Administrator)

                    Mmm, you should be able to use an alias there. But, yes, it has to be a single IP.

                    • williamsilverstein @SteveITS

                      @SteveITS I have everything working, but the SSH forward does not work. I can access the server through the webadmin interface, but ssh 192.168.0.86 fails. I tried the first rule:

                      [image attachment]

                      [image attachment]

                      When I try to access webmin through port 12321 it works; from the same address, SSH times out.

                      Any suggestions?

                      • stephenw10 (Netgate Administrator)

                        You should not have a source port set in the port forward for it. The source port is almost always a random ephemeral port.

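The thread surfaces three configuration pitfalls: a VIP whose mask does not match the WAN subnet (marvosa's post), a NAT redirect target alias that is not a single host (viragomann's and stephenw10's posts), and a port forward that pins a source port (the last post above). The following is an added example, not code from the thread or from pfSense, that lints a constructed configuration for all three. The dict layout, field names (`wan`, `vips`, `aliases`, `forwards`, `src_port`, `target`) and the sample addresses are this example's own assumptions, chosen to mirror the thread's 192.168.0.0/24 WAN and .86/.87/.88 VIPs; they are not pfSense's config.xml schema.

```python
import ipaddress

# Constructed sample configuration. The layout is this example's own and
# is NOT pfSense's config.xml schema; WAN/VIP values follow the thread.
SAMPLE_CONFIG = {
    "wan": "192.168.0.10/24",
    # .86 is deliberately given a /32 to reproduce the mask mismatch.
    "vips": ["192.168.0.86/32", "192.168.0.87/24", "192.168.0.88/24"],
    "aliases": {
        "WEBSERVER": {"type": "host", "entries": ["10.0.0.5"]},
        "WEBFARM": {"type": "host", "entries": ["10.0.0.5", "10.0.0.6"]},
        "SERVERS_NET": {"type": "network", "entries": ["10.0.0.0/24"]},
    },
    "forwards": [
        # Works: no source port pinned, single-host alias as target.
        {"descr": "webmin", "proto": "tcp", "src_port": None,
         "dst": "192.168.0.86", "dst_port": 12321,
         "target": "WEBSERVER", "target_port": 12321},
        # Broken as in the thread: source port pinned to 22.
        {"descr": "ssh", "proto": "tcp", "src_port": 22,
         "dst": "192.168.0.86", "dst_port": 22,
         "target": "WEBSERVER", "target_port": 22},
        # Broken: alias holds two hosts, so the redirect has no single target.
        {"descr": "http", "proto": "tcp", "src_port": None,
         "dst": "192.168.0.87", "dst_port": 80,
         "target": "WEBFARM", "target_port": 80},
    ],
}


def check_vip_masks(wan_cidr, vips):
    """Flag VIPs outside the WAN subnet or with a different prefix length."""
    wan = ipaddress.ip_interface(wan_cidr).network
    findings = []
    for vip in vips:
        iface = ipaddress.ip_interface(vip)
        if iface.ip not in wan or iface.network.prefixlen != wan.prefixlen:
            findings.append(
                f"VIP {vip}: expected an address in {wan} with /{wan.prefixlen}"
            )
    return findings


def resolve_target(aliases, target):
    """Return the alias record for a target, treating a literal IP as a
    one-entry host alias."""
    return aliases.get(target, {"type": "host", "entries": [target]})


def check_nat_targets(aliases, forwards):
    """A redirect target must resolve to exactly one host address; a
    network alias or a multi-host alias cannot be used."""
    findings = []
    for fw in forwards:
        alias = resolve_target(aliases, fw["target"])
        if alias["type"] != "host" or len(alias["entries"]) != 1:
            findings.append(
                f"forward '{fw['descr']}': target {fw['target']} resolves to "
                f"{alias['type']} alias with {len(alias['entries'])} entries; "
                "a NAT redirect target must be a single host"
            )
    return findings


def check_source_ports(forwards):
    """Clients use random ephemeral source ports, so a pinned source port
    matches almost nothing and the forward appears to time out."""
    return [
        f"forward '{fw['descr']}': source port {fw['src_port']} is pinned; "
        "leave the source port unrestricted"
        for fw in forwards
        if fw.get("src_port") is not None
    ]


def lint_config(cfg):
    """Run all three checks and return the combined list of findings."""
    return (
        check_vip_masks(cfg["wan"], cfg["vips"])
        + check_nat_targets(cfg["aliases"], cfg["forwards"])
        + check_source_ports(cfg["forwards"])
    )


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG):
        print(finding)
```

Run stand-alone, the script reports one finding per pitfall: the /32 VIP, the two-host WEBFARM target, and the pinned source port on the SSH forward. The webmin forward passes, which matches the thread's observation that webmin on 12321 worked while SSH with a source port set did not.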
                        • williamsilverstein @stephenw10

                          @stephenw10 That was the problem. Thanks.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.