CARP and VIPs NOT working

I'm using pfsense 1.2-BETA-1. I have several public IPs starting from xxx.xxx.xxx.42 to xxx.xxx.xxx.46 with subnet 255.255.255.248. The pfsense box is using IP address xxx.xxx.xxx.43 and I assigned the rest of the IPs (44-46) to several servers that I placed in my DMZ. So I assigned some VIPs with the following configuration:
pfbox:
WAN
- IP : xxx.xxx.xxx.43/29
- Gateway : xxx.xxx.xxx.41
- DNS 1 : 202.133.3.237
- DNS 2 : 202.133.3.7
LAN
- IP : 192.168.0.254/24
DMZ (OPT1)
- IP : 172.16.0.1/24
VIP #1
- Type : CARP
- Interface : WAN
- Address : xxx.xxx.xxx.44/29
- VIP pass : xxxxxxxx
- VHID group : 1
- Advertising Frequency : 0
- Description : win server
win server
- IP : 172.16.0.2
- Subnet : 255.255.255.0
- Gateway : 172.16.0.1
NAT 1:1
- Interface : WAN
- External subnet : xxx.xxx.xxx.44/32 (I can't use external subnet xxx.xxx.xxx.44/29, the pfbox will complain! ???)
- Internal subnet : 172.16.0.2/24
After that I can't connect to the server and I get A LOT of hits in the firewall log to the IP xxx.xxx.xxx.43 (the pfbox IP). I wonder what's wrong: is it the NAT or the VIP, or is there something that I missed?
Any hint would be helpful.
-
Do you have firewall rules on your WAN in place that allow traffic to your server?
-
NAT 1:1
- Interface : WAN
- External subnet : xxx.xxx.xxx.44/32 (I can't use external subnet xxx.xxx.xxx.44/29, the pfbox will complain! ???)
- Internal subnet : 172.16.0.2/24
From the 1:1 NAT screen:
The subnet size specified for the external subnet also applies to the internal subnet (they have to be the same).
You are making a 1:1, so both subnets should be /32 (a single address).
-
I can't make the CARP type VIP with subnet xxx.xxx.xxx.44/32; the pfbox will also complain, it says:
Sorry, we could not locate an interface with a matching subnet for 202.133.1.44/32. Please add an ip in this subnet on a real interface.
And I don't have any firewall rules on the WAN interface that either block or allow the traffic. Any more hints please? :-[
-
If you don't have a rule, everything is blocked by default.
-
Now I'm placing a rule in the firewall to allow traffic from WAN to xxx.xxx.xxx.44 (the VIP) but I still can't connect to the server, is there any rule that I should add? :-[
-
I can't make the CARP type VIP with subnet xxx.xxx.xxx.44/32; the pfbox will also complain, it says:
Sorry, we could not locate an interface with a matching subnet for 202.133.1.44/32. Please add an ip in this subnet on a real interface.
If you are using a CARP VIP, the subnet mask of the VIP should match the subnet mask of the Interface (/29 in your case). The 1-1 NAT should still be a /32 to match one internal and one external address.
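The three constraints the thread arrives at (the CARP VIP keeps the interface's /29, the 1:1 NAT uses /32 on both sides, and nothing reaches the VIP until a WAN pass rule exists because pfSense blocks by default) can be checked mechanically before clicking through the GUI. The following is an added example, not code from the thread or from pfSense: it models the poster's setup in plain Python dictionaries (a constructed layout, not pfSense's config.xml schema) and uses the RFC 5737 documentation range 203.0.113.0/24 in place of the masked xxx.xxx.xxx.x addresses.

```python
"""Constructed sanity checks for the CARP VIP / 1:1 NAT / WAN rule setup
discussed in this thread. The dictionaries below are a simplified model of
the poster's configuration, not pfSense's own config format."""
import ipaddress

# Constructed interface layout mirroring the original post; 203.0.113.0/24 is
# an RFC 5737 documentation range standing in for the masked public block.
INTERFACES = {
    "wan": "203.0.113.43/29",
    "lan": "192.168.0.254/24",
    "opt1": "172.16.0.1/24",
}

# What the poster had: VIP /29 (correct), 1:1 NAT with mismatched subnet
# sizes (/32 external, /24 internal) and no WAN rules at all.
POSTED_CONFIG = {
    "vips": [{"type": "carp", "interface": "wan", "address": "203.0.113.44/29", "vhid": 1}],
    "nat_1to1": [{"interface": "wan", "external": "203.0.113.44/32", "internal": "172.16.0.2/24"}],
    "rules": [],
}

# The configuration the replies converge on: /32 on both NAT sides and a
# WAN pass rule whose destination is the VIP.
FIXED_CONFIG = {
    "vips": POSTED_CONFIG["vips"],
    "nat_1to1": [{"interface": "wan", "external": "203.0.113.44/32", "internal": "172.16.0.2/32"}],
    "rules": [{"interface": "wan", "action": "pass", "destination": "203.0.113.44/32"}],
}


def check_carp_vip(interfaces, vip):
    """A CARP VIP must use the prefix length of the real interface it sits on
    and must lie inside that interface's subnet; otherwise pfSense reports
    'could not locate an interface with a matching subnet'."""
    problems = []
    iface_net = ipaddress.ip_interface(interfaces[vip["interface"]]).network
    vip_if = ipaddress.ip_interface(vip["address"])
    if vip_if.network.prefixlen != iface_net.prefixlen:
        problems.append(f"VIP {vip['address']} uses /{vip_if.network.prefixlen} but "
                        f"{vip['interface']} is /{iface_net.prefixlen}")
    if vip_if.ip not in iface_net:
        problems.append(f"VIP {vip_if.ip} is not inside {iface_net}")
    return problems


def check_one_to_one_nat(nat):
    """1:1 NAT: the external and internal subnet sizes have to be equal.
    A single-host mapping therefore needs /32 on both sides."""
    ext = ipaddress.ip_network(nat["external"], strict=False)
    internal = ipaddress.ip_network(nat["internal"], strict=False)
    if ext.prefixlen != internal.prefixlen:
        return [f"1:1 NAT external /{ext.prefixlen} does not match internal /{internal.prefixlen}"]
    return []


def check_wan_rules(rules, vip):
    """Default deny: at least one pass rule on the VIP's interface must have a
    destination that contains the VIP address, or nothing gets through."""
    vip_ip = ipaddress.ip_interface(vip["address"]).ip
    for rule in rules:
        if rule["interface"] != vip["interface"] or rule["action"] != "pass":
            continue
        if vip_ip in ipaddress.ip_network(rule["destination"], strict=False):
            return []
    return [f"no pass rule on {vip['interface']} allows traffic to {vip_ip} (blocked by default)"]


def audit(config, interfaces=INTERFACES):
    """Run all three checks and return the list of problems found."""
    problems = []
    for vip in config["vips"]:
        problems += check_carp_vip(interfaces, vip)
        problems += check_wan_rules(config["rules"], vip)
    for nat in config["nat_1to1"]:
        problems += check_one_to_one_nat(nat)
    return problems


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit(cfg) or "OK")
```

Running the script reports two problems for the posted configuration (the NAT subnet-size mismatch and the missing WAN rule) and none for the fixed one; feeding it a VIP of 203.0.113.44/32 reproduces the "matching subnet" complaint as a prefix-length mismatch against the /29 WAN interface.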