Netgate Discussion Forum

    CARP and VIP's NOT working

    HA/CARP/VIPs
    • rexsrexs

      I'm using pfSense 1.2-BETA-1. I have several public IPs, from xxx.xxx.xxx.42 to xxx.xxx.xxx.46, with subnet 255.255.255.248. The pfSense box is using IP address xxx.xxx.xxx.43, and I assigned the rest of the IPs (44-46) to several servers that I'm placing in my DMZ. So I assigned some VIPs with the following configuration:

      pfbox :
      WAN

      • IP : xxx.xxx.xxx.43/29

      • Gateway : xxx.xxx.xxx.41

      • DNS 1 : 202.133.3.237

      • DNS 2 : 202.133.3.7

      LAN

      • IP : 192.168.0.254/24

      DMZ (OPT1)

      • IP : 172.16.0.1/24

      VIP #1
      Type CARP
      Interface WAN
      Address xxx.xxx.xxx.44/29
      VIP pass xxxxxxxx
      VHID group 1
      Advertising Frequency 0
      Description : win server

      win server

      • IP : 172.16.0.2

      • Subnet : 255.255.255.0

      • Gateway : 172.16.0.1

      NAT 1:1

      • Interface : WAN

      • External subnet : xxx.xxx.xxx.44/32 (I can't use external subnet xxx.xxx.xxx.44/29; the pfbox will complain! ???)

      • Internal subnet : 172.16.0.2/24

      After that I can't connect to the server, and I get A LOT of hits in the firewall log to the IP xxx.xxx.xxx.43 (the pfbox IP). I wonder what's wrong: is it the NAT or the VIP, or is there something that I missed?

      Any hint would be helpful.

      • GruensFroeschli

        Do you have firewall rules on your WAN in place that allow traffic to your server?

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        • dotdash

          @rexsrexs:

          NAT 1:1

          • Interface : WAN

          • External subnet : xxx.xxx.xxx.44/32 (I can't use external subnet xxx.xxx.xxx.44/29; the pfbox will complain! ???)

          • Internal subnet : 172.16.0.2/24

          From the 1:1 NAT screen:
          The subnet size specified for the external subnet also applies to the internal subnet (they have to be the same).
          You are making a 1-1, so both subnets should be /32 (a single address).

          • rexsrexs

            I can't make the CARP type VIP with subnet xxx.xxx.xxx.44/32; the pfbox will also complain. It said:

            Sorry, we could not locate an interface with a matching subnet for 202.133.1.44/32. Please add an ip in this subnet on a real interface.

            and I don't have any firewall rules on the WAN interface that either block or allow the traffic. Any more hints please? :-[

            • GruensFroeschli

              If you don't have a rule, everything is blocked by default.


              • rexsrexs

                Now I'm placing a rule in the firewall to allow traffic from WAN to xxx.xxx.xxx.44 (the VIP), but I still can't connect to the server. Is there any rule that I should add? :-[

                • dotdash

                  @rexsrexs:

                  I can't make the CARP type VIP with subnet xxx.xxx.xxx.44/32; the pfbox will also complain. It said:

                  Sorry, we could not locate an interface with a matching subnet for 202.133.1.44/32. Please add an ip in this subnet on a real interface.

                  If you are using a CARP VIP, the subnet mask of the VIP should match the subnet mask of the Interface (/29 in your case). The 1-1 NAT should still be a /32 to match one internal and one external address.

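Added example, not code from the thread, from the posters, or from pfSense itself: a Python model of the three constraints the replies raise (CARP VIP mask must match the interface, 1:1 NAT subnets must be the same size, WAN is default-deny), using only the standard ipaddress module. It assumes TEST-NET 203.0.113.0/29 in place of the masked public block, and it adds one pf fact the thread does not state: pf translates before it filters, so a WAN rule for 1:1-NATed traffic must name the internal host, not the public VIP, as its destination.

```python
import ipaddress

def vip_has_matching_interface(vip_cidr, interface_cidrs):
    """A CARP VIP must lie in the same subnet, with the same mask, as an
    address on a real interface (this models the "could not locate an
    interface with a matching subnet" error quoted in the thread)."""
    vip_net = ipaddress.ip_interface(vip_cidr).network
    return any(ipaddress.ip_interface(c).network == vip_net for c in interface_cidrs)

def nat_1to1_is_consistent(external_cidr, internal_cidr):
    """1:1 NAT applies the external prefix length to the internal side, so
    both must be the same size; one public host to one private host is /32."""
    ext = ipaddress.ip_interface(external_cidr).network
    intl = ipaddress.ip_interface(internal_cidr).network
    return ext.prefixlen == intl.prefixlen

def wan_rule_permits(rules, nat_external, nat_internal, dst_ip, dst_port, proto="tcp"):
    """WAN is default-deny. pf translates before it filters, so a rule for
    1:1-NATed traffic must name the internal host as destination; a rule
    written against the public VIP never matches. Each rule is a dict with
    'proto', 'dst' (CIDR) and 'port' (int or 'any')."""
    if dst_ip == nat_external:
        dst_ip = nat_internal  # what the filter actually sees after 1:1 NAT
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if (r["proto"] in (proto, "any")
                and dst in ipaddress.ip_network(r["dst"], strict=False)
                and r["port"] in ("any", dst_port)):
            return True
    return False

# The poster's layout, with TEST-NET 203.0.113.0/29 standing in for the masked block.
WAN_IF = "203.0.113.43/29"
VIP_29, VIP_32 = "203.0.113.44/29", "203.0.113.44/32"  # /29 matches WAN, /32 does not
NAT_EXT, NAT_INT = "203.0.113.44", "172.16.0.2"

def check_poster_config():
    """Verdict of each check for the configurations discussed in the thread."""
    on_vip = [{"proto": "tcp", "dst": NAT_EXT + "/32", "port": 80}]   # rule as the poster wrote it
    on_host = [{"proto": "tcp", "dst": NAT_INT + "/32", "port": 80}]  # rule on the internal host
    return {
        "vip_29_accepted": vip_has_matching_interface(VIP_29, [WAN_IF]),
        "vip_32_accepted": vip_has_matching_interface(VIP_32, [WAN_IF]),
        "nat_32_32_ok": nat_1to1_is_consistent(NAT_EXT + "/32", NAT_INT + "/32"),
        "nat_32_24_ok": nat_1to1_is_consistent(NAT_EXT + "/32", NAT_INT + "/24"),
        "no_rule_passes": wan_rule_permits([], NAT_EXT, NAT_INT, NAT_EXT, 80),
        "rule_on_vip_passes": wan_rule_permits(on_vip, NAT_EXT, NAT_INT, NAT_EXT, 80),
        "rule_on_host_passes": wan_rule_permits(on_host, NAT_EXT, NAT_INT, NAT_EXT, 80),
    }
```

Running check_poster_config() shows the /29 VIP accepted and the /32 VIP rejected, the /32-to-/24 NAT rejected, and only the rule that names 172.16.0.2 letting a connection to the VIP through.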
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.