Ping VIP Used In 1:1 NAT
-
Hello,
I am testing out pfSense to replace the firewall I built with Ubuntu and Shoreline and have hit a few snags and have solved all but 1 myself.
I have 5 public IPs; I set up 1 as the WAN address and the other 4 as Virtual IPs on the WAN using CARP with a different VHID per IP - I don't need any fail-over.
I have the 4 VIPs set up with 1:1 NAT to my servers, and all the port forwarding is working great, so I know things are working. When I add an ICMP rule to the WAN directly I can ping my first IP no problem. When I try to ping any of the VIPs I get no response, even though I have the exact same type of ICMP rule on those VIPs as on the WAN.
Now, when I take the 1:1 away from those VIP's the ping works. This doesn't make any sense to me.
Anyone know what may be wrong? To summarize, I can ping my VIPs if I don't have 1:1 NAT enabled, but when I configure the VIPs for 1:1 NAT the ping no longer works.
Thanks.
-
When you use a 1-1, the machine replies to the ping instead of the firewall. You need to have a rule allowing ICMP to the machine (the private IP).
-
I see.
This isn't very intuitive.
It may be worth investigating adding ICMP as a protocol option in your Port Forward page so that it creates these rules for you. A text tidbit may be good also on 1:1 NAT tab that indicates how 1:1 works and how to handle things like ICMP.
Thanks for your help.
-
It is intuitive.
If you 1:1 NAT something then you forward EVERYTHING (thus 1:1). And adding firewall options to the NAT options is a very bad idea.
-> Keep firewall rules and NAT rules apart.
This is one of the big plusses of pfSense.
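To make the point of the two replies above concrete (the machine behind the 1:1 mapping answers the ping, so the pass rule has to name the private address, and the NAT rule and the filter rule stay separate), here is an added example that is not from the thread and is not pfSense's generated ruleset: a hand-written pf.conf fragment expressing the poster's setup. The interface name and every address in it are assumptions.

```pf
# Added example (not from the thread): a hand-written pf.conf fragment that
# expresses the poster's setup. Interface name and addresses are assumed:
#   em0            = WAN interface
#   203.0.113.11   = CARP VIP used for 1:1 NAT
#   192.168.1.11   = internal server behind the 1:1 mapping
ext_if = "em0"
vip1   = "203.0.113.11"
srv1   = "192.168.1.11"

# 1:1 NAT: every inbound packet addressed to the VIP is rewritten to the
# server, and every outbound packet from the server is rewritten to the VIP.
binat on $ext_if from $srv1 to any -> $vip1

# Ping to the WAN interface address: nothing is translated, so a rule that
# matches the interface's own address is what lets the firewall answer.
pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type echoreq

# Does NOT work once the binat above exists: pf applies translation before
# filtering, so by the time this rule is evaluated the destination is
# already 192.168.1.11 and the rule never matches.
# pass in on $ext_if inet proto icmp from any to $vip1 icmp-type echoreq

# Works: match the translated (private) destination. This is the rule the
# reply above describes, and it is the only line that had to change.
pass in on $ext_if inet proto icmp from any to $srv1 icmp-type echoreq
```

In the pfSense GUI this corresponds to a rule on the WAN tab whose destination is the internal host's private address rather than the VIP; the 1:1 entry itself carries no filtering, which is the separation the last reply is defending.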