Netgate Discussion Forum

Multiple WAN IPs, NATing to DMZ servers

HA/CARP/VIPs
    wlentz102
    last edited by Sep 13, 2008, 8:35 PM

    I have searched the forums, and I can't come up with an answer that works for my situation, so I'll post and see if anyone has any ideas.

    I have a /28 subnet from my ISP (x.x.112.48-63).  Internal LAN (we use it as our DMZ) is set as normal 192.168.1.254.  We have an OPT interface that we use for our Internet filter.

    I want to take IP 112.51 and map it to internal 1.62 - it's just a web server.  The way I understand this should work is I set up a Virtual IP (Single host, ProxyARP) on that address.  I then create either a port forward rule or a 1:1 NAT rule for that.  Ensure that there are rules in the WAN filter to allow traffic to that IP.

    So I did that, and no dice.  I've tried just about every combination I can think of.  I've tried port forwarding vs. 1:1.  I've tried ProxyARP vs. Other.  I've tried all traffic to every IP address in the path (112.51, 1.62, even 1.254 as a last resort), all to no avail.  As a last ditch effort, I allowed all traffic anywhere to any IP.  Bad idea, I know, but I had to see if it was the firewall rules.  I can't ping, I can't get to the website, nothing.  It almost seems as though the VIP doesn't get created.

    I hope someone has some bright suggestions. I really need to get this working ASAP, and I might have to switch to a different product, and I really like pfSense.  Thanks!

      hexa
      last edited by Nov 28, 2008, 12:25 PM

      Instead of proxy ARP, use CARP if you haven't yet.
      Also, for testing, allow ALL on your firewall rules. :-)
      You could use tcpdump -i interfacename -n from the console to see what's up with your packets. That might give you an additional clue. Your setup isn't complicated at all. I have had no problems setting it up many times.

        tommyhp2
        last edited by Dec 3, 2008, 9:06 AM

        Hi,

        I have a simpler setup with just WAN and LAN.  The WAN has 5 static IPs.  I wanted to forward the ports to the servers internally.  The primary IP assigned responded very fast.  But the other VIPs have very slow response.  To make a valid test, I forwarded the http port of each static IP to an internal IP of the same internal server (with different LAN IPs respectively) using virtual hosts, serving the same exact content.  I've tried using VIP as CARP, PARP, and other.  All have performance issues on the VIPs.  Does anyone know the cause of this?

        Thanks,
        Tommy

        BTW:  I'm using pfSense version 1.2.1 RC2. I have 0 In/Out errors on status > NICs.
