2x pfSense x 2x WANs + 1 Web Server = 3x OK + 1x Fail
-
Hi!
I have 2x pfSense 2.1 RC0 firewall servers (FW1,FW2) with 2x WAN NICs on each of them.
On each firewall the first WAN NIC has an external IP (IP1.1, IP1.2), the second WAN NIC has an internal IP (10.1.x.x), and the ISP binds an external IP (IP2.1, IP2.2) to these internal IPs.
These servers use CARP for sync and have VIPs for the WANs and a VIP for the LAN (as the GW for a WebServer).
Then I have a web server (behind the firewall) that uses the LAN VIP as its GW IP.
The firewall has rules to allow ping from any source to the firewall and NAT from any source via HTTP to the WebServer's HTTP. Here is the problem:
When I'm trying to reach the WebServer (HTTP) from the Internet via IP1.1 or IP1.2 - everything is OK.
When I'm trying to reach the WebServer (HTTP) from the Internet via IP2.1 - everything is OK if the first pfSense (FW1) is the master (LAN VIP @ FW1, used as GW by the WebServer) and the second (FW2) is the backup. In this case the WebServer is unreachable via IP2.2, but ping/trace to IP2.2 is OK. What's the trick? Why are IP1.1 and IP1.2 OK regardless of who is master, but it does matter when I use NAT for IP2.1 and IP2.2 (and doesn't matter if I'm not using NAT - ping/trace)?
-
Are you NATting with the VIP not the default NAT rules?