Netgate Discussion Forum

    VIP & 1:1 NAT not working

    HA/CARP/VIPs
    BenMitchell1979:

      So here is the layout in my home lab…

      I have Charter Business with a /29 (5 IPs), and the DG is 97.x.x.9/29.
      pfSense (v2.1.2)
      Cisco Managed Switch (all vlans are connected and can communicate with each other)
      3x ESXi hosts (all servers are VMs on ESXi 5.5)

      IP1: 97.x.x.10 = VIP 1 (IP Alias) w/ 1:1 NAT  // used for RDS Gateway on VLAN2 (192.168.2.5)
      IP2: 97.x.x.11 = AVAILABLE but not configured on pfSense
      IP3: 97.x.x.12 = VIP 2 (IP Alias) w/ 1:1 NAT  // used for VMware View Security Server on VLAN5 (192.168.5.21)
      IP4: 97.x.x.13 = pfSense WAN address
      IP5: 97.x.x.14 = WAN for home network (not used with pfSense)

      I have my CM plugged directly into my pfSense (physical) WAN port (em0), and the LAN (re0) is trunked to a Cisco switch. Both the RDS Gateway server and the View Security Server are running on ESXi hosts connected via a Virtual Distributed Switch.

      =====================
      Issue:

      I've configured the VIPs and 1:1 NATs and basically disabled the firewall by applying any/any rules (troubleshooting only).

      The 2012R2 RDS server works fine: when I go to Google and look up my IP it returns 97.x.x.10, and I can hit it from an external Internet source. From the server I can ping the VLAN2 gateway (192.168.2.254), the VIPs (97.x.x.10 & 12), the Charter gateway (97.x.x.9), and Google DNS (8.8.8.8).

      The View Sec box, on the other hand, is set up the exact same way as the RDS VIP & NAT. However, it does not resolve the Internet. From the server I can ping the VLAN5 gateway (192.168.5.254) and the VIPs (97.x.x.12 & 10). I'm unable to ping the Charter gateway (97.x.x.9), which is why I also cannot ping Google DNS or resolve the Internet.

      I've beat up on this for over a week now and am hoping the community at large can assist me.

      Regards,
      Ben Mitchell

      Derelict (Netgate):

        @BenMitchell1979:

            Cisco Managed Switch (all vlans are connected and can communicate with each other)

        What does this mean?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        BenMitchell1979:

          I have 10 vLans configured from pfsense that are trunked to the Cisco switch. The switch is broken up into 4x trunked ports, 2x vLAN4 (DHCP/Workstations), 6x vLAN2 (Management\Core Services),  12x vLAN10 (iSCSI\Storage for Dell Equallogic Array and Starwind 2012R2 Server).

          All my vlans can communicate with each of the other vlans whether via trunked ports to the hosts (accessed via virtual switches) or from physical ports from the Cisco switch.

          Derelict (Netgate):

            And you have a pfSense interface on re0_vlan10 and a pfSense

            @BenMitchell1979:

                I have 10 vLans configured from pfsense that are trunked to the Cisco switch. The switch is broken up into 4x trunked ports, 2x vLAN4 (DHCP/Workstations), 6x vLAN2 (Management\Core Services),  12x vLAN10 (iSCSI\Storage for Dell Equallogic Array and Starwind 2012R2 Server).

                All my vlans can communicate with each of the other vlans whether via trunked ports to the hosts (accessed via virtual switches) or from physical ports from the Cisco switch.

            I'm still confused.  You say you have two VLANs configured on pfSense, yet you mention three VLANs that can all communicate with each other.  What is routing them? (particularly vlan10 - or is vlan10 just for shared storage for ESX and vlans2 and 5 CAN'T really communicate with vlan10 directly???)

            Can you draw it up on gliffy.com/visio/graffle?  Don't need the whole thing or every detail just the basic Layer 2/3 stuff.  Particularly for the guest you're having trouble with.


            BenMitchell1979:

              [Cable Modem]---[pfSense]---[Cisco 2970 (layer 2 only)]

              All routing is handled by pfSense, and I allow all communication between all my internal VLANs.
              VLAN (default gateway)
              vLan2 (192.168.2.254)  # Core services and Management network
              vLan3 (192.168.3.254)  # Unused (will be used for Citrix PVS/PXE boots (Large DHCP Scope)
              vLan4 (192.168.4.254)  # Workstations/Printers/Devices
              vLan5 (192.168.5.254)  # F5/Load Balance network
              vLan6 (192.168.6.254)  # One Off Lab testing
              vLan7 (192.168.7.254)  # Unused
              vLan8 (192.168.8.254)  # Unused
              vLan9 (192.168.9.254)  # Unused
              vLan10 (192.168.10.254)  # iSCSI storage traffic

              Currently I have 3 public IPs available for external testing. 2 of them are used for 2012R2 RemoteApp (RDSH server) and the other I'm setting up for VMware Horizon View 6 testing. The RDSH server is on VLAN2 (192.168.2.10, 1:1 NAT = 97.x.x.10 = https://remote.complete-geek.com; GoDaddy hosting FQDN and external DNS). The VMware View Security Server (external-facing piece) is set up on VLAN5 (I plan to put it behind a virtual F5 once I get everything working). I've got the VIP and 1:1 NAT set up exactly the same way on both virtual machines.

              Both virtual machines are running on 1 of 2 physical Dell R710s (running VMware ESXi 5.5) connected to the Cisco 2970 via trunked ports to the Virtual Distributed Switch. Both VMs are on the same host (part of my troubleshooting). From the View Security Server I can ping devices on all my other VLANs. For some reason, though, I can't seem to ping/reach the default gateway for my WAN connection (97.x.x.9). If I disable my 1:1 NAT in pfSense for the Security Server, it will start pinging the WAN DG again (but at that point I'm not hitting the VIP but my normal WAN address, 97.x.x.13). So it would appear that when I apply my 1:1 NAT rule (97.x.x.12 == 192.168.5.21) the VMware Security Server stops being able to reach my WAN's DG and hence has no Internet. I'm attaching screenshots of my VLAN, VIEW-NAT, RDS-NAT, and VIP overview.

              If that is still clear as mud :o then I'll draw out a diagram of how everything is connected.

              Attachments: vlans.jpg, RDS-VIP.jpg, RDS-NAT.jpg, VIEW-NAT.jpg, VIEW-VIP.jpg

              Derelict (Netgate):

                How come the RDS-VIP and VIEW-VIP are both .12?

                Nevermind.  Looks like two images both the same with different labels.

                Personally, I would tag the traffic for CGNcore that's currently on re0.  I wouldn't have any interface assigned to re0 (untagged).

                I would also put the cable modem on re0 untagged and use em0 for all the heavy lifting.


                Derelict (Netgate):

                  I'm curious.  Have you tried it without the VIPs defined?  Sorry.  I'm kind of guessing here.  I only have one IP and it'll take a couple hours to mock this up.

                  ETA: Nevermind again.  The "Methods of Using Additional Public IPs" section makes it pretty clear that with the one WAN subnet you need the VIPs.  With a subnet routed to your WAN interface you don't.

                  I don't know.  What you have looks like it should be working.  Might be time for a packet capture on WAN, pinging .9 with 1:1 NAT both enabled and disabled, downloading into wireshark if necessary.

                  Attachment: Screen Shot 2014-09-13 at 3.06.23 PM.png


                    Derelict (Netgate):

                    After reading that section, I would use Proxy ARP VIPs in your situation, not IP Alias.


                      BenMitchell1979:

                      I had tried setting both to Proxy ARP previously with no luck. I end up with the same results.

                      I'll run some scans with wireshark and report back.

                        BenMitchell1979:

                        Wireshark logs didn't really help. When I try to connect to the interwebs, I don't ever see a src reply from Google.

                        Attachment: WS-Capture.jpg

                          BenMitchell1979:

                          Okay, after some additional troubleshooting it appears that the issue is with my ISP and not my firewall. I gave my laptop the 97.x.x.12 IP address and still could not hit the DG of 97.x.x.9/29. I then switched to using the 97.x.x.11/29 IP on the View server and was able to connect to the Internet without any issues. So it looks like I have a call to Charter in my future.

                          Thanks for the help!!

                            BenMitchell1979:

                            Resurrecting this thread - was not Charter ISP after all. :-X

                            I've moved from a physical to a virtual (VMware 5.5) pfSense 2.1.5 deployment and I'm still not able to get the 1:1 NAT working properly. The biggest issue that I see is that when I enable the 1:1 NAT the guest loses the ability to ping my WAN gateway. If I remove the 1:1 NAT or disable it, then that guest is again able to ping my WAN gateway. I have my firewall wide open (any/any) on all interfaces, so I don't think it's a firewall rule causing this. Any ideas from the community would be great!

                            SETUP:
                            3 physical interfaces (em0-em2)
                            - em0 (WAN) 97.x.x.13/29 (gateway 97.x.x.9/29)
                            - em1 (all VLANs from this) = em1_vlan2 = 192.168.2.254 (tagged: VLAN 2)
                            - em2 HomeNetwork 192.168.100.254/24 (gateway 192.168.100.1/24)

                            9 VLANs / Layer 3 gateways
                            CoreNetwork_v2    | 192.168.2.254
                            VM_Network_v3    | 192.168.3.254
                            VM_Network_v4    | 192.168.4.254
                            VM_Network_v5    | 192.168.5.254
                            VM_Network_v6    | 192.168.6.254
                            VM_Network_v7    | 192.168.7.254
                            VM_Network_v8    | 192.168.8.254
                            VM_Network_v9    | 192.168.9.254
                            SAN_Network_v10 | 192.168.10.254

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.