Netgate Discussion Forum
    VIP & 1:1 NAT not working

    HA/CARP/VIPs
    • DerelictD
      Derelict LAYER 8 Netgate

      Cisco Managed Switch (all vlans are connected and can communicate with each other)

      What does this mean?

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • B
        BenMitchell1979

        I have 10 VLANs configured from pfSense that are trunked to the Cisco switch. The switch is broken up into 4x trunked ports, 2x VLAN4 (DHCP/Workstations), 6x VLAN2 (Management\Core Services), 12x VLAN10 (iSCSI\Storage for Dell EqualLogic Array and StarWind 2012R2 Server).

        All my vlans can communicate with each of the other vlans whether via trunked ports to the hosts (accessed via virtual switches) or from physical ports from the Cisco switch.

        • DerelictD
          Derelict LAYER 8 Netgate

          And you have a pfSense interface on re0_vlan10 and a pfSense

          @BenMitchell1979:
          > I have 10 VLANs configured from pfSense that are trunked to the Cisco switch. The switch is broken up into 4x trunked ports, 2x VLAN4 (DHCP/Workstations), 6x VLAN2 (Management\Core Services), 12x VLAN10 (iSCSI\Storage for Dell EqualLogic Array and StarWind 2012R2 Server).
          >
          > All my vlans can communicate with each of the other vlans whether via trunked ports to the hosts (accessed via virtual switches) or from physical ports from the Cisco switch.

          I'm still confused.  You say you have two VLANs configured on pfSense, yet you mention three VLANs that can all communicate with each other.  What is routing them? (particularly vlan10 - or is vlan10 just for shared storage for ESX and VLANs 2 and 5 CAN'T really communicate with vlan10 directly???)

          Can you draw it up on gliffy.com/visio/graffle?  Don't need the whole thing or every detail just the basic Layer 2/3 stuff.  Particularly for the guest you're having trouble with.

          • B
            BenMitchell1979

            [Cable Modem]---[pfSense]---[Cisco 2970 (layer 2 only)]

            All routing is handled by pfSense and I allow all communication between all my internal VLANs.

            VLAN (default gateway)
            VLAN2  (192.168.2.254)   # Core services and Management network
            VLAN3  (192.168.3.254)   # Unused (will be used for Citrix PVS/PXE boots, large DHCP scope)
            VLAN4  (192.168.4.254)   # Workstations/Printers/Devices
            VLAN5  (192.168.5.254)   # F5/Load Balance network
            VLAN6  (192.168.6.254)   # One-off lab testing
            VLAN7  (192.168.7.254)   # Unused
            VLAN8  (192.168.8.254)   # Unused
            VLAN9  (192.168.9.254)   # Unused
            VLAN10 (192.168.10.254)  # iSCSI storage traffic

            Currently I have 3 public IPs available for external testing. 2 of them are used for 2012R2 RemoteApp (RDSH Server) and the other I'm setting up for VMware Horizon View 6 testing. The RDSH server is on VLAN2 (192.168.2.10 and 1:1 NAT = 97.x.x.10 = https://remote.complete-geek.com (GoDaddy hosting FQDN and external DNS)). The VMware View Security Server (external-facing piece) is set up on VLAN5 (I plan to put it behind a virtual F5 once I get everything working). I've got the VIP and 1:1 NAT set up exactly the same way on both virtual machines.

            Both virtual machines are running from 1 of 2 physical Dell R710s (running VMware ESXi 5.5) connected to the Cisco 2970 via trunked ports to the virtual distributed switch. Both VMs are on the same host (part of my troubleshooting). From the View Security Server I can ping devices on all my other VLANs. For some reason though I can't seem to ping/reach the default gateway for my WAN connection (97.x.x.9). If I disable my 1:1 NAT in pfSense for the Security Server, it will start pinging the WAN DG again (but at that point I'm not hitting the VIP but my normal WAN address, 97.x.x.13). So it would appear that when I apply my 1:1 NAT rule (97.x.x.12 == 192.168.5.21) the VMware Security Server stops being able to reach my WAN's DG and hence has no internet. I'm attaching a screenshot of my VLAN, VIEW-NAT, RDS-NAT, and VIP overview.

            If that is still clear as mud :o -  then I'll draw out a diagram of how everything is connected.

            [Attachments: vlans.jpg, RDS-VIP.jpg, RDS-NAT.jpg, VIEW-NAT.jpg, VIEW-VIP.jpg]

            • DerelictD
              Derelict LAYER 8 Netgate

              How come the RDS-VIP and VIEW-VIP are both .12?

              Never mind.  Looks like two images both the same with different labels.

              Personally, I would tag the traffic for CGNcore that's currently on re0.  I wouldn't have any interface assigned to re0 (untagged).

              I would also put the cable modem on re0 untagged and use em0 for all the heavy lifting.

              • DerelictD
                Derelict LAYER 8 Netgate

                I'm curious.  Have you tried it without the VIPs defined?  Sorry.  I'm kind of guessing here.  I only have one IP and it'll take a couple of hours to mock this up.

                ETA: Never mind again.  The "Methods of Using Additional Public IPs" section makes it pretty clear that with the one WAN subnet you need the VIPs.  With a subnet routed to your WAN interface you don't.

                I don't know.  What you have looks like it should be working.  Might be time for a packet capture on WAN, pinging .9 with 1:1 NAT both enabled and disabled, downloading into wireshark if necessary.

                [Attachment: Screen Shot 2014-09-13 at 3.06.23 PM.png]

                • DerelictD
                  Derelict LAYER 8 Netgate

                  After reading that section, I would use Proxy ARP VIPs in your situation, not IP Alias.

                  • B
                    BenMitchell1979

                    I had tried setting both to Proxy ARP previously with no luck. I end up with the same results.

                    I'll run some scans with wireshark and report back.

                    • B
                      BenMitchell1979

                      Wireshark logs didn't really help. When I try to connect to the interwebs - I don't ever see a src reply from google.

                      [Attachment: WS-Capture.jpg]

                      • B
                        BenMitchell1979

                        Okay - after some additional troubleshooting it appears that the issue is with my ISP and not my firewall. I gave my laptop the 97.x.x.12 IP address and still could not hit the DG of 97.x.x.9/29. I then switched to using the 97.x.x.11/29 IP on the View server and was able to connect to the internet without any issues. So it looks like I have a call to Charter in my future.

                        Thanks for the help!!

                        • B
                          BenMitchell1979

                          Resurrecting this thread - was not Charter ISP after all. :-X

                          I've moved from a physical to a virtual (VMware 5.5) pfSense 2.1.5 deployment and I'm still not able to get the 1:1 NAT working properly. The biggest issue that I see is that when I enable the 1:1 NAT the guest loses the ability to ping my WAN gateway. If I remove the 1:1 or disable it then that guest is again able to ping my WAN gateway. I have my firewall wide open (any/any) on all interfaces so I don't think it's a firewall rule causing this. Any ideas from the community would be great!

                          SETUP:
                          3 physical interfaces (em0-em2)
                          - em0 (WAN) 97.x.x.13/29 (gateway 97.x.x.9/29)
                          - em1 (all VLANs from this) = em1_vlan2 = 192.168.2.254 (tagged: vlan 2
                          - em2 HomeNetwork 192.168.100.254/24 (gateway 192.168.100.1/24)

                          9 VLANs / Layer 3 gateways
                          CoreNetwork_v2  | 192.168.2.254
                          VM_Network_v3   | 192.168.3.254
                          VM_Network_v4   | 192.168.4.254
                          VM_Network_v5   | 192.168.5.254
                          VM_Network_v6   | 192.168.6.254
                          VM_Network_v7   | 192.168.7.254
                          VM_Network_v8   | 192.168.8.254
                          VM_Network_v9   | 192.168.9.254
                          SAN_Network_v10 | 192.168.10.254

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.