Netgate Discussion Forum

    LAN blocking a Virtual IP on WAN?

    Category: Firewalling
    18 Posts 4 Posters 4.9k Views
    doktornotor:

      I am asking you to post a SCREENSHOT. Using the setting shown above, you will actually find the logs useful at a glance.

      pdrass:

        I didn't really want to post a screen shot but whatever.

        Here it is.

        Thanks!

        Attachment: fw.log.pn.PNG

        pdrass:

          See how the LAN and WAN are all screwed up?

          The LAN shows a public IP as the source and the WAN shows a private IP as the source.

          doktornotor:

            Post screenshots of:

            • Interfaces - Assign
            • Firewall - Virtual IPs
            • Your 1:1 NAT/port forwards setup
            pdrass:

              See attached.

              My pfSense: 192.168.0.253 (LAN address)

              My Linux Host's route table:

              root@mail:/etc/network# route
              Kernel IP routing table
              Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
              default        192.168.0.253  0.0.0.0        UG    0      0        0 eth0
              192.168.0.0    *              255.255.255.0  U    0      0        0 eth0

              Any other device on the network that doesn't have a virtual IP (because there is only one, of course) can get out just fine and everything is normal. It's only this one 192.168.0.15 host that has the virtual IP set up.

              I'm so stumped!

              Attachments: interfaces.assign.PNG, mail.server.PNG, 1 to 1 nat.PNG

              KOM:

                @pdrass: I didn't really want to post a screen shot but whatever.

                They are pretty much mandatory if you want assistance. Too many people will describe what they think they did, as opposed to what they actually did, or will present the data in an unreadable format. Screenshots don't lie. Feel free to black out your WAN IP address.

                pdrass:

                  That's understandable, and that's why I posted them… if you need help, beggars can't be choosers :-)

                  pdrass:

                    So… no matter what I do I always get this:

                    The rule that triggered this action is:

                    @55(1000001570) block drop in log on ! bge0 inet from 173.162.48.240/29 to any

                    This is frustrating to say the least. I've deleted all the rules, VIPs, ARP cache, etc. and set everything back up, but I get the same damn result. This isn't how it was working yesterday! I don't understand what the heck has happened, and on top of that my other site, which has more VIPs than this one, is working perfectly and is set up the same way.

                    The only odd thing is that from the client machine I can't ping out, not even over the VPN. I can ping on the LAN but not over the WAN or VPN.

                    This is just unbelievable, and there seems to be no reason, although the box thinks there is a reason! If Snort would block something, the log files usually say "snort"; same with pfBlockerNG, it would show up in the log as such.

                    I am ready to dial up and pay for support on this!!!

                    KOM:

                      Are you running pfBlocker or Snort by any chance?

                      pdrass:

                        OMG you know what it was?

                        This is unbelievable!!!

                        I had the cable provider soft reboot the router since I wasn't on site. In an act of desperation I called a guy to walk over to the cable modem > pull power > plug power back in, and boom, it started working again.

                        I assume then that ARP got all messed up somehow and it was reset on that cable modem device.

                        Just unbelievable.

                        doktornotor:

                          Well, I just wanted to suggest checking that you have not swapped the cables by accident. :P

                          BBcan177 (Moderator):

                            @pdrass: I have a WAN address, everything is working great. I added a virtual IP onto the pfSense of a server that used to have a WAN address from our ISP.

                            I have a similar setup with a VIP for my second WAN…

                            I see in your screenshot that you have /32 for the VIP CIDR… That CIDR should match the CIDR of the WAN network… See the help text on the VIP page.

                            "Experience is something you don't get until just after you need it."

                            Website: http://pfBlockerNG.com
                            Twitter: @BBcan177  #pfBlockerNG
                            Reddit: https://www.reddit.com/r/pfBlockerNG/new/

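As an added worked example (this is not code from the thread, from pfSense or from any of the posters), the following Python script parses the pf rule pdrass quoted and applies it to constructed log entries, which shows why a packet whose source lies in the WAN subnet but which arrives on a non-WAN interface is selected by "on ! bge0 … from 173.162.48.240/29", and it encodes BBcan177's VIP/WAN CIDR advice as a check. Only the rule text and the 173.162.48.240/29 subnet come from the thread; the LAN interface name em1, the WAN address 173.162.48.241/29, the destination addresses and the log entries are assumptions constructed for the example.

```python
import ipaddress
import re

# The pf rule quoted in the thread (this line is from the original post).
PF_RULE = "@55(1000001570) block drop in log on ! bge0 inet from 173.162.48.240/29 to any"

# Shape of the rule as pfSense prints it: "@num(tracker) action [drop|return] in|out [log]
# on [!] iface inet|inet6 from <src> to <dst>".  "! bge0" means "every interface except bge0".
RULE_RE = re.compile(
    r"^@(?P<num>\d+)\((?P<tracker>\d+)\)\s+(?P<action>pass|block)(?:\s+(?P<kind>drop|return))?"
    r"\s+(?P<dir>in|out)(?P<log>\s+log)?\s+on\s+(?P<neg>!\s*)?(?P<iface>\S+)\s+(?P<af>inet6?)"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
)


def parse_pf_rule(text):
    """Return a dict describing the rule, or raise ValueError if the text is not a rule."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised pf rule: " + text)
    return {
        "number": int(m["num"]),
        "tracker": m["tracker"],
        "action": m["action"],
        "direction": m["dir"],
        "logged": m["log"] is not None,
        "iface": m["iface"],
        "iface_negated": m["neg"] is not None,
        "src": m["src"],
        "dst": m["dst"],
    }


def _addr_matches(spec, addr):
    """'any' matches everything; otherwise the address must lie in the spec's network."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, iface, direction, src, dst):
    """True if a packet seen on `iface` in `direction` from src to dst is selected by the rule."""
    if rule["iface_negated"]:
        iface_ok = iface != rule["iface"]
    else:
        iface_ok = iface == rule["iface"]
    return (direction == rule["direction"] and iface_ok
            and _addr_matches(rule["src"], src) and _addr_matches(rule["dst"], dst))


# Constructed log entries modelled on the symptom in the thread: a public (WAN-subnet)
# source address seen on the LAN side.  "em1" as the LAN interface is an assumption;
# bge0 is the WAN interface named in the rule.
SAMPLE_ENTRIES = [
    ("em1",  "in", "173.162.48.242", "8.8.8.8"),   # WAN-subnet source arriving on LAN
    ("bge0", "in", "173.162.48.242", "8.8.8.8"),   # same source, but on the WAN itself
    ("em1",  "in", "192.168.0.15",   "8.8.8.8"),   # ordinary LAN client, private source
]


def blocked_entries(rule_text=PF_RULE, entries=SAMPLE_ENTRIES):
    """Return the (iface, src) pairs that a block rule would drop."""
    rule = parse_pf_rule(rule_text)
    return [(iface, src) for iface, direction, src, dst in entries
            if rule["action"] == "block" and rule_matches(rule, iface, direction, src, dst)]


def vip_cidr_problems(wan_addr_cidr, vip_cidr):
    """Encode BBcan177's advice: the VIP should sit inside the WAN subnet with the same prefix length."""
    wan = ipaddress.ip_interface(wan_addr_cidr)
    vip = ipaddress.ip_interface(vip_cidr)
    problems = []
    if vip.ip not in wan.network:
        problems.append("VIP %s is not inside the WAN network %s" % (vip.ip, wan.network))
    if vip.network.prefixlen != wan.network.prefixlen:
        problems.append("VIP prefix /%d does not match WAN prefix /%d"
                        % (vip.network.prefixlen, wan.network.prefixlen))
    return problems


if __name__ == "__main__":
    print("rule:", parse_pf_rule(PF_RULE))
    print("dropped by the rule:", blocked_entries())
    # 173.162.48.241/29 is a constructed WAN address inside the thread's /29, not the poster's.
    print("VIP as /32:", vip_cidr_problems("173.162.48.241/29", "173.162.48.242/32"))
    print("VIP as /29:", vip_cidr_problems("173.162.48.241/29", "173.162.48.242/29"))
```

Only the first constructed entry is dropped: the same source on bge0 fails the negated interface test, and the private LAN source is outside the /29. The CIDR check reports the /32 mismatch BBcan177 pointed at and nothing for a VIP entered with the WAN's own prefix length.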