Ordered second IP from OVH using pfSense
-
Hi, newbie here.
I have ordered a dedicated server with OVH with ESXi 6.5
I created a pfSense VM with two NICs.
OVH gave me an IP address of 192.95.40.214, which I was able to successfully NAT to my second VM (apache).
I have just ordered another IP address from OVH (157.114.210.0), but I am not able to add this to pfSense and NAT it to provide another apache service.
Any assistance/suggestion is greatly appreciated.
Thanks...
-
You are not able to add the second IP as a VIP to pfSense? If you can add it but cannot then ping out from that IP?
OVH does things in their own special way! They may require a second MAC address for that IP for example.
Steve
-
Hi Steve. Thanks for the reply.
Yes, I have created an OVH MAC address for the new IP address, and I was able to add it to pfSense's WAN interface as a VIP.
I suppose then I need to create separate gateways? I saw an OVH video saying to set the gateway to xxx.yyy.zzz.254 (in my examples, 192.95.40.214 -> 192.95.40.254 and 157.114.210.0 -> 157.114.210.254).
However, when I set up my first IP (192.95.40.214), there was no gateway set up, but I have no problem with the traffic. When I tried to ping the suggested gateway 192.95.40.254, I got 100% packet loss, so I am afraid to make changes to it (it's got a live service right now).
Do I have an incomplete setup that happens to work because I only had one IP address before? Do I (https://imgur.com/a/3AEtzTa), in WAN settings, fill out the MAC address and create a new gateway (with 192.95.40.254) and hope for the best? What happens if my network dies? Would OVH support be able to help me get back in?
Oh wait, the way that I get to my ESXi host is through nsxxxxxx.ip-51.yy.zz.net, and from there is how I get to my pfSense interface. If traffic through pfSense dies, my connection to ESXi doesn't die, does it?!
Sorry, gotta make sure the current service doesn't die...
-
Indeed you should always have access to the host so you can access the pfSense console and roll back any changes.
Another odd thing OVH does is use a gateway that is outside the WAN subnet on a non-point-to-point connection. Normally pfSense does not allow that as it's non-standard but it is possible to force it:
https://docs.netgate.com/pfsense/en/latest/book/routing/gateway-settings.html#use-non-local-gateway
I would expect both IPs to use the same gateway, since I assume it's outside both WAN subnets.
You don't need to have the gateway defined on the interface but if you do not then automatic outbound NAT will not be applied.
As long as you have a gateway defined and set as default you should have connectivity.
Steve
-
Hi Steve.
Well, I went to the (default) WAN and tried to add a new gateway, but it tells me "The gateway address 192.95.40.254 does not lie within one of the chosen interface's subnets."
The only reason that I can see it was rejected is that the WAN interface has the static IPv4 address (192.95.40.214) with a "/32" network.
I changed it to "/24" and voila! it took my first gateway!
BUT, you said you suspect both IPs use the same gateway, so even though my network is still up, I suppose it's not the correct gateway. Where would I find this gateway?
-
Right, you have to set 'non-local gateway' as shown in the link above if you want to use a gateway outside the subnet. That is because it is not allowed by the standards for anything except a point-to-point connection. For whatever reason OVH ignores that standard and just does it anyway.
What gateway are they telling you to use there?
Steve
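To make the two posts above concrete: the "does not lie within one of the chosen interface's subnets" error, why changing the WAN mask from /32 to /24 makes it go away, and what the 'use non-local gateway' option does instead. The following is an added example, not code from the thread or from pfSense itself. It models the subnet check with the addresses quoted in the thread; the function names, the "link#wan" label and the route list are my own assumptions about how each configuration ends up in the routing table (a /32 plus a non-local gateway is modelled as a host route to the gateway via the WAN interface, then a default route via that gateway).

```python
# Added example (not from the thread or from pfSense's source): a small model of
# the check pfSense applies when a gateway is added to an interface, plus the
# routes each way of satisfying that check would leave you with.
# Assumptions: function names, the "link#wan" next-hop label and the route
# modelling are mine; the addresses are the ones quoted in the thread.
import ipaddress
from typing import List, Tuple


def ovh_gateway(ip: str) -> str:
    """OVH's convention as described in the thread: keep the first three
    octets of the assigned IP and use .254 as the last one."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    return ".".join(octets[:3] + ["254"])


def gateway_check(interface_cidr: str, gateway: str, non_local: bool = False) -> str:
    """Mirror the GUI's subnet check.

    Returns 'local' when the gateway is inside the interface subnet,
    'non-local' when it is outside but the non-local option is set, and
    'rejected' otherwise (the error message the thread quotes)."""
    iface = ipaddress.ip_interface(interface_cidr)
    gw = ipaddress.ip_address(gateway)
    if gw in iface.network:
        return "local"
    return "non-local" if non_local else "rejected"


def routes_installed(interface_cidr: str, gateway: str, non_local: bool = False) -> List[Tuple[str, str]]:
    """(destination, next hop) pairs the box ends up with (assumed model).

    - connected route for the interface subnet, reached directly on the link
    - with a non-local gateway: an extra /32 host route so the gateway itself
      is reachable on the link even though it is outside the subnet
    - a default route via the gateway"""
    verdict = gateway_check(interface_cidr, gateway, non_local)
    if verdict == "rejected":
        return []  # pfSense refuses the gateway; nothing changes
    iface = ipaddress.ip_interface(interface_cidr)
    routes = [(str(iface.network), "link#wan")]
    if verdict == "non-local":
        routes.append((f"{gateway}/32", "link#wan"))
    routes.append(("0.0.0.0/0", gateway))
    return routes


if __name__ == "__main__":
    wan_ip = "192.95.40.214"
    gw = ovh_gateway(wan_ip)
    for cidr, flag in ((f"{wan_ip}/32", False), (f"{wan_ip}/24", False), (f"{wan_ip}/32", True)):
        print(cidr, "non_local=%s" % flag, "->", gateway_check(cidr, gw, flag), routes_installed(cidr, gw, flag))
```

The point of the route list is the difference between the two "fixes". Widening the WAN to /24 makes pfSense treat the whole 192.95.40.0/24 as on-link, so it will ARP for any address in that range instead of sending it to the gateway; whether that works depends entirely on what answers ARP on OVH's segment. Keeping the /32 and ticking 'use non-local gateway' only adds the one host route to .254, which is the narrower change and the one the Netgate documentation linked above describes.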
-
OK, I've managed to create two gateways, one with "non-local gateway" checked.
I was following this guide (https://docs.ovh.com/gb/en/dedicated/network-bridging/), which tells me my gateway is my IP address with the last octet replaced by 254.
At this point, I think I need to route the VIP traffic. I went back to the VIP setting, and the only way that I can change the network to /24 is to change the type from "IP Alias" to "Other." But nevertheless, I can't find the option for a gateway.
Thanks, as always, for your help. I am grateful.
-
The system only has one default route and it's via the first gateway. To use the second gateway you would need to policy route traffic to it while at the same time outbound NATing that traffic to the new WAN VIP.
So that's a rule on LAN to policy route and an outbound NAT rule matching the same outgoing connections.
Incoming traffic will be more difficult though, since it's not a separate interface. You will not get reply-to states, so reply traffic will go back via the default route.
Maybe you can add that IP via a separate interface in ESXi? That would work around it.
In all honesty I would simply move to a hosting solution that obeys the standards and avoid all this hassle. YMMV!
Steve
-
I'd agree OVH is more trouble than is normal.
Do you have a recommendation for a Canadian VPS that is comparable to OVH (besides the network configuration, of course)?
-
Not personally but there may be others who can.
You should be able to get it working in OVH though.
Steve