Netgate Discussion Forum
    Multi WAN, TO VM NAS with seperate Firewall

Category: Routing and Multi WAN
31 Posts, 2 Posters, 2.6k Views

viragomann @jochenmehlich (last edited by viragomann)

@jochenmehlich said in Multi WAN, TO VM NAS with seperate Firewall:

One problem could be that the IP of the pfSense VM has a completely different gateway from the other VMs. Would it be fixed if I set up a second NIC?

You've set the virtual IPs with a /32 mask. Consider that the gateway must be within the subnet of the IPs, because if you access one, pfSense sends responses back with that source IP.

So you got a second gateway from the provider for use with the additional IP, as I understand? Have you already added this to pfSense?
However, whether it can work with the gateway outside the subnet depends on the GW configuration.

jochenmehlich (last edited by jochenmehlich)

The main reason why I'm setting this up is that I want to have a separate firewall for each VM.

I hope it is not so critical to post the public IPs now, because it's very hard to check whether every IP is censored. So I have the following IPs.

Projectserver
IP: 144.76.93.247
Gateway: 144.76.93.225
Netmask: 255.255.255.224
Broadcast: 144.76.93.255

Publicserver
IP: 144.76.93.245
Gateway: 144.76.93.225
Netmask: 255.255.255.224
Broadcast: 144.76.93.255

Safeserver:
IP: 144.76.93.234
Gateway: 144.76.93.225
Netmask: 255.255.255.224
Broadcast: 144.76.93.255

PfSense:
IP: 136.243.196.130
Gateway: 136.243.196.129
Netmask: 255.255.255.248
Broadcast: 136.243.196.135

So I have

• a WAN interface (136.243.196.130)
• a LAN interface (172.16.0.1)
• an OPT1 interface (144.76.93.247)

All traffic from the VMs and for the VMs should go through OPT1.
It's static, with the gateway, with CIDR /27.

Alias IP
virtual_ip.png

NAT 1:1
nat_1-1.png

Firewalls:
firewall_wan.png
firewall_opt1.png
firewall_lan.png

Floating is empty.

What did I do wrong? Because I can reach the Projectserver but not the Safeserver.

viragomann @jochenmehlich

@jochenmehlich
It's not really recommended to post the real public IPs here. The info that all except pfSense are in the same subnet with a separate gateway would be sufficient.

Why did you set a destination in the 1:1 NAT for the Safeserver? Its own public IP makes no sense at all.
However, that won't be the problem, I think.

Your firewall rules page shows the interfaces "Safeserver" and "Publicserver". Are the VMs really connected to separate interfaces on pfSense? That cannot work, at least not with the server IPs shown in the NAT rules.

jochenmehlich @viragomann

@viragomann

It's not really recommended to post the real public IPs here

OK, thanks for the information.

Why did you set a destination in the 1:1 NAT for the Safeserver?

I think it would fix my problem.

Its own public IP makes no sense at all.

How could I fix it so that every VM has its own public IP?

Your firewall rules page shows the interfaces "Safeserver" and "Publicserver". Are the VMs really connected to separate interfaces on pfSense?

No, they are not connected; those are the old interfaces (from the beginning, but not plugged in; link down via Proxmox).

That cannot work, at least not with the server IPs shown in the NAT rules.

How can I do it?

viragomann @jochenmehlich

@jochenmehlich said in Multi WAN, TO VM NAS with seperate Firewall:

Why did you set a destination in the 1:1 NAT for the Safeserver?

I think it would fix my problem.

The destination should be any if there is no special reason to set a specific one.

@jochenmehlich said in Multi WAN, TO VM NAS with seperate Firewall:

How could I fix it so that every VM has its own public IP?

The rest of the 1:1 NAT rule is fine. One external IP to one internal.

@jochenmehlich said in Multi WAN, TO VM NAS with seperate Firewall:

No, they are not connected; those are the old interfaces (from the beginning, but not plugged in; link down via Proxmox).

That cannot work, at least not with the server IPs shown in the NAT rules.

How can I do it?

OK, if the servers are both on LAN within the same subnet there is no problem.

Test the access again with the corrected NAT rule.

jochenmehlich @viragomann

@viragomann said in Multi WAN, TO VM NAS with seperate Firewall:

The destination should be any if there is no special reason to set a specific one.

nat_2.png

@viragomann said in Multi WAN, TO VM NAS with seperate Firewall:

The rest of the 1:1 NAT rule is fine. One external IP to one internal.

Okay :D

@viragomann said in Multi WAN, TO VM NAS with seperate Firewall:

OK, if the servers are both on LAN within the same subnet there is no problem.

They should be.

jochenmehlich (last edited by jochenmehlich)

It's not working. The VMs can go out.
Only Project is reachable.

Here is the virtual IP configuration
virtual_ip1.png

and the interface
interface.png

Did I do something wrong? Or should I ask my hoster if any feature is missing?

viragomann

Are you sure the Safeserver is responding to the access from the internet?

To investigate, use the packet capture tool from the Diagnostics menu on pfSense.
Take a capture on the LAN interface while trying to access the Safeserver from outside.
If you see nothing, take a capture on OPT1 to check if the packets arrive at pfSense.

jochenmehlich

On OPT1 it's showing the ping request:

00:07:12.007358 IP 5.100.XXX.XXX > 144.76.93.234: ICMP echo request, id 6, seq 4, length 

but there is nothing on LAN.

jochenmehlich

So I think something with the redirection is broken (maybe the 1:1 NAT)?

viragomann

You have not allowed ping on OPT1. Your rules only allow HTTP and HTTPS. So you cannot see a ping on LAN, because pfSense blocks it.
So either test with HTTP or allow ping.

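The capture procedure suggested above (capture on LAN while accessing the server from outside, then on OPT1 to see whether the packet even arrives) and the point that a ping not allowed by the OPT1 rules never shows up on LAN, as an added example that is not part of the thread and not pfSense code. It parses two tcpdump-style captures of the kind pfSense's Diagnostics > Packet Capture prints, translates each outside destination through an assumed 1:1 NAT table, and reports which outside flows never reappear on LAN and whether the rule set or the translation explains it. The capture lines, the 203.0.113.5 client (standing in for the masked 5.100.XXX.XXX), the 1:1 mapping and the rule sets are constructed for the example.

```python
"""Compare pfSense packet captures taken on OPT1 (outside) and LAN (inside).

Added example for this thread; not the poster's data and not pfSense code.
Capture lines, the 203.0.113.5 client, the 1:1 table and the rule sets are
constructed for illustration.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Set, Tuple


class Flow(NamedTuple):
    proto: str            # "icmp" or "tcp"
    src: str
    dst: str
    dport: Optional[int]  # TCP destination port, None for ICMP
    ident: str            # ICMP "id/seq" or TCP source port: ties both captures together


# Diagnostics > Packet Capture prints tcpdump-style text like the OP's line:
# 00:07:12.007358 IP 5.100.XXX.XXX > 144.76.93.234: ICMP echo request, id 6, seq 4, length 64
ICMP_RE = re.compile(r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo request, id (?P<id>\d+), seq (?P<seq>\d+)")
TCP_SYN_RE = re.compile(r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[S\]")

# Constructed captures: the client pings and connects to both public IPs;
# only the Projectserver traffic (.247 -> 172.16.0.2, assumed) shows up on LAN.
OPT1_CAPTURE = """\
00:07:12.007358 IP 203.0.113.5 > 144.76.93.234: ICMP echo request, id 6, seq 4, length 64
00:07:12.100000 IP 203.0.113.5 > 144.76.93.247: ICMP echo request, id 7, seq 1, length 64
00:07:13.012001 IP 203.0.113.5.51234 > 144.76.93.234.443: Flags [S], seq 1, win 64240, length 0
00:07:13.500000 IP 203.0.113.5.51235 > 144.76.93.247.443: Flags [S], seq 1, win 64240, length 0
"""
LAN_CAPTURE = """\
00:07:12.100250 IP 203.0.113.5 > 172.16.0.2: ICMP echo request, id 7, seq 1, length 64
00:07:13.500250 IP 203.0.113.5.51235 > 172.16.0.2.443: Flags [S], seq 1, win 64240, length 0
"""
# Assumed 1:1 NAT table (external VIP -> internal host); the thread never states the LAN hosts.
ONE_TO_ONE = {"144.76.93.247": "172.16.0.2", "144.76.93.234": "172.16.0.3"}
# OPT1 rule set as described in the thread: only HTTP/HTTPS at first, ICMP added afterwards.
RULES_BEFORE: Set[Tuple[str, Optional[int]]] = {("tcp", 80), ("tcp", 443)}
RULES_AFTER = RULES_BEFORE | {("icmp", None)}


def parse_capture(text: str) -> List[Flow]:
    """Pull inbound ICMP echo requests and TCP SYNs out of tcpdump text, in capture order."""
    flows: List[Flow] = []
    for line in text.splitlines():
        m = ICMP_RE.match(line)
        if m:
            flows.append(Flow("icmp", m["src"], m["dst"], None, f"{m['id']}/{m['seq']}"))
            continue
        m = TCP_SYN_RE.match(line)
        if m:
            flows.append(Flow("tcp", m["src"], m["dst"], int(m["dport"]), m["sport"]))
    return flows


def missing_inside(outside: str, inside: str, one_to_one: Dict[str, str]) -> List[Flow]:
    """Outside flows whose 1:1-translated twin never appears in the inside capture."""
    seen_inside = set(parse_capture(inside))
    missing: List[Flow] = []
    for f in parse_capture(outside):
        internal = one_to_one.get(f.dst)
        # No 1:1 entry, or the translated packet never showed on LAN: pfSense dropped it in between.
        if internal is None or f._replace(dst=internal) not in seen_inside:
            missing.append(f)
    return missing


def diagnose(flow: Flow, rules: Set[Tuple[str, Optional[int]]]) -> str:
    """Tell 'blocked by the OPT1 rules' apart from 'passed but not translated/forwarded'."""
    if (flow.proto, flow.dport) not in rules:
        return f"{flow.proto} to {flow.dst}: not permitted by OPT1 rules, so it never reaches LAN"
    return (f"{flow.proto} to {flow.dst}: permitted but never reached LAN; check the 1:1 entry "
            f"for {flow.dst} and that the OPT1 rule's destination is the internal address")


if __name__ == "__main__":
    for f in missing_inside(OPT1_CAPTURE, LAN_CAPTURE, ONE_TO_ONE):
        print(diagnose(f, RULES_BEFORE))
```

Run against the constructed captures, both Safeserver flows are reported: the ICMP one as blocked by the rule set (which is exactly the case viragomann points out), the HTTPS one as permitted yet never translated. The second message is the useful one: pfSense applies NAT before filtering, so the OPT1 rule that passes traffic for a 1:1-mapped host has to name the internal address as its destination, which is the first thing to verify when the outside capture shows the packet and the inside capture does not.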
jochenmehlich

firewall_rules_2.png
Now it should be allowed.

But there is no difference. No incoming ping on LAN and no incoming HTTPS.

viragomann

Strange. Yes, it should work.

What if you add a usual port forwarding rule on OPT1 instead of the 1:1 for that server?

jochenmehlich

Nothing will pass.

No HTTPS response from the Projectserver or the Safeserver.

jochenmehlich

Is there any other method to make a firewall?
It must not be efficient, it must only work.

Every VM must have its own rules and use its own public IPv4 addresses.

viragomann @jochenmehlich

@jochenmehlich said in Multi WAN, TO VM NAS with seperate Firewall:

Nothing will pass.

No HTTPS response from the Projectserver or the Safeserver.

No idea. That is straightforward.
I'd drop that installation and start from scratch.

jochenmehlich

I think that's the best method.
I will try it later; I have to sleep.

Could you explain to me what I have to do?

viragomann

Just make a new installation of pfSense and configure it as you did before.
Sometimes something goes wrong and you cannot find any reason.

jochenmehlich

Same issue as with the installation from yesterday. Projectserver is reachable, Safeserver not ...

rules_wan.png rules_opt1.png rules_lan.png nat_11.png firewall_virtual_ip.png

viragomann

Did you exchange external and internal IPs now deliberately?

I suspect you say you have no access to the Safeserver because the Safeserver was 172.16.0.3 before and now it's 172.16.0.2 (forwarded from 144.76.93.234).

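A consistency check for the pieces argued over across the thread (the gateway must lie inside the interface subnet, the /32 virtual IPs must belong to that subnet, a 1:1 entry maps one external to one internal with destination any, and the external/internal swap suspected in the last reply), added here as an example; it is not the poster's configuration and not anything pfSense ships. The interface, VIP and 1:1 tables are built from the addresses in the thread with the LAN hosts and their assignment assumed (172.16.0.2 for the Projectserver, 172.16.0.3 for the Safeserver); the dictionary layout is this example's own, not pfSense's config.xml schema.

```python
"""Sanity-check a pfSense-style multi-IP layout before touching NAT rules.

Added example for this thread; not the poster's config and not pfSense code.
The interface/VIP/1:1 layout is this example's own; LAN hosts are assumed.
"""
import ipaddress
from typing import Dict, List

# Constructed from the addresses in the thread; LAN hosts .2/.3 are assumed.
INTERFACES = {
    "wan":  {"address": "136.243.196.130/29", "gateway": "136.243.196.129"},
    "opt1": {"address": "144.76.93.247/27",   "gateway": "144.76.93.225"},
    "lan":  {"address": "172.16.0.1/24"},
}
VIPS = [
    {"interface": "opt1", "address": "144.76.93.245/32"},
    {"interface": "opt1", "address": "144.76.93.234/32"},
]
# As first posted: the Safeserver entry carries its own public IP as destination.
ONE_TO_ONE_AS_POSTED = [
    {"interface": "opt1", "external": "144.76.93.245", "internal": "172.16.0.2", "destination": "any"},
    {"interface": "opt1", "external": "144.76.93.234", "internal": "172.16.0.3", "destination": "144.76.93.234"},
]
ONE_TO_ONE_FIXED = [dict(e, destination="any") for e in ONE_TO_ONE_AS_POSTED]
# The mistake suspected in the last reply: external and internal exchanged.
ONE_TO_ONE_SWAPPED = [
    {"interface": "opt1", "external": "144.76.93.245", "internal": "172.16.0.2", "destination": "any"},
    {"interface": "opt1", "external": "172.16.0.3", "internal": "144.76.93.234", "destination": "any"},
]


def validate(interfaces: Dict[str, dict], vips: List[dict], one_to_one: List[dict]) -> List[str]:
    """Return one finding per problem; an empty list means the layout is consistent."""
    findings: List[str] = []
    nets = {n: ipaddress.ip_interface(c["address"]).network for n, c in interfaces.items()}
    own = {n: ipaddress.ip_interface(c["address"]).ip for n, c in interfaces.items()}

    # A static gateway must sit inside the interface's own subnet.
    for name, cfg in interfaces.items():
        gw = cfg.get("gateway")
        if gw and ipaddress.ip_address(gw) not in nets[name]:
            findings.append(f"{name}: gateway {gw} is outside {nets[name]}")

    # A /32 VIP only works if it belongs to the subnet the interface's gateway serves,
    # because pfSense sources replies from that VIP and sends them via that gateway.
    vip_addrs = set()
    for vip in vips:
        addr = ipaddress.ip_interface(vip["address"]).ip
        vip_addrs.add(addr)
        if addr not in nets[vip["interface"]]:
            findings.append(f"VIP {addr} on {vip['interface']} is outside {nets[vip['interface']]}")

    # 1:1 NAT: external must be a VIP (or the interface address) on that interface,
    # internal must be a LAN host, destination should be any, mappings must be unique.
    seen_ext, seen_int = set(), set()
    for e in one_to_one:
        ext = ipaddress.ip_address(e["external"])
        internal = ipaddress.ip_address(e["internal"])
        label = f"1:1 {ext} -> {internal}"
        if ext in nets["lan"] and internal in nets[e["interface"]]:
            findings.append(f"{label}: external and internal look swapped")
            continue
        if ext not in vip_addrs and ext != own[e["interface"]]:
            findings.append(f"{label}: external {ext} is not a VIP on {e['interface']}")
        if internal not in nets["lan"]:
            findings.append(f"{label}: internal {internal} is not in LAN {nets['lan']}")
        if e.get("destination", "any") != "any":
            findings.append(f"{label}: destination {e['destination']} restricts the mapping; use any unless intended")
        if ext in seen_ext or internal in seen_int:
            findings.append(f"{label}: duplicate mapping")
        seen_ext.add(ext)
        seen_int.add(internal)
    return findings


if __name__ == "__main__":
    for name, table in (("as posted", ONE_TO_ONE_AS_POSTED), ("fixed", ONE_TO_ONE_FIXED), ("swapped", ONE_TO_ONE_SWAPPED)):
        print(name, validate(INTERFACES, VIPS, table) or "ok")
```

With the thread's addresses the gateway and VIP checks pass (144.76.93.225 and both VIPs lie in 144.76.93.224/27; 136.243.196.129 lies in 136.243.196.128/29), the as-posted table trips only on the Safeserver destination, and the swapped table is flagged immediately, which is the kind of check worth running before reinstalling pfSense to hunt a configuration error.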
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.