1:1 Just not working



  • I've set up 1:1 as per these two screens, but seem to have done something wrong.

    The outside world can't see the 192.168.75.8 machine and when the 192.168.75.8 machine tries to access the internet, it appears as the firewall's WAN IP address - when it should appear on the VIP address.

    Could somebody please explain to me where I've gone wrong?

    I'm attaching a dump of the "interfaces" page. As you can see, I am using a separate IP address for the WAN port.

    Thank you.







  • You've misconfigured the CARP VIP.
    Read the note next to it.
    The /32 you've set is the actual subnet mask and should probably be /29.

    I'm not sure if this is the only problem, but this is what I immediately see.



  • Thank you for the reply.

    I changed the subnet to /29, but now have this error message in the system log:

    `kernel: arp_rtrequest: bad gateway 41.208.25.86 (!AF_LINK)`

    The network is xx.xxx.xx.80/29
    The router is supplied by the IAP with the gateway for the other IP addresses set to .81
    A wireless access point is .82
    Another wireless access point is .83
    The outside port of pfSense is .84
    I want .85 and .86 to be on the LAN side of the firewall.



  • My recommendation would be to use Proxy ARP instead of CARP. Unless you have a specific need for CARP, just change the TYPE to "Proxy ARP".

    All you will need is the IP address, which in your case is 41.208.25.86

    Give it a shot and good luck!



  • OK, so I started afresh and made one Proxy ARP VIP.

    I then set up a 1:1 rule for all traffic to and from .86 to go to 192.168.75.8.

    But, still nothing's working.

    When I go to network-tools.com it still shows the IP address as being from the firewall (.84), and when I try to telnet into port 25 of the machine from outside of our network it still goes to the firewall instead of being routed to the machine.

    I've obviously missed something, but I don't know what.

    Do I need to reboot the firewall for the changes to take effect?
    Do I need to add any other rules anywhere for the changes to work?



  • I had the same problem and went through a bunch of trial and error, and here is what I did.
    I made PDF screenshots of it so I could remember what I did, lol.

    Set your CIDR to /32, not /29. You are trying to map a single address and, as the notes say: The subnet size specified for the external subnet also applies to the internal subnet (they have to be the same).

    The CIDR specified for the WAN apparently does not matter here, as I used /32 to get it to work and my WAN is /25.

    Hope this helps!
    Tom

    ![apgm.apghost.com - 1 to 1 nat edit.png](/public/imported_attachments/1/apgm.apghost.com - 1 to 1 nat edit.png)
    ![apgm.apghost.com - Firewall...png](/public/imported_attachments/1/apgm.apghost.com - Firewall…png)
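The /32 versus /29 point above is easier to see by computing what a 1:1 (pf "binat") mapping actually does. This is an added example, not code from the thread or from pfSense; it assumes the network-to-network semantics of 1:1 NAT, where both sides share one prefix length and each host keeps its offset inside the block. With the thread's addresses, a /29 maps eight public addresses (including the firewall's own .84), and .86 lands on 192.168.75.14 rather than .8.

```python
import ipaddress


def binat_map(external_cidr: str, internal_cidr: str) -> dict:
    """Return {external_ip: internal_ip} for a 1:1 NAT entry.

    pfSense applies the external subnet size to the internal side, so both
    prefixes must match. The mapping is network-to-network: host N of the
    external block translates to host N of the internal block.
    """
    ext = ipaddress.ip_network(external_cidr, strict=False)
    lan = ipaddress.ip_network(internal_cidr, strict=False)
    if ext.prefixlen != lan.prefixlen:
        raise ValueError("external and internal subnet sizes must be equal")
    return {
        str(ext.network_address + i): str(lan.network_address + i)
        for i in range(ext.num_addresses)
    }


def overlaps_wan(external_cidr: str, wan_ip: str) -> bool:
    """True if the firewall's own WAN address falls inside the 1:1 block,
    which would pull the firewall's traffic into the translation."""
    ext = ipaddress.ip_network(external_cidr, strict=False)
    return ipaddress.ip_address(wan_ip) in ext


if __name__ == "__main__":
    # Addresses from the thread: WAN .84, intended VIP .86 -> 192.168.75.8
    for cidr in ("32", "29"):
        mapping = binat_map(f"41.208.25.86/{cidr}", f"192.168.75.8/{cidr}")
        print(f"/{cidr}: {len(mapping)} address(es) translated")
        for pub, priv in mapping.items():
            print(f"  {pub} <-> {priv}")
        print("  WAN .84 inside block:", overlaps_wan(f"41.208.25.86/{cidr}", "41.208.25.84"))
```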



  • Thanks guys.

    Here is what I've done, but no prizes for guessing: It still doesn't work.

    I've used an unassigned IP address 41.208.25.85 and routed it to 192.168.75.5

    The world still sees 192.168.75.5 as being 41.208.25.84 (the "proper" IP address of the pfSense box) instead of the VIP of 41.208.25.85.
    When I try to telnet to port 25 on 192.168.75.5 (which is running a working mail server) I get to the pfSense box instead of the other machine.

    On paper it's all right. I wish I knew what I'm doing wrong.

    For what it's worth, I'm using 192.168.75.12 as the test IP address.

    pfSense has four NICs

    WAN is 41.208.75.84 and VIP 41.208.75.85
    LAN is 192.168.75.254
    WLAN1 is 192.168.76.254
    WLAN2 is 192.168.77.254

    I'm getting flak from management and would appreciate help in resolving this rather irritating problem.






  • Try rebooting the external router after you have added the Proxy ARP VIP. Some routers have a nasty habit of keeping an ARP cache that won't clear without a reboot (or waiting a couple of hours) and will prevent the VIPs from working.

