    Virtual IP with manual Outbound NAT = No internet

adiadasman:

To start off with, here is a simple view of my network:

I set up XXX.XXX.XXX.122 as my WAN IP and it is working fine on both the public and private LAN.
What I would like to accomplish is for all traffic from the public LAN to go over XXX.XXX.XXX.123.

I have tried setting up a virtual IP address as an IP Alias, CARP, and Proxy ARP with no success. No matter which I choose, I can ping the IP when it is set up, so I don't believe this is where the problem lies.

I changed Outbound NAT to Manual and then edited the automatic rules for the Public LAN as follows and moved them to the top of the list:

When I do this, internet works fine on my private LAN, but I lose internet completely on the public LAN.
I did read that it may have something to do with port forwarding, but I am stuck at this point. Any help would be greatly appreciated.

KOM:

Why not just add your second public IP address as another gateway (since that's what you're using it as), and then use firewall rules to direct the traffic out the specified gateway?

adiadasman:

I hadn't thought of that, but it would be much easier. I set up the .123 address as a gateway and then changed the "Allow to Any" rule on the Public LAN and specified the new gateway. I tested from a workstation connected to the Public LAN, and it does have internet, but whatismyip.com and other similar sites are reporting the .122 address for some reason. Is there anything else I would need to do to force traffic over that gateway? The only other rules I have on the Public LAN are a few that let me access specific machines on the private LAN, followed by a rule that denies access to the rest of the private LAN.

KOM:

Did you specify that all Public LAN traffic uses the second gateway, under the rule's Display Advanced options?

adiadasman:

I specified the gateway under the default allow all rule. I did not specify it under all of the rules. Here is what I have:

The top 2 rules allow access to workstations on the private LAN. I just realized when I looked at it that my 4th rule may be redundant.

KOM:

Your 4th rule is irrelevant since inter-LAN traffic never hits the router.

Can you post an updated screenshot of your outbound NAT?

adiadasman:

I have my outbound NAT set back to automatic. Since I don't have a virtual IP set up any more, the rules had reverted back to default anyway.

KOM:

It's starting to get confusing now. Do you still have .123 defined as a second WAN? Do you have rule(s) that direct traffic to one WAN versus another? If your outbound NAT is set to Auto, then you should have more than the default NAT rules there.

adiadasman:

Here is what I have done and where we are at:

1. I removed the .123 address as a virtual IP.
2. I set Outbound NAT back to Auto.
3. I created a new gateway with the .123 address called NTS_FIBER_PUBLIC.
4. I edited the "Allow to any" firewall rule under the Public LAN and specified the new .123 gateway.

So in effect I reverted everything back to before I started trying to get the second IP to work, then made the changes we have discussed.

KOM:

OK, I misspoke and confused things when I referred to it as another "gateway". You only have the one gateway via the one ISP. My brain hurts on Mondays…

Create a virtual IP - IP Alias for your .123 address. Then you should be able to change your Outbound NAT to Hybrid and add a rule:

WAN  192.168.10.0/24  *  *  *  a.b.c.123  *  Randomize

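Why the Hybrid rule above works and why the earlier gateway-only attempt still showed .122 comes down to first-match evaluation of the Outbound NAT table: in Hybrid mode the manual rules sit above the automatic ones, so a public-LAN packet hits the VIP rule before the auto rule that would map it to the WAN address. The following is an added example, not code from the thread or from pfSense; it is a simplified model of that evaluation (no port handling, no per-protocol auto rules). The addresses are constructed: 203.0.113.122/.123 stand in for the thread's XXX.XXX.XXX.122/.123, 192.168.10.0/24 is the subnet from KOM's rule, and 192.168.1.0/24 is an assumed private LAN.

```python
"""Simplified model of pfSense outbound NAT first-match evaluation (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class OutboundNatRule:
    """One row of the Outbound NAT table: interface, source, destination, translation."""
    interface: str      # egress interface the rule applies to, e.g. "WAN"
    source: str         # source network in CIDR notation, or "any"
    destination: str    # destination network in CIDR notation, or "any"
    translation: str    # address the packet's source is rewritten to
    label: str          # description, used only for reporting

    def matches(self, interface: str, src: str, dst: str) -> bool:
        """True when the packet leaves on this rule's interface and fits both networks."""
        if interface != self.interface:
            return False
        if self.source != "any" and ip_address(src) not in ip_network(self.source):
            return False
        if self.destination != "any" and ip_address(dst) not in ip_network(self.destination):
            return False
        return True


def pick_translation(rules: List[OutboundNatRule], interface: str,
                     src: str, dst: str) -> Optional[Tuple[str, str]]:
    """Walk the table top to bottom; the first matching rule decides the
    translation address. None means no rule matched (packet leaves untranslated)."""
    for rule in rules:
        if rule.matches(interface, src, dst):
            return rule.translation, rule.label
    return None


def hybrid_ruleset(manual: List[OutboundNatRule],
                   auto: List[OutboundNatRule]) -> List[OutboundNatRule]:
    """Hybrid mode: manually entered rules are evaluated before the
    automatically generated ones."""
    return list(manual) + list(auto)


# Constructed addresses (RFC 5737 documentation range).
WAN_ADDR = "203.0.113.122"       # interface address of WAN
VIP_ADDR = "203.0.113.123"       # IP Alias virtual IP on WAN
PRIVATE_LAN = "192.168.1.0/24"   # assumed private LAN subnet
PUBLIC_LAN = "192.168.10.0/24"   # public LAN subnet from KOM's rule

# Automatic outbound NAT (simplified): each local subnet -> WAN interface address.
AUTO_RULES = [
    OutboundNatRule("WAN", PRIVATE_LAN, "any", WAN_ADDR, "auto: private LAN -> WAN address"),
    OutboundNatRule("WAN", PUBLIC_LAN, "any", WAN_ADDR, "auto: public LAN -> WAN address"),
]

# The single manual rule suggested for Hybrid mode: public LAN -> VIP.
PUBLIC_VIA_VIP = OutboundNatRule("WAN", PUBLIC_LAN, "any", VIP_ADDR, "manual: public LAN -> VIP")


def describe(rules: List[OutboundNatRule], interface: str, src: str, dst: str) -> str:
    """Human-readable verdict for one packet against one table."""
    hit = pick_translation(rules, interface, src, dst)
    if hit is None:
        return f"{src} -> {dst} on {interface}: no outbound NAT rule matched"
    return f"{src} -> {dst} on {interface}: translated to {hit[0]} ({hit[1]})"


if __name__ == "__main__":
    public_host, private_host, remote = "192.168.10.5", "192.168.1.5", "8.8.8.8"
    print("Automatic mode only:")
    print("  " + describe(AUTO_RULES, "WAN", public_host, remote))
    print("Hybrid mode (manual rule above auto rules):")
    hybrid = hybrid_ruleset([PUBLIC_VIA_VIP], AUTO_RULES)
    print("  " + describe(hybrid, "WAN", public_host, remote))
    print("  " + describe(hybrid, "WAN", private_host, remote))
    print("Manual mode with the VIP rule left below the auto rules:")
    print("  " + describe(AUTO_RULES + [PUBLIC_VIA_VIP], "WAN", public_host, remote))
```

The last case is the trap the original poster avoided by moving the edited rules "to the top of the list": with the VIP rule below the catch-all auto rule it never fires, and the public LAN still leaves as .122. The model only answers which address the firewall would write into the packet; whether that address actually works upstream (ARP answered on the WAN segment, ISP routing it back) is what the ping-from-VIP check later in the thread verifies.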
adiadasman:

OK, I removed all the gateway stuff and created a virtual IP again.
I am starting to believe that my virtual IP simply isn't coming up, as in it's never registering with my ISP.
I tried to create a simple rule to pass ICMP through and cannot ping from outside my network. If I change it to my WAN address, I can ping no problem.

Derelict (LAYER 8, Netgate):

Create the virtual IP address on WAN. I would use type IP Alias to start.

In Diagnostics > Ping, ping your ISP gateway address. For source address, select the VIP.

If that does not work, call your ISP.

If it does work, do the same thing to 8.8.8.8 or something.

If that works it should all work fine and you can move to your outbound NAT config.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

adiadasman:

Thanks for the tip! I was trying to find an easy way to verify that my virtual IP was actually working. It's not.
I will call my ISP and see if they can help me out.

Thank you both for your time.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.