Virtual IP with manual Outbound NAT = No internet



  • To start off with, here is a simple view of my network:

    I set up XXX.XXX.XXX.122 as my WAN IP and it is working fine on both the public and private LAN.
    What I would like to accomplish is for all traffic from the public LAN to go over XXX.XXX.XXX.123

    I have tried setting my up a virtual IP address as alias, CARP, and Proxy ARP with no success. No matter which I choose, I can ping the IP when it is set up, so I don't believe this is where the problem lies.

    I changed Outbound NAT to Manual and then edited the automatic rules for the Public lan as follows and moved them to the top of the list:

    When I do this, internet works fine on my private LAN, but I lose internet completely on the public LAN.
    I did read that it may have something to do with port forwarding, but I am stuck at this point. Any help would be greatly appreciated.



  • Why not just add your second public IP address as another gateway (since that's what you're using it as), and then use firewall rules to direct the traffic out the specified gateway?



  • I hadn't thought of that, but it would be much easier. I set up the .123 address as a gateway and then changed the "Allow to Any" rule on the Public LAN and specified the new gateway. I tested from a workstation connected to the Public LAN, and it does have internet, but whatismyip.com, and other similar sites, are reporting the .122 address for some reason. Is there anything else I would need to do to force traffic over that gateway? The only other rules I have on the Public LAN are a few that let me access specific machines on the private LAN, followed by a rule that denies access to the rest of the private LAN.



  • Did you specify that all Public LAN traffic uses the second gateway, under the rule's Display Advanced options?



  • I specified the gateway under the default allow all rule. I did not specify it under all of the rules. Here is what I have:

    The top 2 rules allow access to workstations on the private LAN. I just realized when I looked at it that my 4th rule may be redundant.



  • Your 4th rule is irrelevant since inter-LAN traffic never hits the router.

    Can you post updated screenshot of your outbound NAT?



  • I have my outbound NAT set back to automatic. Since I don't have a virtual IP set up any more, the rules had reverted back to default anyway.



  • It's starting to get confusing now.  Do you still have .123 defined as a second WAN?  Do you have rule(s) that direct traffic to one WAN versus another?  If your outbound NAT is set to Auto, then you should have more than the default NAT rules there.



  • Here is what I have done and where we are at:

    1. I removed the .123 address as a virtual IP.
    2. I set Outbound NAT back to Auto.
    3. I created a new gateway with the .123 address called NTS_FIBER_PUBLIC.
    4. I edited the "Allow to any" firewall rule under the Public LAN and specified the new .123 gateway.

    So in effect I reverted everything back to before I started trying to get the second IP to work, then made the changes we have discussed.



  • OK, I misspoke and confused things when I referred to it as another "gateway".  You only have the one gateway via the one ISP.  Mr brain hurts on Mondays…

    Create a virtual IP - IP Alias for your .123 address.  Then you should be able to change your Outbound NAT to Hybrid and add a rule:

    WAN  192.168.10.0/24  *  *  *  a.b.c.123  *  Randomize



  • OK, I removed all the gateway stuff and created a virtual IP again.
    I am starting to believe that my virtual IP simply isn't coming up, as in it's never registering with my ISP.
    I tried to create a simple rule to pass ICMP through and cannot ping from outside my network. If I change it to my WAN address, I can ping no problem.


  • Netgate

    Create the virtual IP address on WAN. I would use type IP Alias to start.

    In Diagnostics > Ping, ping your ISP gateway address. For source address, select the VIP.

    If that does not work, call your ISP.

    If it does work, do the same thing to 8.8.8.8 or something.

    If that works it should all work fine and you can move to your outbound NAT config.



  • Thanks for the tip! I was trying to find an easy way to verify that my virtual IP was actually working. It's not.
    I will call my ISP and see if they can help me out.

    Thank you both for your time.