Multiple WAN IPs, NATing to DMZ servers

  • I have searched the forums, and I can't come up with an answer that works for my situation, so I'll post and see if anyone has any ideas.

    I have a /28 subnet from my ISP (x.x.112.48-63).  Internal LAN (we use it as our DMZ) is set as normal.  We have an OPT interface that we use for our Internet filter.

    I want to take IP 112.51 and map it to internal 1.62 - it's just a web server.  The way I understand this should work is I set up a Virtual IP (Single host, ProxyARP) on that address.  I then create either a port forward rule or a 1:1 NAT rule for that.  Ensure that there are rules in the WAN filter to allow traffic to that IP.

    So I did that, and no dice.  I've tried just about every combination I can think of.  I've tried port forwarding vs. 1:1.  I've tried ProxyARP vs. Other.  I've tried all traffic to every IP address in the path (112.51, 1.62, even 1.254 as a last resort), all to no avail.  As a last ditch effort, I allowed all traffic anywhere to any IP.  Bad idea, I know, but I had to see if it was the firewall rules.  I can't ping, I can't get to the website, nothing.  It almost seems as though the VIP doesn't get created.

    I hope someone has some bright suggestions. I really need to get this working ASAP, and I might have to switch to a different product, and I really like pfSense.  Thanks!

  • Instead of proxy ARP use CARP if you haven't yet.
    Also for the testing allow ALL on your firewall rules. :-)
    You could use tcpdump -i interfacename -n from console to see what's up with your packets. That might give you an additional clue. Your setup isn't complicated at all. I have had no problems setting it up many times.
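The tcpdump suggestion above is the quickest way to tell the two failure modes in the first post apart: a VIP that was never installed (the firewall does not answer ARP for it, so nothing ever arrives) versus a VIP that exists but whose port forward or WAN rule drops the traffic (SYNs arrive, no SYN/ACK leaves). The following script is an added example, not code from the thread or from the pfSense project; it runs a few greps over a capture file saved from `tcpdump -n -i <wan>`. The capture embedded in it is constructed, and the addresses are placeholders: 203.0.113.51 stands in for the poster's x.x.112.51 VIP and 198.51.100.10 for an outside client.

```shell
#!/bin/sh
# Added example (not from the thread): offline triage of a capture taken on the
# pfSense WAN interface with "tcpdump -n -i <wan>". It answers two questions:
#   1. does the firewall answer ARP for the VIP at all (was the VIP created)?
#   2. does a client SYN to VIP:port ever get a SYN/ACK back (does the forward work)?
# 203.0.113.51 is a constructed stand-in for the poster's x.x.112.51 VIP and
# 198.51.100.10 for an outside client.

VIP="203.0.113.51"
PORT="80"

# Constructed sample of tcpdump -n output, written to a temp file so the functions
# below can be run against it exactly as they would be against a real capture.
CAPTURE="$(mktemp)"
trap 'rm -f "$CAPTURE"' EXIT
cat > "$CAPTURE" <<'EOF'
12:00:01.000000 ARP, Request who-has 203.0.113.51 tell 203.0.113.49, length 46
12:00:01.000100 ARP, Reply 203.0.113.51 is-at 00:11:22:33:44:55, length 28
12:00:02.000000 IP 198.51.100.10.51000 > 203.0.113.51.80: Flags [S], seq 1, win 65535, length 0
12:00:02.000500 IP 203.0.113.51.80 > 198.51.100.10.51000: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:03.000000 IP 198.51.100.10.51001 > 203.0.113.51.443: Flags [S], seq 1, win 65535, length 0
EOF

# Number of ARP replies in which the firewall claims the VIP; 0 means the VIP
# was never installed (the symptom the first post describes).
arp_replies() {   # $1=capture $2=vip
    grep -c "ARP, Reply $2 is-at" "$1" || true
}

# Inbound SYNs addressed to vip:port.
syn_count() {     # $1=capture $2=vip $3=port
    grep -c " > $2\.$3: Flags \[S\]" "$1" || true
}

# SYN/ACKs sent from vip:port back to the client (the forward and the WAN pass
# rule both worked, and the DMZ host answered).
synack_count() {  # $1=capture $2=vip $3=port
    grep -c "IP $2\.$3 > .*Flags \[S\.\]" "$1" || true
}

# Verdict for one vip:port: no-vip, no-traffic, forward-broken or ok.
diagnose() {      # $1=capture $2=vip $3=port
    if [ "$(arp_replies "$1" "$2")" -eq 0 ]; then
        echo "no-vip"; return
    fi
    syn=$(syn_count "$1" "$2" "$3")
    ack=$(synack_count "$1" "$2" "$3")
    if [ "$syn" -eq 0 ]; then
        echo "no-traffic"          # nothing reached the WAN side: upstream routing/ARP
    elif [ "$ack" -eq 0 ]; then
        echo "forward-broken"      # SYNs arrive but nothing comes back: NAT rule, WAN rule or DMZ host
    else
        echo "ok"
    fi
}

echo "$VIP:$PORT  -> $(diagnose "$CAPTURE" "$VIP" "$PORT")"
echo "$VIP:443 -> $(diagnose "$CAPTURE" "$VIP" 443)"
```

On a real box, replace the heredoc with `tcpdump -n -i em0 -w - | tcpdump -n -r - > capture.txt` (or just redirect `tcpdump -n -i <wan>` to a file) and call `diagnose capture.txt <vip> <port>`. A `no-vip` verdict points at the Virtual IP entry itself (or at an upstream router that still holds a stale ARP entry, which is one reason CARP is often preferred over Proxy ARP); `forward-broken` means the packets are arriving and the problem is in the NAT rule, the WAN pass rule, or the DMZ host's own firewall or default gateway.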

  • Hi,

    I have a simpler setup with just WAN and LAN.  The WAN has 5 static IPs.  I wanted to forward the ports to the servers internally.  The primary IP assigned responded very fast.  But the other VIPs have very slow response.  To make a valid test, I forwarded the http port of each static IP to an internal IP of the same internal server (with different LAN IPs respectively) using virtual host, serving the same exact content.  I've tried using VIP as CARP, PARP, and other.  All have performance issues on the VIPs.  Does anyone know the causes of this?

    BTW:  I'm using pfSense version 1.2.1 RC2. I have 0 In/Out errors on status > NICs.