Ping VIP Used In 1:1 NAT

  • Hello,

    I am testing out pfSense to replace the firewall I built with Ubuntu and Shoreline and have hit a few snags and have solved all but 1 myself.

    I have 5 public IPs, of which I set up 1 as the WAN address and the other 4 as Virtual IPs on the WAN using CARP with a different VHID per IP. I don't need any fail-over.

    I have the 4 VIPs set up with 1:1 NAT to my servers and all the port forwarding is working great, so I know things are working. When I add an ICMP rule to the WAN directly I can ping my first IP no problem. When I try to ping any of the VIPs I get no response, even though I have the exact same type of ICMP rule on those VIPs as on the WAN.

    Now, when I take the 1:1 away from those VIPs the ping works. This doesn't make any sense to me.

    Anyone know what may be wrong? To summarize, I can ping my VIPs if I don't have 1:1 NAT enabled, but when I configure the VIPs for 1:1 NAT the ping no longer works.


  • When you use a 1:1, the machine replies to the ping instead of the firewall. You need to have a rule allowing ICMP to the machine (the private IP).

  • I see.

    This isn't very intuitive.

    It may be worth investigating adding ICMP as a protocol option in your Port Forward page so that it creates these rules for you. A text tidbit may be good also on 1:1 NAT tab that indicates how 1:1 works and how to handle things like ICMP.

    Thanks for your help.

  • It is intuitive.
    If you 1:1 NAT something then you forward EVERYTHING (thus 1:1).

    And adding firewall options to the NAT options is a very bad idea.

    –> Keep firewall rules and NAT rules apart.
    This is one of the big plusses of pfSense.
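
The point made in the two replies above (1:1 NAT forwards everything, ICMP included, so the WAN rule has to name the private address) comes down to pf evaluating translation before filtering. The following pf rule fragment is an added illustration by the editor, not configuration from the thread or generated by pfSense; the interface name em0, the public addresses 203.0.113.10/.11 and the internal host 10.0.0.11 are assumed placeholders.

```pf
# Added example (editor's, not from the thread). Assumed values:
#   em0           = WAN interface
#   203.0.113.10  = primary WAN address (the one the poster can ping)
#   203.0.113.11  = CARP VIP carrying the 1:1 mapping
#   10.0.0.11     = internal server behind that VIP

# 1:1 NAT in pf terms. Inbound packets addressed to 203.0.113.11 are
# rewritten to 10.0.0.11 BEFORE the filter rules below are evaluated;
# outbound packets from 10.0.0.11 leave with source 203.0.113.11.
binat on em0 from 10.0.0.11 to any -> 203.0.113.11

# Works: the firewall itself answers echo requests sent to its WAN address.
pass in quick on em0 inet proto icmp from any to 203.0.113.10 icmp-type echoreq keep state

# Does NOT work while the binat above is active: by the time this rule is
# checked the destination is already 10.0.0.11, so "to 203.0.113.11" never
# matches and the packet falls through to the default block.
pass in quick on em0 inet proto icmp from any to 203.0.113.11 icmp-type echoreq keep state

# Works: match on the post-translation (private) address. Remove the binat
# line and the packet keeps destination 203.0.113.11, the previous rule
# matches and the firewall answers, which is exactly what the poster saw.
pass in quick on em0 inet proto icmp from any to 10.0.0.11 icmp-type echoreq keep state
```

In the pfSense GUI this means the WAN rule's destination is the internal host (10.0.0.11 here), not the VIP. To confirm which side is dropping the packet, run `tcpdump -ni em0 icmp` on the WAN and `tcpdump -ni <LAN interface> icmp` on the inside while pinging the VIP: the request should show up on the WAN with the VIP as destination and on the LAN with the private address; if it never appears on the LAN, the filter rule is the problem, and if it does but no reply comes back, the server's own host firewall or its default route is. `pfctl -sn` lists the active binat rules and `pfctl -sr` the filter rules, which is the quickest way to check what the GUI actually generated.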

