Netgate Discussion Forum
    Ping VIP Used In 1:1 NAT

    HA/CARP/VIPs
    4 Posts 3 Posters 3.1k Views

    • compucoder

      Hello,

      I am testing out pfSense to replace the firewall I built with Ubuntu and Shoreline and have hit a few snags and have solved all but 1 myself.

      I have 5 public IPs; I set up 1 as the WAN address and the other 4 as Virtual IPs on the WAN using CARP with a different VHID per IP. I don't need any fail-over.

      I have the 4 VIPs set up with 1:1 NAT to my servers, and all the port forwarding is working great, so I know things are working. When I add an ICMP rule to WAN directly I can ping my first IP no problem. When I try to ping any of the VIPs I get no response, even though I have the exact same type of ICMP rule on those VIPs, just like on the WAN.

      Now, when I take the 1:1 away from those VIP's the ping works. This doesn't make any sense to me.

      Anyone know what may be wrong? To summarize, I can ping my VIPs if I don't have 1:1 NAT enabled, but when I configure the VIPs for 1:1 NAT the ping no longer works.

      Thanks.

      • dotdash

        When you use a 1-1, the machine replies to the ping instead of the firewall. You need to have a rule allowing ICMP to the machine (the private IP).

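        The behaviour dotdash describes, written out as an added pf.conf fragment for illustration (this is a constructed example, not pfSense's generated ruleset; the em0 interface and the 203.0.113.11 / 192.168.1.11 addresses are assumed). pfSense's 1:1 NAT corresponds to a pf binat rule, and because pf translates inbound packets before it filters them, the WAN rule only matches if it names the private address:

        ```pf
        # Constructed example. Assumed names: em0 is the WAN interface,
        # 203.0.113.11 is one CARP VIP, 192.168.1.11 is the server behind it.
        ext_if = "em0"
        vip    = "203.0.113.11"
        server = "192.168.1.11"

        # 1:1 NAT: every inbound packet addressed to the VIP is rewritten to the
        # server, and the server's replies are rewritten back to the VIP.
        # Translation happens before filtering, so inbound filter rules see the
        # server's private address, not the VIP.
        binat on $ext_if from $server to any -> $vip

        # Never matches: by the time filtering runs the destination is already
        # $server, so with a default-deny policy the echo requests are dropped
        # and nothing answers the ping.
        # pass in quick on $ext_if inet proto icmp from any to $vip icmp-type echoreq

        # Matches: allow echo requests to the private address that receives them.
        pass in quick on $ext_if inet proto icmp from any to $server icmp-type echoreq
        ```

        In the pfSense GUI this is the same thing: the WAN rule's Destination must be the server's LAN address rather than the VIP.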
        • compucoder

          I see.

          This isn't very intuitive.

          It may be worth investigating adding ICMP as a protocol option in your Port Forward page so that it creates these rules for you. A text tidbit may be good also on 1:1 NAT tab that indicates how 1:1 works and how to handle things like ICMP.

          Thanks for your help.

          • GruensFroeschli

            It is intuitive.
            If you 1:1 NAT something then you forward EVERYTHING (thus 1:1).

            And adding firewall options to the NAT options is a very bad idea.

            --> Keep firewall rules and NAT rules apart.
            This is one of the big plusses of pfSense.

            We do what we must, because we can.

            Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.