NAT reflection, 1:1 VIP and NAT outbound rule to VIP

  • Hello!

    I am having a strange problem configuring the new multiple subnet setup with Virtual IPs.

    The topology is:

    WORLD
    |
    pfSense x.x.7.2 public IP, Public VIPs: x.x.x.216/29 /not the same subnet as gateway/ WAN /NIC0/
    |
    --- LAN1 PUBLIC /NIC1/ 10.0.0.0/20
    -------- some SERVER at 10.0.0.254 --> Virtual IP x.x.x.220 used by means of 1:1 NAT
    |
    --- LAN2 STAFF /NIC2/ 192.168.0.0/20 --> Virtual IP x.x.x.219
    |
    --- LAN3 /VLAN on NIC1/ 192.168.254.0/20 --> No VIP

    LAN 1 and 2 are on different hardware NICs; the whole setup is hardware or VMs.

    What I need to accomplish is to allow communication from the LAN2 STAFF network to the SERVER on LAN1 PUBLIC using its publicly available VIP (xxx.220).

    I can easily communicate to VIP xxx.220 from the world and from within LAN1 and LAN3.

    The LAN2 VIP was set up using outbound NAT rules. /pic1/
    LAN1, LAN2 and LAN3 rules are configured the same, and yet I can communicate to xxx.220 from LAN3 but not from LAN2...
    What gives? /pic2/

    ===

    EDIT:
    8 hours later I figured out that the server was connected to that 192.168.0.0/20 network on a second NIC and was confused; that's why it didn't respond.


  • Before working on VIPs, NAT, etc… I recommend taking a look at your subnets.  /20 subnets have 4096 hosts available.  Your LAN3 at 192.168.254.0/20 is also not a valid network address.  The correct network address for that subnet would be 192.168.240.0/20 (If you're really trying to use /20 subnets).

    If you meant /24 (aka 255.255.255.0), you might want to correct that.  A /20 subnet could probably use further segmentation if you're really working with 4k clients.

    Good luck!
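    The subnet check this reply describes, as an added example that is not part of the thread: it normalizes each LAN from the topology above (the LAN networks are constructed here from the first post), reports whether the written address is really the network address for its prefix, gives the corrected network and address count, and flags any overlapping LANs, which is what a mistyped prefix like /20 instead of /24 would cause.

```python
import ipaddress
from itertools import combinations

# Constructed from the topology in the first post (assumption: these are the intended subnets).
LANS = {
    "LAN1 PUBLIC": "10.0.0.0/20",
    "LAN2 STAFF": "192.168.0.0/20",
    "LAN3": "192.168.254.0/20",
}


def check_subnet(cidr: str) -> dict:
    """Report whether 'cidr' is written with its true network address for that prefix.

    ip_interface() accepts host bits set (e.g. 192.168.254.0/20), unlike the strict
    ip_network(), so we can compare the written address against the real network.
    """
    iface = ipaddress.ip_interface(cidr)
    net = iface.network
    usable = net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses
    return {
        "given": cidr,
        "valid_network_address": iface.ip == net.network_address,
        "network": str(net),           # corrected form, e.g. 192.168.240.0/20
        "addresses": net.num_addresses,  # 4096 for a /20
        "usable_hosts": usable,        # minus network and broadcast address
    }


def overlapping_pairs(cidrs) -> list:
    """Return pairs of (normalized) networks that overlap; empty list means the plan is sound."""
    nets = [ipaddress.ip_interface(c).network for c in cidrs]
    return [(str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b)]


def audit(lans: dict) -> dict:
    """Run both checks over a name -> cidr mapping."""
    return {
        "subnets": {name: check_subnet(cidr) for name, cidr in lans.items()},
        "overlaps": overlapping_pairs(lans.values()),
    }


if __name__ == "__main__":
    for name, result in audit(LANS)["subnets"].items():
        print(name, result)
    print("overlaps:", audit(LANS)["overlaps"])
```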
