VIP setting



  • Here's the setup :

    First pfsense box (Box 1) acting as load balancer , OpenVPN Server for branches and dhcp server for Box 2.

    Second pfsense box (Box 2)  acting as firewall, content filter.

    Two Servers , Server1 and Server 2 are behind the firewall .

    All the branches connect to Box 1 through OpenVPN and rdp to Server1. (rdp port 3389 is opened in Box 2  and port forwarded to server 1)

    Now I want to assign another IP to Box 2 (VIP) which should port forward to server 2. So that users when use this IP for rdp they are forwarded to server 2.

    My Plan :

    My plan is to have Virtual IP in Box 2 with IP Alias. Then port forward for this IP to server 2.

    I am not sure about this settings so don't want to take any chance.

    Also is there any changes I need to make in Box 1 (as it is the dhcp server for box 2).

    Any help.

    Regards,
    Ashima



  • I haven't received any response. I just want to confirm if I use virtual Ip with Ip Alias and do a port forward to second server will it work. Since the Pfsense box is at the remote location (at the head office where all branches connect) I don't want to take any chance.

    Also should I have to make any change in  BOx 1 (the load balancer) as it is the dhcp server fox box 2.

    As I am going to make these changes remotely I just want to confirm my step.

    Any Help ?

    Regards,
    Ashima



  • If you're providing services behind box 2 it's recommended to have static IPs for that.
    Why you want to use dynamic IPs on that box?



  • Thank you viragomann.

    I am using mac-ip binding in box1 so box2 always get same Ip.

    I can of course make box2 to have static Ip if that serves  the purpose.
    My question is about assigning another Ip  (virtual ip) to box2 so that I can access server2 with same port as server 1.

    Thanks,
    Ashima.



  • Yes, of course you may assign additional IP aliases to WAN and forward it to the server.
    It would also work if the primary is pulled from DHCP. So if you have a static mapping it will be fine to provide a service.
    However, the IP aliases have to be static.