Netgate Discussion Forum

    Hosts on the same network cannot communicate using their public IPs

Category: NAT
4 Posts 2 Posters 733 Views
kenneth-vkd

      Hi
We are hosting some virtual servers on dedicated physical servers with OVH and use their vRack system to have multiple internal networks, which are managed by a single pfSense firewall (at the moment).

However, we are facing an issue where the assigned failover IPs have some communication problems.
I have done some troubleshooting and the issue seems to apply to hosts/VMs on the same subnet/VLAN. When I e.g. try to SSH to a host on the same subnet using the assigned 1:1 NAT public IP, it cannot connect. If I connect to the same host using the assigned internal IP, it works, as we are not hitting pfSense. If I connect with SSH to a host on a different VLAN, using the public IP of that host, it connects fine.

All IP addresses are created as IP Alias virtual IPs on the firewall, and a corresponding 1:1 NAT rule is created to point each IP to the internal host that should use it.

The firewall is configured so that each VLAN has a default rule that allows everything as long as it is not destined for 172.16.0.0/12 (the OVH vRack network).
As some services are located on different VLANs/interfaces, we are using floating rules for any inbound traffic that should be accessible both from the outside world and between networks behind our pfSense router.

      For testing I tried to change the rule of an affected network, so that it allows everything to every destination (allow any to any rule).

      We have enabled NAT reflection with "Pure NAT" method and also checked the "Automatic creation of additional NAT redirect rules from within the internal networks", so that the hosts should be able to communicate with each other.

      As we never seem to hit the firewall layer of pfSense, how can we troubleshoot the cause of the issue?

kenneth-vkd

        Does anyone have an idea about what is the problem here?
        Basically hosts inside the same network/VLAN are unable to communicate with each other when using their public IP addresses.

For a website where a cron job needs to call a file on the domain using wget or curl, this will not work, as it can never connect unless we add every single domain directly to the server's /etc/hosts file.

johnpoz (LAYER 8 Global Moderator)

          "other when using their public IP addresses."

          https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

kenneth-vkd

Thank you for the link. It seems that I had forgotten to set "Enable automatic outbound NAT for Reflection". After setting this, servers were able to communicate with nodes on the same VLAN.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
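Why the same-VLAN case fails without that checkbox, and why the cross-VLAN case worked all along, comes down to which path the server's SYN-ACK takes. The following is an added model written for this page, not code from the thread or from pfSense; the addresses (10.10.10.0/24, 203.0.113.30, 10.10.20.20) are constructed, and ports are omitted so the toy state table holds one flow at a time. The `reflection_outbound_nat` flag stands in for "Enable automatic outbound NAT for Reflection": without it, Pure NAT only rewrites the destination, the target sees the real client address on its own subnet, and answers it directly over layer 2, so pfSense never gets to undo the translation and the client receives a SYN-ACK from an address it never connected to.

```python
"""Toy model of pfSense 1:1 NAT reflection ("Pure NAT") for a client that shares a
subnet with the target. Added example with constructed, hypothetical addresses;
it is not the thread's configuration. Ports are omitted, so one flow at a time."""
from dataclasses import dataclass
import ipaddress

# Hypothetical topology: client and server sit on the same VLAN behind pfSense.
LAN = ipaddress.ip_network("10.10.10.0/24")   # VLAN of client and server
FW_LAN_IP = "10.10.10.1"                      # pfSense address on that VLAN
SERVER_INTERNAL = "10.10.10.30"
SERVER_PUBLIC = "203.0.113.30"                # failover IP, 1:1 NAT to SERVER_INTERNAL
ONE_TO_ONE = {SERVER_PUBLIC: SERVER_INTERNAL}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    kind: str  # "SYN" or "SYN-ACK"


class Firewall:
    """Applies reflection for a 1:1 mapping; optionally source-NATs the request."""

    def __init__(self, reflection_outbound_nat: bool):
        # Mirrors "Enable automatic outbound NAT for Reflection" in pfSense.
        self.reflection_outbound_nat = reflection_outbound_nat
        # (post-NAT src, post-NAT dst) -> (original src, original dst)
        self.states: dict[tuple[str, str], tuple[str, str]] = {}

    def translate_request(self, pkt: Packet) -> Packet:
        """Client -> public IP: rewrite dst to the internal host (Pure NAT).
        With outbound NAT, also rewrite src to the firewall's address on the
        target's interface, so the reply is forced back through pfSense."""
        internal = ONE_TO_ONE[pkt.dst]
        new_src = FW_LAN_IP if self.reflection_outbound_nat else pkt.src
        self.states[(internal, new_src)] = (pkt.src, pkt.dst)
        return Packet(new_src, internal, pkt.kind)

    def translate_reply(self, pkt: Packet) -> Packet:
        """Server -> firewall: undo both translations using the state entry."""
        orig_src, orig_dst = self.states[(pkt.src, pkt.dst)]
        return Packet(orig_dst, orig_src, pkt.kind)


def server_reply(syn: Packet, fw: Firewall) -> Packet:
    """The target answers whatever source address it saw on the SYN."""
    synack = Packet(src=syn.dst, dst=syn.src, kind="SYN-ACK")
    if ipaddress.ip_address(synack.dst) in LAN and synack.dst != FW_LAN_IP:
        # Same subnet: delivered directly over layer 2, pfSense never sees it.
        return synack
    # Off-subnet, or addressed to pfSense itself: routed via the gateway.
    return fw.translate_reply(synack)


def attempt_connection(client_ip: str, reflection_outbound_nat: bool) -> str:
    """Simulate a client connecting to SERVER_PUBLIC and report the outcome."""
    fw = Firewall(reflection_outbound_nat)
    syn = Packet(client_ip, SERVER_PUBLIC, "SYN")
    # The public IP is off-subnet, so the SYN always goes to the gateway (pfSense).
    synack = server_reply(fw.translate_request(syn), fw)
    # A TCP stack only matches the SYN-ACK if it comes from the address it sent to.
    if synack.src == SERVER_PUBLIC and synack.dst == client_ip:
        return "connected"
    return f"dropped: SYN-ACK from {synack.src}, expected {SERVER_PUBLIC}"


if __name__ == "__main__":
    for client, outbound in [("10.10.10.20", False), ("10.10.10.20", True),
                             ("10.10.20.20", False)]:
        where = "same VLAN" if ipaddress.ip_address(client) in LAN else "other VLAN"
        print(f"{where:10} outbound NAT={outbound!s:5} -> "
              f"{attempt_connection(client, outbound)}")
```

The third case (client on another VLAN, no outbound NAT) connects because the server's reply is off-subnet and has to go through pfSense anyway, which is exactly the behaviour reported in the first post. The price of the fix is that, for reflected connections, the target host now sees the firewall's interface address as the client, so its own logs and any per-client rate limiting on that host no longer see the real internal source.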
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.