Hosts on the same network cannot communicate using their public IPs

    We are hosting some virtual servers on dedicated physical servers with OVH and use their vRack system to have multiple internal networks, which are managed by a single pfSense firewall (at the moment).

    However, we are facing an issue where assigned failover IPs are having some communication issues.
    I have done some troubleshooting and the issue seems to apply to hosts/VMs on the same subnet/VLAN. When I, e.g., try to SSH to a host on the same subnet using the assigned 1:1 NAT public IP, then it cannot connect. If I connect to the same host using the assigned internal IP, then it works, as we are not hitting pfSense. If I connect with SSH to a host on a different VLAN, using the public IP of that host, then it connects fine.

    All IP-addresses are created as a virtual IP Alias on the firewall and then a corresponding 1:1 NAT rule is created for pointing the IP to the actual internal host that should use it.

    The firewall is configured so that each VLAN has a default rule that allows everything as long as it is not destined to (the OVH vRack network).
    As some services are located on different VLANs/interfaces, we are using floating rules for any inbound traffic that should be accessible from both the outside world and between networks behind our pfSense router.

    For testing I tried to change the rule of an affected network, so that it allows everything to every destination (allow any to any rule).

    We have enabled NAT reflection with "Pure NAT" method and also checked the "Automatic creation of additional NAT redirect rules from within the internal networks", so that the hosts should be able to communicate with each other.

    As we never seem to hit the firewall layer of pfSense, how can we troubleshoot the cause of the issue?

  • Does anyone have an idea about what the problem is here?
    Basically hosts inside the same network/VLAN are unable to communicate with each other when using their public IP addresses.

    For a website where the cron job requires calling a file on the domain using wget or curl, this will not work, as it will never be able to connect unless we add every single domain directly in the server's /etc/hosts file.

  • Thank you for the link. Seems that I had forgotten to set "Enable automatic outbound NAT for Reflection". After setting this, servers were able to communicate with nodes on the same VLAN.
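As an added illustration, not part of the original thread, the following model shows why the same-VLAN case fails while the cross-VLAN case works, and why the outbound NAT setting from the last reply fixes it: without it the server's reply goes straight back over the VLAN and the client sees a SYN-ACK from the internal address rather than the public one. The addresses are constructed (203.0.113.20 stands in for an OVH failover IP, 10.10.0.0/24 for the VLAN behind pfSense) and the pfSense behaviour is simplified.

```python
"""Simplified model of 1:1 NAT reflection (hairpin NAT) through pfSense.

Constructed addresses: 203.0.113.20 plays the OVH failover IP, 10.10.0.0/24
the VLAN behind pfSense, 10.10.0.1 the pfSense address on that VLAN."""
import ipaddress
from dataclasses import dataclass

ONE_TO_ONE = {"203.0.113.20": "10.10.0.20"}          # public IP -> internal host
SERVER_VLAN = ipaddress.ip_network("10.10.0.0/24")   # VLAN of the 1:1 NAT target
FW_LAN_IP = "10.10.0.1"                              # pfSense address on that VLAN


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def hairpin_connect(client_ip: str, public_ip: str, outbound_nat_reflection: bool) -> dict:
    """Simulate client_ip opening a connection to public_ip via pfSense.

    Pure NAT reflection rewrites the destination to the internal host. With
    "Enable automatic outbound NAT for Reflection" pfSense additionally
    rewrites the source to its own interface address when client and server
    share a subnet (simplified model, assumption of this example)."""
    internal = ONE_TO_ONE[public_ip]
    same_vlan = ipaddress.ip_address(client_ip) in SERVER_VLAN
    xlate_src = FW_LAN_IP if (outbound_nat_reflection and same_vlan) else client_ip
    # State pf keeps for the connection: original tuple and translated tuple.
    state = {"orig": Packet(client_ip, public_ip), "xlate": Packet(xlate_src, internal)}

    # The server answers whatever source address it saw in the SYN.
    reply = Packet(src=internal, dst=state["xlate"].src)

    # A reply to an address on its own subnet is delivered at layer 2 and
    # never reaches pfSense, so no translation is reversed.
    if ipaddress.ip_address(reply.dst) in SERVER_VLAN and reply.dst != FW_LAN_IP:
        seen = reply
        via_firewall = False
    else:
        # Reply reaches pfSense (as default gateway or as the addressed host):
        # pf matches the state and reverses both translations before delivery.
        seen = Packet(src=state["orig"].dst, dst=state["orig"].src)
        via_firewall = True

    # The client's TCP stack only accepts a SYN-ACK from the address it dialled.
    return {"reply_src": seen.src, "via_firewall": via_firewall, "connects": seen.src == public_ip}
```

Running `hairpin_connect("10.10.0.30", "203.0.113.20", False)` reproduces the failure from the question (reply arrives from 10.10.0.20, bypassing the firewall), while a client on another VLAN, or the same client once the outbound NAT option is on, gets its reply via pfSense from the public address.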

