problems with Virtual IP's and port forwarding
-
hello All!
Im flamboozled on using Virtual IP's and port forwarding. Here is an explanation of my system.
If someone can see why I cannot access the server from outside I'd be very thankful.....
framework of traffic flow:
8 static public IP from suddenlink
(example)
208.180.145.111
208.180.145.222
208.180.145.333
.444
.555
.666
.777
.888Using netgate sg4860 appliance
208.180.145.111 is primary WANLAN port is 192.168.2.1 /24 and Ipchicken shows 208.180.145.111 as IP
I am using OPT1 for my server
local address on OPT1 = 192.168.222.1 /24 ( to match 2nd public IP )The others are Virtual IP's
Virtual IP's are constructed as:
Type: IP Alias
Interface: WAN
Address type: single address /24Port Forward rules for the OPT1 server are:
interface: WAN (also tried the VIP 208.180.145.222)
Protocol: TCP (tried tcp/udp as well)
Destination: WAN
Destination Ports: other; 6660 TO 6669 (is chat server)
Redirect target IP: 192.168.222.101 (IP of server chat software is on)
Redirect target port: other 6660
NAT reflection "use system default"
Filter rule association: "add associated filter rule"I cannot connect to the chat server externally.
Internally from the chat server I can ping anywhere and access web, but nothing gets in -
You need to make sure that the answer the server sends leaves via the vip.. If you forward say .100 to your box but the answer comes from your .200 IP on the wan interface then most clients would not work.
Simple sniff would for starts show you the traffic gets to your wan interface on the vip. And then sniff on your opt to make sure pfsense sends it on and your server answers.
Then validate where your answer is leaving your wan from the native IP or your vip.
-
You need to make sure that the answer the server sends leaves via the vip
This is done via Firewall/NAT/Outbound. Create a manual rule like:
source: 192.168.222.101/32
NAT address: 208.180.145.111Then the default rule for 192.168.222.0/24 with NAT address of "WAN address" is below that and will pick up all other PCs for the "normal" WAN IP.
-
https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting