problems with Virtual IP's and port forwarding



  • hello All!

    Im flamboozled on using Virtual IP's and port forwarding. Here is an explanation of my system.

    If someone can see why I cannot access the server from outside I'd be very thankful.....

    framework of traffic flow:

    8 static public IP from suddenlink

    (example)
    208.180.145.111
    208.180.145.222
    208.180.145.333
    .444
    .555
    .666
    .777
    .888

    Using netgate sg4860 appliance
    208.180.145.111 is primary WAN

    LAN port is 192.168.2.1 /24 and Ipchicken shows 208.180.145.111 as IP

    I am using OPT1 for my server
    local address on OPT1 = 192.168.222.1 /24 ( to match 2nd public IP )

    The others are Virtual IP's
    Virtual IP's are constructed as:
    Type: IP Alias
    Interface: WAN
    Address type: single address /24

    Port Forward rules for the OPT1 server are:

    interface: WAN (also tried the VIP 208.180.145.222)
    Protocol: TCP (tried tcp/udp as well)
    Destination: WAN
    Destination Ports: other; 6660 TO 6669 (is chat server)
    Redirect target IP: 192.168.222.101 (IP of server chat software is on)
    Redirect target port: other 6660
    NAT reflection "use system default"
    Filter rule association: "add associated filter rule"

    I cannot connect to the chat server externally.
    Internally from the chat server I can ping anywhere and access web, but nothing gets in


  • Rebel Alliance Global Moderator

    You need to make sure that the answer the server sends leaves via the vip.. If you forward say .100 to your box but the answer comes from your .200 IP on the wan interface then most clients would not work.

    Simple sniff would for starts show you the traffic gets to your wan interface on the vip. And then sniff on your opt to make sure pfsense sends it on and your server answers.

    Then validate where your answer is leaving your wan from the native IP or your vip.



  • You need to make sure that the answer the server sends leaves via the vip

    This is done via Firewall/NAT/Outbound. Create a manual rule like:
    source: 192.168.222.101/32
    NAT address: 208.180.145.111

    Then the default rule for 192.168.222.0/24 with NAT address of "WAN address" is below that and will pick up all other PCs for the "normal" WAN IP.