Netgate Discussion Forum
    Symptom: Clients not being routed OUT the network to HIT Virtual IPs

    DHCP and DNS
    2 Posts 2 Posters 212 Views
    • sisterpfsense
      last edited by sisterpfsense

      Hello:

      The setup:
      We are working with pfSense 2.4.3, with Verizon FIOS static IPs (let's say 123.12.1.166). We also have another static IP that is set up as a Virtual IP in pfSense (let's say 123.12.1.167) for a webserver. We have an FQDN linked to 123.12.1.167 that resolves to junk.cat.org. We also have a Let's Encrypt SSL certificate on junk.cat.org.

      The Problem:
      Internal clients are hitting the Virtual IP directly and being redirected to pfSense. I noticed the untrusted self-signed certificate message of the pfSense management login page.

      Trace Route Data (internal client):
      From a Win10 client in the office (behind pfSense) the tracert to the Virtual IP (123.12.1.167) yields 1 hop to the host.

      Trace Route Data (external client):
      From a Win10 client at my home the tracert to the Virtual IP (123.12.1.167) yields 2 hops to the host: 1 hop to my router (192.168.1.1), then the other to the Virtual IP (123.12.1.167). Probably not relevant: I use Verizon FIOS at home as well.

      Question:
      What is the best method to resolve this? Is there a way to force all traffic out through the pfSense gateway (192.168.1.1) to come back in to the network to hit the Static/Public IP?

      Extra (this might be related):
      While I write this I recall another issue for which we could not find a solution and defaulted to a workaround. To use OpenVPN on the network (behind pfSense) to a host in the pfSense DMZ, we always need to use a mobile hotspot to connect using OpenVPN to access DMZ hosts.

      Thanks in advance for the troubleshooting tips.

      • jimp (Rebel Alliance Developer, Netgate)
        last edited by

        Best choices are:

        1. Fix your local DNS so the hostname resolves to the local address of the web server and not the firewall. (Split DNS)
        2. Enable NAT reflection so requests to the external IP address:port are redirected into the local server (not ideal, but still works)
        3. Set up pfSense with HAProxy so it acts as a proxy instead of only performing NAT functions (more complicated, more room for error, but also works around the problem)

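The following is an added example, not code from this thread, from Netgate or from pfSense. It models option 1 above (split DNS) together with the diagnostic the original poster ran: if a LAN client resolves junk.cat.org to the public VIP, the request never leaves the LAN side and lands on the firewall's own listener, which is why the pfSense certificate warning appears. The public addresses and hostname come from the thread; the web server's LAN address (192.168.1.50), the resolver answers and traceroute hop lists are constructed, and the function names are this example's own. The `local-data` / `local-data-ptr` lines follow Unbound's syntax, which is what a host override in the pfSense DNS Resolver boils down to.

```python
"""Split-DNS audit for the hairpin-to-firewall symptom described in the thread.

Added example (not from the forum post or pfSense). Checks what a LAN client
gets back from the resolver for the web server's hostname, flags answers that
point at the firewall's own public addresses, and renders the Unbound host
override that makes option 1 (split DNS) work.
"""
import ipaddress

# Values taken from the thread.
WAN_IP = "123.12.1.166"          # pfSense WAN address
VIRTUAL_IPS = {"123.12.1.167"}   # Virtual IP(s) forwarded to the web server
HOSTNAME = "junk.cat.org"

# Assumption (constructed): LAN address of the web server behind the VIP.
LAN_SERVER_IP = "192.168.1.50"

# Every public address the firewall itself answers on.
FIREWALL_ADDRS = {WAN_IP} | VIRTUAL_IPS


def classify_answer(hostname, answer_ip, from_lan=True):
    """Classify one DNS answer for `hostname` as seen by a LAN or external client."""
    ip = ipaddress.ip_address(answer_ip)
    if not from_lan:
        # Outside clients are supposed to get the public VIP.
        return "external-ok" if answer_ip in VIRTUAL_IPS else "external-wrong"
    if answer_ip in FIREWALL_ADDRS:
        # The symptom in the thread: LAN client is sent to the firewall's public side.
        return "hairpin-to-firewall"
    if ip.is_private:
        return "split-dns-ok"
    return "unexpected-public"


def first_hop_owns_destination(dest_ip, hops):
    """True when a public destination is reached in exactly one hop.

    From a LAN client that means the default gateway (the firewall) owns the
    address and answered itself rather than forwarding the packet anywhere.
    """
    dest = ipaddress.ip_address(dest_ip)
    return dest.is_global and len(hops) == 1 and hops[0] == dest_ip


def unbound_host_override(hostname, lan_ip):
    """Render the Unbound local-data entries for a split-DNS host override."""
    return [
        f'local-data: "{hostname}. A {lan_ip}"',
        f'local-data-ptr: "{lan_ip} {hostname}."',
    ]


def audit(answers):
    """answers: iterable of (hostname, answer_ip, from_lan) -> list of findings.

    A finding for a hairpin answer carries the override lines that fix it.
    """
    findings = []
    for hostname, ip, from_lan in answers:
        verdict = classify_answer(hostname, ip, from_lan)
        finding = {"hostname": hostname, "answer": ip, "verdict": verdict}
        if verdict == "hairpin-to-firewall":
            finding["fix"] = unbound_host_override(hostname, LAN_SERVER_IP)
        findings.append(finding)
    return findings


# Constructed sample: the thread's situation (LAN client gets the VIP), the
# healthy state after the override, and an external client's view.
SAMPLE_ANSWERS = [
    (HOSTNAME, "123.12.1.167", True),
    (HOSTNAME, LAN_SERVER_IP, True),
    (HOSTNAME, "123.12.1.167", False),
]

# Constructed traceroute hop lists matching the two tracerts in the post.
LAN_TRACERT = ["123.12.1.167"]
HOME_TRACERT = ["192.168.1.1", "123.12.1.167"]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ANSWERS):
        print(finding)
    print("LAN tracert hits firewall directly:",
          first_hop_owns_destination("123.12.1.167", LAN_TRACERT))
    print("Home tracert hits firewall directly:",
          first_hop_owns_destination("123.12.1.167", HOME_TRACERT))
```

The one-hop result from the LAN client is the tell: the gateway is answering for the VIP itself, so no amount of routing "out and back in" happens without NAT reflection. The override lines are the minimal change for option 1; once the LAN resolver hands out the private address, the client talks to the web server directly and the Let's Encrypt certificate is presented instead of the firewall's self-signed one.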
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.