Symptom: Clients not being routed OUT the network to HIT Virtual IPs



  • Hello:

    The setup:
    We are working with pfSense 2.4.3, with Verizon FIOS static IPs (let's say 123.12.1.166). We also have another static IP that is set up as a Virtual IP in pfSense (let's say 123.12.1.167) for a web server. We have a FQDN linked to 123.12.1.167 that resolves to junk.cat.org. We also have a Let's Encrypt SSL certificate on junk.cat.org.

    The Problem:
    Internal clients are hitting the Virtual IP directly and being redirected to pfSense. I noticed the untrusted self-signed certificate message of the pfSense management login page.

    Trace Route Data (internal client).
    From a win10 client in the office (behind pfSense), the tracert to the virtual IP (123.12.1.167) yields 1 hop to the host.

    Trace Route Data (external client)
    From a win10 client at my home, the tracert to the virtual IP (123.12.1.167) yields 2 hops to the host: 1 hop to my router (192.168.1.1), then the other to the Virtual IP (123.12.1.167). Probably not relevant: I use Verizon Fios at home as well.

    Question:
    What is the best method to resolve this? Is there a way to force all traffic out through the pfSense gateway (192.168.1.1) to come back into the network to hit the static/public IP?

    Extra (This might be related) :
    While I write this, I recall another issue for which we could not find a solution and defaulted to a workaround. To use OpenVPN on the network (behind pfSense) to a host in the pfSense DMZ, we always need to use a mobile hotspot to connect using OpenVPN to access DMZ hosts.

    Thanks in advance for the troubleshooting tips.


  • Rebel Alliance Developer Netgate

    Best choices are:

    1. Fix your local DNS so the hostname resolves to the local address of the web server and not the firewall. (Split DNS)
    2. Enable NAT reflection so requests to the external IP address:port are redirected into the local server (not ideal, but still works)
    3. Set up pfSense with HAProxy so it acts as a proxy instead of only performing NAT functions (more complicated, more room for error, but also works around the problem)
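A way to tell which of the three situations a LAN client is in, as an added example that is not part of the original thread or of pfSense itself. It takes the address the client's resolver hands back for the FQDN and classifies it: an RFC 1918 address means split DNS (option 1) is in effect and traffic stays inside; the public virtual IP means the client is trying to hairpin through the WAN side, which is exactly the case options 2 and 3 exist for. The public VIP 123.12.1.167 and the hostname junk.cat.org are the placeholders from the post; 192.168.1.50 as the web server's LAN address is an assumption for illustration, as is the use of `dig` for the live lookup.

```shell
#!/bin/sh
# check_split_dns.sh (added example, not pfSense code)
# Classifies how a LAN client resolves the web server's FQDN:
#   split-dns   -> resolves to a LAN address (option 1 in place)
#   hairpin     -> resolves to the public VIP; without NAT reflection or a
#                  proxy the client ends up on the firewall's own listener
#   unexpected  -> resolves somewhere else (stale or wrong record)

PUBLIC_VIP="123.12.1.167"   # placeholder VIP from the thread
LAN_SERVER="192.168.1.50"   # ASSUMED LAN address of the web server

# is_rfc1918 IP -> exit 0 if IP lies in 10/8, 172.16/12 or 192.168/16
is_rfc1918() {
    case "$1" in
        10.*)                                    return 0 ;;
        192.168.*)                               return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)   return 0 ;;
    esac
    return 1
}

# diagnose FQDN RESOLVED_IP -> prints one of the three verdicts above
diagnose() {
    fqdn=$1
    resolved=$2
    if is_rfc1918 "$resolved"; then
        echo "split-dns"
    elif [ "$resolved" = "$PUBLIC_VIP" ]; then
        echo "hairpin"
    else
        echo "unexpected"
    fi
}

# resolve_and_diagnose FQDN: the live check, run from a client behind pfSense.
# Takes the first A record the client's configured resolver returns.
resolve_and_diagnose() {
    fqdn=$1
    resolved=$(dig +short "$fqdn" A | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1)
    if [ -z "$resolved" ]; then
        echo "$fqdn: no-answer"
        return 1
    fi
    echo "$fqdn -> $resolved: $(diagnose "$fqdn" "$resolved")"
}

# The split DNS fix itself, in unbound.conf syntax; a Host Override in the
# pfSense DNS Resolver produces the equivalent record for internal clients:
#   local-data: "junk.cat.org. IN A 192.168.1.50"
# After adding it, the verdict from a LAN client should change to split-dns.

# Run the live check only when a hostname is given on the command line,
# e.g.:  sh check_split_dns.sh junk.cat.org
if [ -n "${1:-}" ]; then
    resolve_and_diagnose "$1"
fi
```

The hairpin verdict is the one that matches the symptom in the post: the client connects to the WAN-side address, so whatever pfSense itself has bound to that address and port answers, and the browser sees the firewall's self-signed certificate instead of the Let's Encrypt one for junk.cat.org.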
