Netgate Discussion Forum

Routing to multiple public networks on LAN

Routing and Multi WAN
10 Posts 3 Posters 937 Views
  • LittleCreek
    Apr 17, 2020, 4:36 PM

    Hello. My pfSense server is in a data center with all public IPs. I have 4 /24 networks. I was able to set up the WAN interface and LAN interface, and from the outside I can ping the LAN interface x.x.29.1. The LAN connects to a switch and I have a bunch of servers connected to that switch. I can ping all of the IPs on the same network as the LAN IP.

    I set up the virtual interfaces with the other networks: x.x.10.1, x.x.27.1, and x.x.7.1. I cannot ping the machines with these IPs. It's like pfSense is not routing the IPs that are part of the virtual interfaces.

    Is this not the right way to do this? Thanks for your help.

    • akuma1x
      Apr 17, 2020, 4:45 PM (last edited by akuma1x Apr 17, 2020, 4:45 PM)

      It's been a couple of years since I had multiple public addresses available to me, so I'm a little bit rusty on the specifics, sorry...

      But, did you set up any NATs for these VIPs? I'm pretty sure that's a big part of the equation, to get the traffic, including pings, to the appropriate internal machines.

      https://docs.netgate.com/pfsense/en/latest/book/firewall/virtual-ip-addresses.html

      https://docs.netgate.com/pfsense/en/latest/firewall/virtual-ip-address-feature-comparison.html

      Jeff

      • LittleCreek
        Apr 17, 2020, 4:47 PM

        I may have found it, but let me ask first before I take down my other router again. When adding the virtual interface I think maybe I should set the netmask to /24. By default it's set to /32, which I didn't even see because it's further to the side.

        • LittleCreek @akuma1x
          Apr 17, 2020, 5:19 PM

          @akuma1x

          I don't think NAT is required or even desired with public IPs. Otherwise, for example, email that goes out will show the router WAN IP as the source instead of the actual machine.

          • LittleCreek
            Apr 17, 2020, 6:11 PM

            My mistake was the default /32 when creating virtual interfaces. Changing it to /24 allowed me to ping the other IPs on the inside. Again, this is for public IPs. I am sure for private IPs NAT will be required.

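Why the /32 default left the other networks unreachable and /24 fixed it, as an added example that is not part of the original posts: a simplified model of connected routes and longest-prefix match, not pfSense code. The 198.51.100.0/24 and 203.0.113.0/24 ranges are constructed stand-ins for the masked x.x.29.0/24 (LAN) and x.x.10.0/24 (virtual IP) networks.

```python
import ipaddress

# Constructed addressing: RFC 5737 documentation ranges stand in for the
# poster's masked x.x.29.0/24 (LAN) and x.x.10.0/24 (virtual IP) networks.
LAN_PRIMARY = "198.51.100.1/24"
DEFAULT_ROUTE = ("0.0.0.0/0", "WAN (default gateway)")


def connected_routes(interface_addrs):
    """Derive the connected routes a router installs for interface addresses.

    Each address/prefix yields one route covering its whole prefix, so a /32
    yields a host route for the address itself and nothing else.
    """
    routes = []
    for iface, cidr in interface_addrs:
        net = ipaddress.ip_interface(cidr).network
        routes.append((net, f"{iface} (on-link)"))
    return routes


def lookup(dest, interface_addrs):
    """Longest-prefix match over connected routes plus the default route."""
    table = connected_routes(interface_addrs)
    table.append((ipaddress.ip_network(DEFAULT_ROUTE[0]), DEFAULT_ROUTE[1]))
    addr = ipaddress.ip_address(dest)
    matches = [(net, via) for net, via in table if addr in net]
    net, via = max(matches, key=lambda m: m[0].prefixlen)
    return str(net), via


def compare(dest, vip_addr):
    """Return the route chosen for dest with the VIP as /32 and as /24."""
    result = {}
    for prefix in (32, 24):
        addrs = [("LAN", LAN_PRIMARY), ("LAN", f"{vip_addr}/{prefix}")]
        result[prefix] = lookup(dest, addrs)
    return result


if __name__ == "__main__":
    # A server in the second network, the VIP itself, and a primary-LAN host.
    for dest in ("203.0.113.25", "203.0.113.1", "198.51.100.40"):
        print(dest, compare(dest, "203.0.113.1"))
```

With the /32 virtual IP, a server elsewhere in that /24 matches only the default route and is sent back toward the WAN; with /24 it is on-link on the LAN.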
            • akuma1x @LittleCreek
              Apr 17, 2020, 7:52 PM (last edited by akuma1x Apr 17, 2020, 7:52 PM)

              @LittleCreek said in Routing to multiple public networks on LAN:

              Again, this is for public IPs. I am sure for private IPs NAT will be required.

              Yeah, you're probably right. Like I said, it's been a while, and I'm pretty sure what I did was 1:1 NAT a couple of extra public IP addresses I had to some internal machines.

              Glad you figured it out!

              Jeff

              • LittleCreek
                Apr 17, 2020, 9:18 PM

                Well incoming pings work from the outside but now no traffic originating from the inside can get out. When I turn off the firewall it all works. pfctl -d

                • LittleCreek
                  Apr 18, 2020, 7:37 PM

                  Anybody have any ideas on this?

                  • LittleCreek
                    Apr 18, 2020, 8:30 PM

                    I have a public IP on the WAN. The data center routes all of my IPs to that WAN IP.

                    On the LAN I have 4 /24 addresses.

                    When I have pfctl -d it all works. As soon as I pfctl -e then it stops working.

                    I can't seem to find anybody who uses pfSense in a data center with public IPs.

                    • Derelict LAYER 8 Netgate
                      Apr 19, 2020, 3:03 AM

                      There is nothing special about it.

                      They are just addresses.

                      You should disable NAT for the public addresses in use on the inside.

                      Well incoming pings work from the outside but now no traffic originating from the inside can get out. When I turn off the firewall it all works. pfctl -d

                      Do you have rules passing the traffic into that interface from those hosts?

                      Chattanooga, Tennessee, USA
                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                      Do Not Chat For Help! NO_WAN_EGRESS(TM)
