Netgate Discussion Forum

    Move services to the public IPs of the second provider

    Routing and Multi WAN
    19 Posts 3 Posters 934 Views
      trigg3r

      I have activated a second hyperlan Internet connection. The new provider says everything is ok but I am not getting any inbound traffic. So I need to find out what's wrong with my setup.

      My goal is to move some services from the public IPs of ISP1 to the public IPs of ISP2. I don't want "failover" or "load balancing".

      The first ISP1 provider (now running for years) provides a /29 subnet of public IPs, so in pfSense:

      • I created GW1 gateway (assigning the IP of the antenna/router that provides the hyperlan connection of ISP1)
      • the first IP of the /29 subnet is assigned to WAN1 and uses GW1 as gateway
      • the other IPs are entered as "Virtual IPs" and managed with NAT

      The new ISP2 provider also provides a /29 subnet of public IPs, so in pfSense:

      • I created GW2 gateway (assigning the IP of the antenna/router that provides the hyperlan connection of ISP2)
      • the first IP of the /29 subnet is assigned to WAN2 and uses GW2 as gateway
      • the other IPs are entered as "Virtual IPs" and managed with NAT

      In the WAN2 firewall rules I have enabled:

      • ping response
      • pfSense admin interface
      • https NAT to a test server located in DMZ (that works if I try to reach it from the LAN ...)

      The problem: none of these services turn out to be reachable from the Internet ...

      What am I doing wrong?

      Thanks for your help.

      Attached screenshots: System_Routing_Gateways.png, Interfaces_WAN1.png, Interfaces_WAN2.png, Firewall_VirtualIPs.png, Firewall_Rules_WAN1.png, Firewall_Rules_WAN2.png, Firewall_NAT_Outbound.png, Status_Gateways.png, Status_Interfaces_WAN2.png, Status_Interfaces_WAN1.png

        viragomann @trigg3r

        @trigg3r
        I assume you have also a public IP subnet on the second WAN.

        Sniff the traffic on WAN2 using Diagnostic > Packet Capture, while you try to access the WAN2 address from the internet.
        You can use a public port checker service to access your WAN.

        If you don't see the packets, your ISP might not pass the traffic to you.

        BTW, exposing the pfSense web GUI to the internet is not a good idea at all.

          A Former User @viragomann

          @viragomann said in Move services to the public IPs of the second provider:

          If you don't see the packets, your ISP might not pass the traffic to you.

          Error: you looked at the statistics of WAN2 that he sent in the previous post; it is obvious that if he receives traffic he only has a configuration problem in his pfSense.

          @trigg3r in order to help you I should show more information: example from where to which Internal IP and when you want it to work !!

            A Former User @trigg3r

            @trigg3r said in Move services to the public IPs of the second provider:

            My goal is to move some services from the public IPs of ISP1 to the public IPs of ISP2

            What are these services that are currently accessible with WAN1?

              trigg3r @viragomann

              @viragomann said in Move services to the public IPs of the second provider:

              Sniff the traffic on WAN2 using Diagnostic > Packet Capture, while you try to access the WAN2 address from the internet.

              This is what I did:

              • START Packet Capture (any address, any protocol, any port, ...)
              • from an Internet host I browsed https:// xx.xx.xxx.154/
              • STOP Packet Capture

              and this is the result (part of it, but the other lines are the same):

              20:54:36.867140 IP xx.xx.xxx.154 > xx.xx.xxx.153: ICMP echo request, id 2618, seq 347, length 9
              20:54:36.867315 IP xx.xx.xxx.153 > xx.xx.xxx.154: ICMP echo reply, id 2618, seq 347, length 9
              20:54:37.386856 IP xx.xx.xxx.154 > xx.xx.xxx.153: ICMP echo request, id 2618, seq 348, length 9
              20:54:37.387037 IP xx.xx.xxx.153 > xx.xx.xxx.154: ICMP echo reply, id 2618, seq 348, length 9
              20:54:37.917608 IP xx.xx.xxx.154 > xx.xx.xxx.153: ICMP echo request, id 2618, seq 349, length 9
              20:54:37.917783 IP xx.xx.xxx.153 > xx.xx.xxx.154: ICMP echo reply, id 2618, seq 349, length 9
              20:54:38.418742 IP xx.xx.xxx.154 > xx.xx.xxx.153: ICMP echo request, id 2618, seq 350, length 9
              20:54:38.418913 IP xx.xx.xxx.153 > xx.xx.xxx.154: ICMP echo reply, id 2618, seq 350, length 9
              20:54:38.925620 IP xx.xx.xxx.154 > xx.xx.xxx.153: ICMP echo request, id 2618, seq 351, length 9
              20:54:38.925797 IP xx.xx.xxx.153 > xx.xx.xxx.154: ICMP echo reply, id 2618, seq 351, length 9
              20:54:39.429629 IP xx.xx.xxx.154 > xx.xx.xxx.153: ICMP echo request, id 2618, seq 352, length 9
              20:54:39.429800 IP xx.xx.xxx.153 > xx.xx.xxx.154: ICMP echo reply, id 2618, seq 352, length 9
              20:54:39.937592 IP xx.xx.xxx.154 > xx.xx.xxx.153: ICMP echo request, id 2618, seq 353, length 9
              20:54:39.937764 IP xx.xx.xxx.153 > xx.xx.xxx.154: ICMP echo reply, id 2618, seq 353, length 9
              20:54:40.460634 IP xx.xx.xxx.154 > xx.xx.xxx.153: ICMP echo request, id 2618, seq 354, length 9
              

              It seems to me that I only see a continuous ping from the gateway ...

                viragomann @trigg3r

                @trigg3r
                The pings might be the gateway monitoring. However, your screenshot shows you're using 1.1.1.1 for monitoring. Did you change this again?

                Anyway, you should see the initiated packets from the remote device. You can filter the capture to get a clearer result.

                  A Former User @viragomann

                  @viragomann said in Move services to the public IPs of the second provider:

                  Anyway, you should see the initiated packets from the remote device. You can filter the capture to get a clearer result.

                  Good idea, but I keep seeing very bad configurations in your pfSense.

                    trigg3r @A Former User

                    @silence said in Move services to the public IPs of the second provider:

                    from where to which Internal IP and when you want it to work !!

                    My Zimbra 8.x mail server is exposed on xxx.xx.xx.91 (through NAT).

                    I have installed a brand new Zimbra 9 mail server and I want to expose it on yy.yy.yyy.155 (through NAT).

                    I have already configured everything (rDNS, PTR, DKIM, DMARC, ...) and imapsynced all the mailboxes, so I may be ready for migration.

                    Zimbra 9 is in the DMZ and pfSense has a firewall rule that permits me to successfully browse the webmail interface from the LAN.

                      A Former User @trigg3r

                      @trigg3r, post your firewall logs from when you can't access through your WAN2,

                      and I recommend that you configure your gateway correctly (I see that you are using the default gateway), which is not very recommended when you have multi-WAN.

                        trigg3r @viragomann

                        @viragomann said in Move services to the public IPs of the second provider:

                        @trigg3r
                        The pings might be the gateway monitoring. However, your screenshot shows you're using 1.1.1.1 for monitoring.

                        Sorry, I forgot to write that I removed the gateway monitoring for WAN2 (because I also thought it was that, but no ...)

                        Anyway, you should see the initiated packets from the remote device. You can filter the capture to get a more clear result.

                        I repeated Packet Capture entering in the Host Address field the public IP of the host from which I attempted to connect to xx.xx.xxx.154 :

                        • I ping xx.xx.xxx.154
                        • I navigated https://xx.xx.xxx.154:4433

                        At the end of the test the Packets Captured window remained empty: no packets captured!

                        Doubt: do I need Static Routes for outbound traffic of the new /29 subnet?

                          trigg3r @A Former User

                          @silence said in Move services to the public IPs of the second provider:

                          i keep seeing very bad configuration

                          Which? What should I correct ??

                            trigg3r @A Former User

                            @silence said in Move services to the public IPs of the second provider:

                            I recommend that you configure your gateway correctly

                            Please, can you suggest the correct way to configure the gateway?

                              viragomann @trigg3r

                              @trigg3r said in Move services to the public IPs of the second provider:

                              Doubt: do I need Static Routes for outbound traffic of the new /29 subnet?

                              We were talking about inbound traffic, which seems not to be working at all.

                              For outbound you need an outbound NAT rule, which, if it is in automatic mode, pfSense should have set for you. You may check it.

                              For routing traffic out on WAN2 you may configure a policy routing rule (stating the WAN2 gateway in the rule's advanced options) to direct specific traffic out, since it is not the default gateway.

                              But yeah, you can also set static routes pointing to WAN2 gw.

                                trigg3r @viragomann

                                @viragomann said in Move services to the public IPs of the second provider:

                                We were talking about inbound traffic, which seems not to be working at all.

                                I agree with you ... My question is due to the fact that the ISP2 help-desk states that the problems (including not being able to reach WAN2 from the Internet ...) could be due to a lack of outbound rules, so all the traffic goes through GW1. I believe that an ISP technician is better than me, so I question myself. But I still think that "Packet Capture" on WAN2 should detect requests from remote hosts anyway ....

                                I still would like to understand my configuration errors and the correct way to configure the gateway.

                                  viragomann @trigg3r

                                  @trigg3r said in Move services to the public IPs of the second provider:

                                  I still would like to understand my configuration errors and the correct way to configure the gateway.

                                  I don't see any for now. If @Silence can see errors he should tell you what's wrong.

                                  As I stated, when you try to access WAN2 from outside, you should see the packet on the pfSense WAN2 interface. This is totally independent of your firewall rules, NAT rules or outbound rules at all.
                                  Hence, if there are no packets, the issue must be in front of pfSense.

                                  This requires, of course, that the ISP promises to pass traffic to you. Some ISPs may only allow upstream traffic for home users, so that you cannot run a server. But this might not be the case here, since you got multiple public IPs.

                                  If you want to check upstream, simply enable gateway monitoring on WAN2 to 1.1.1.1 again. So pfSense will send ping requests out on WAN2.
                                  Then sniff the traffic. You might see the requests only, but no responses, since nothing is coming back to you. Ensure that the outgoing requests have your WAN2 IP as source.

                                  If so, I cannot think of anything that can cause the issue on pfSense apart from the correct gateway setting on WAN2.

                                  Since your WAN2 gateway is responding to pings, it should as well be reachable from outside. Is it?
                                  I'm in doubt. So you can run traceroute from outside to see how far you come and tell that to your ISP technician.

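The diagnostic logic viragomann lays out in this thread (sniff WAN2 while a remote host connects; if nothing from that host shows up, the fault is in front of pfSense; to check the outbound leg, re-enable gateway monitoring and see whether the echo requests leave with the WAN2 address as source and whether replies return) can be applied mechanically to the capture text. The script below is an added example, not code from the thread and not Netgate or pfSense code. It parses the tcpdump-style lines that Diagnostics > Packet Capture prints, separates the gateway-monitor pings that filled trigg3r's first capture from packets originating at the remote test host, and returns where to look next. All addresses (203.0.113.x, 198.51.100.7) and every capture line are constructed for the example; the function names are mine.

```python
"""Classify a pfSense WAN2 packet capture to decide whether inbound test
traffic ever reached the interface (added example; addresses are constructed
from RFC 5737 documentation ranges, not the poster's real ones)."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# One tcpdump-style text line as printed by Diagnostics > Packet Capture, e.g.
# "20:54:36.867140 IP 203.0.113.154 > 203.0.113.153: ICMP echo request, id 2618, seq 347, length 9"
# "20:54:38.001000 IP 198.51.100.7.51234 > 203.0.113.154.4433: Flags [S], seq 100, win 64240, length 0"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<info>.*)$"
)


@dataclass
class Packet:
    ts: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    info: str


def parse_capture(lines: Iterable[str]) -> list[Packet]:
    """Parse capture text; lines that are not IPv4 summaries (ARP, blanks) are skipped."""
    packets = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        packets.append(Packet(
            ts=m["ts"], src=m["src"],
            sport=int(m["sport"]) if m["sport"] else None,
            dst=m["dst"],
            dport=int(m["dport"]) if m["dport"] else None,
            info=m["info"],
        ))
    return packets


def classify(packets, wan2_ip, gw2_ip, remote_host):
    """Bucket packets the way the thread reasons about them."""
    counts = {"gateway_monitor": 0, "inbound_from_remote": 0, "other": 0}
    for p in packets:
        # ICMP echo between the WAN2 address and its gateway is dpinger-style monitoring noise
        if "ICMP echo" in p.info and {p.src, p.dst} == {wan2_ip, gw2_ip}:
            counts["gateway_monitor"] += 1
        elif p.src == remote_host and p.dst == wan2_ip:
            counts["inbound_from_remote"] += 1
        else:
            counts["other"] += 1
    return counts


def diagnose_inbound(lines, wan2_ip, gw2_ip, remote_host) -> str:
    """'upstream': nothing from the test host reached WAN2, so look at ISP/antenna.
    'pfsense': packets arrive on the interface, so firewall/NAT rules are the suspect."""
    counts = classify(parse_capture(lines), wan2_ip, gw2_ip, remote_host)
    return "upstream" if counts["inbound_from_remote"] == 0 else "pfsense"


def upstream_status(lines, wan2_ip, monitor_ip) -> str:
    """Outbound check: with monitoring re-enabled, do probes leave WAN2 and do replies return?"""
    requests = replies = 0
    for p in parse_capture(lines):
        if "ICMP echo request" in p.info and p.src == wan2_ip and p.dst == monitor_ip:
            requests += 1
        elif "ICMP echo reply" in p.info and p.src == monitor_ip and p.dst == wan2_ip:
            replies += 1
    if requests == 0:
        return "no-requests"    # probes are not being sourced from the WAN2 address at all
    if replies == 0:
        return "requests-only"  # probes go out, nothing comes back: upstream drops traffic
    return "two-way"


# Constructed sample data (hypothetical addresses): WAN2 address, its gateway, the remote test host.
WAN2_IP, GW2_IP = "203.0.113.154", "203.0.113.153"
REMOTE_HOST, MONITOR_IP = "198.51.100.7", "1.1.1.1"

# Constructed capture 1: only gateway pings, the pattern trigg3r posted.
CAPTURE_MONITOR_ONLY = """\
20:54:36.867140 IP 203.0.113.154 > 203.0.113.153: ICMP echo request, id 2618, seq 347, length 9
20:54:36.867315 IP 203.0.113.153 > 203.0.113.154: ICMP echo reply, id 2618, seq 347, length 9
20:54:37.386856 IP 203.0.113.154 > 203.0.113.153: ICMP echo request, id 2618, seq 348, length 9
20:54:37.387037 IP 203.0.113.153 > 203.0.113.154: ICMP echo reply, id 2618, seq 348, length 9
""".splitlines()

# Constructed capture 2: what a working upstream shows, a SYN to the NATed https test port.
CAPTURE_WITH_REMOTE = CAPTURE_MONITOR_ONLY + [
    "20:54:38.001000 IP 198.51.100.7.51234 > 203.0.113.154.4433: Flags [S], seq 100, win 64240, length 0",
    "20:54:38.001500 IP 203.0.113.154.4433 > 198.51.100.7.51234: Flags [S.], seq 7, ack 101, win 65535, length 0",
]

# Constructed capture 3: outbound probes to the monitor IP leave WAN2 but nothing returns.
CAPTURE_PROBE_NO_REPLY = [
    "20:55:00.000000 IP 203.0.113.154 > 1.1.1.1: ICMP echo request, id 3000, seq 1, length 9",
    "20:55:01.000000 IP 203.0.113.154 > 1.1.1.1: ICMP echo request, id 3000, seq 2, length 9",
]

if __name__ == "__main__":
    print(diagnose_inbound(CAPTURE_MONITOR_ONLY, WAN2_IP, GW2_IP, REMOTE_HOST))  # upstream
    print(diagnose_inbound(CAPTURE_WITH_REMOTE, WAN2_IP, GW2_IP, REMOTE_HOST))   # pfsense
    print(upstream_status(CAPTURE_PROBE_NO_REPLY, WAN2_IP, MONITOR_IP))          # requests-only
```

On a real box you would paste the text from the Packet Capture page (or the output of tcpdump on the WAN2 interface) into the parser and pass the actual WAN2 address, gateway and test-host address; the first capture trigg3r posted maps to the "upstream" verdict, which is where the problem eventually turned out to be.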
                                    A Former User @viragomann

                                    @viragomann said in Move services to the public IPs of the second provider:

                                    @Silence can see errors he should tell you what's wrong.

                                    1: Brother, it is pure logic: when connecting your WAN, the first thing you should do is go to Diagnostics and test the connection. Have you done it?

                                    2: In Gateways it has WAN1 as default and the rule uses the default gateway, that is (WAN1); it does not know how to configure the rule??

                                    3: Before complicating your life with complex things, try the basics.

                                      viragomann @A Former User

                                      @silence
                                      Okay, these are hints to me and assumptions without any help, but not configuration errors.

                                      So obviously you know nothing of what's wrong here.

                                        trigg3r

                                        @viragomann @Silence thank you very much for your help!

                                        I was pretty sure about my job, but as I wrote: "I believe that an ISP technician is better than me, so I question myself".

                                        Probably the helpdesk service often has to deal with someone not doing his homework, so they probably insisted that my config wasn't ok (despite what I wrote during a whole week of emails ...)

                                        But after reading this thread probably someone gave up in front of your reputation and ... ta-da! ... this morning everything is working fine ( "A change has been made to the receptive antenna, so please check again if remote access is now possible.").

                                        Thanks again!

                                          viragomann @trigg3r

                                          @trigg3r said in Move services to the public IPs of the second provider:

                                          Probably the helpdesk service often has to deal with someone not doing his homework, so they probably insisted that my config wasn't ok (despite what I wrote during a whole week of emails ...)

                                          The problem is that this behavior makes you a lot of work and steals your time, when you're not really a network expert.

                                          But after reading this thread probably someone gave up in front of your reputation and ... ta-da! ... this morning everything is working fine ( "A change has been made to the receptive antenna, so please check again if remote access is now possible.").

                                          Nice to hear. Thx for feedback.

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.