Move services to the public IPs of the second provider
-
@trigg3r
The pings might be the gateway monitoring. However, your screenshot shows you're using 1.1.1.1 for monitoring. Did you change this again? Anyway, you should see the initiated packets from the remote device. You can filter the capture to get a clearer result.
-
@viragomann said in Move services to the public IPs of the second provider:
Anyway, you should see the initiated packets from the remote device. You can filter the capture to get a more clear result.
Good idea, but I keep seeing very bad configurations in your pfSense.
-
@silence said in Move services to the public IPs of the second provider:
from where to which Internal IP and when you want it to work !!
My Zimbra 8.x mail server is exposed on xxx.xx.xx.91 (through NAT).
I have installed a brand new Zimbra 9 mail server and I want to expose it on yy.yy.yyy.155 (through NAT).
I have already configured everything (rDNS, PTR, DKIM, DMARC, ...) and imapsynced all the mailboxes, so I should be ready for migration.
Zimbra 9 is on the DMZ and pfSense has a firewall rule that lets me successfully browse the webmail interface from the LAN.
-
@trigg3r, post your firewall logs when you can't access through your WAN2,
and I recommend that you configure your gateway correctly (I see that you are using the default gateway), which is not very recommended when you have multi-WAN.
-
@viragomann said in Move services to the public IPs of the second provider:
@trigg3r
The pings might be the gateway monitoring. However, your screenshot shows you're using 1.1.1.1 for monitoring.
Sorry, I forgot to write that I removed the gateway monitoring for WAN2 (because I also thought it was that, but no ...)
Anyway, you should see the initiated packets from the remote device. You can filter the capture to get a more clear result.
I repeated Packet Capture, entering in the Host Address field the public IP of the host from which I attempted to connect to xx.xx.xxx.154:
- I pinged xx.xx.xxx.154
- I navigated to https://xx.xx.xxx.154:4433
At the end of the test the Packets Captured window remained empty: no packets captured!
Doubt: do I need Static Routes for outbound traffic of the new /29 subnet?
-
@silence said in Move services to the public IPs of the second provider:
i keep seeing very bad configuration
Which? What should I correct?
-
@silence said in Move services to the public IPs of the second provider:
I recommend that you configure your gateway correctly
Please, can you suggest the correct way to configure the gateway?
-
@trigg3r said in Move services to the public IPs of the second provider:
Doubt: do I need Static Routes for outbound traffic of the new /29 subnet?
We were talking about inbound traffic, which seems not to be working at all.
For outbound you need an outbound NAT rule, which, if it is in automatic mode, pfSense should have set for you. You may check it.
For routing traffic out on WAN2 you may configure a policy routing rule (stating the WAN2 gateway in the rule's advanced options) to direct specific traffic out, since it is not the default gateway.
But yeah, you can also set static routes pointing to WAN2 gw.
-
@viragomann said in Move services to the public IPs of the second provider:
We were talking about inbound traffic which seem not working at all.
I agree with you ... My question is due to the fact that the ISP2 help-desk is stating that the problems (including not being able to reach WAN2 from the Internet ...) could be due to a lack of outbound rules, so all the traffic goes through GW1. I believe that an ISP technician is better than me, so I question myself. But I still think that "Packet Capture" on WAN2 should detect requests from remote hosts anyway ....
I still would like to understand my configuration errors and the correct way to configure the gateway.
-
@trigg3r said in Move services to the public IPs of the second provider:
I still would like to understand my configuration errors and the correct way to configure the gateway.
I don't see any for now. If @Silence can see errors he should tell you what's wrong.
As I stated, when you try to access WAN2 from outside, you should see the packet on the pfSense WAN2 interface. This is totally independent of your firewall or NAT rules or outbound at all.
Hence, if there are no packets, the issue must be in front of pfSense. This requires, of course, that the ISP promises to pass traffic to you. Some ISPs may only allow upstream traffic for home users, so that you cannot run a server. But this might not be the case here, since you got multiple public IPs.
If you want to check upstream, simply enable gateway monitoring on WAN2 to 1.1.1.1 again. So pfSense will send ping requests out on WAN2.
Then sniff the traffic. You might see the request only, but no response, since nothing is coming back to you. Ensure that the outgoing requests have your WAN2 IP as source. If so, I cannot think of anything that can cause the issue on pfSense apart from the correct gateway setting on WAN2.
Since your WAN2 gateway is responding to pings, it should as well be reachable from outside. Is it?
I'm in doubt. So you can run traceroute from outside to see how far you come and tell that to your ISP technician.
-
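A small checker for the triage laid out above, added here as an example (it is not code from the thread or from pfSense): it parses tcpdump-style text such as Diagnostics > Packet Capture prints and answers the two questions the post raises, whether anything from the remote test host arrived on WAN2 at all, and whether the monitoring pings leave with the WAN2 address as source. All addresses and capture lines are constructed placeholders.

```python
import re

# Constructed placeholders (RFC 5737 documentation ranges), standing in for the thread's hosts.
WAN2_IP = "203.0.113.154"      # assumed WAN2 address (the thread's xx.xx.xxx.154)
REMOTE_IP = "198.51.100.7"     # assumed remote host used for the ping / https test
MONITOR_IP = "1.1.1.1"         # gateway monitor target named in the thread

# Scenario A: monitoring pings leave on WAN2 with the right source, but nothing from the
# remote host ever shows up. Constructed tcpdump-style lines.
CAPTURE_NO_INBOUND = """\
10:01:02.000001 IP 203.0.113.154 > 1.1.1.1: ICMP echo request, id 1, seq 1, length 64
10:01:03.000001 IP 203.0.113.154 > 1.1.1.1: ICMP echo request, id 1, seq 2, length 64
"""
# Scenario B: the remote host's ping and its TCP SYN to port 4433 do reach WAN2.
CAPTURE_INBOUND = CAPTURE_NO_INBOUND + """\
10:01:04.100000 IP 198.51.100.7 > 203.0.113.154: ICMP echo request, id 9, seq 1, length 64
10:01:05.200000 IP 198.51.100.7.51234 > 203.0.113.154.4433: Flags [S], seq 1, win 64240, length 0
"""
# Scenario C: a monitoring ping leaves WAN2 carrying another address (192.0.2.91, a
# constructed WAN1 address) as source, i.e. outbound NAT / gateway is wrong for WAN2.
CAPTURE_WRONG_SOURCE = """\
10:01:02.000001 IP 192.0.2.91 > 1.1.1.1: ICMP echo request, id 1, seq 1, length 64
"""

LINE_RE = re.compile(r"^\S+ IP6? (\S+) > (\S+): (.*)$")

def split_host(endpoint: str) -> str:
    # tcpdump writes "ip.port" for TCP/UDP endpoints; drop the port when present.
    return endpoint.rsplit(".", 1)[0] if endpoint.count(".") == 4 else endpoint

def parse_capture(text: str) -> list:
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            packets.append({"src": split_host(m.group(1)), "dst": split_host(m.group(2)), "info": m.group(3)})
    return packets

def diagnose(text: str, wan2_ip: str, remote_ip: str, monitor_ip: str) -> dict:
    pkts = parse_capture(text)
    inbound = [p for p in pkts if p["src"] == remote_ip and p["dst"] == wan2_ip]
    probes = [p for p in pkts if p["dst"] == monitor_ip]            # gateway-monitor pings
    bad_src = [p for p in probes if p["src"] != wan2_ip]             # leaving with another address
    if bad_src:
        verdict = "probes leave WAN2 with the wrong source: check WAN2 gateway and outbound NAT"
    elif not inbound:
        verdict = "nothing from the remote host reaches WAN2: the problem is upstream of pfSense"
    else:
        verdict = "inbound traffic reaches WAN2: look at the firewall and NAT rules"
    return {"inbound": len(inbound), "probes": len(probes), "bad_src": len(bad_src), "verdict": verdict}
```

Feed it the text from a real capture (or `tcpdump -ni <wan2_if> host <remote_ip> or host 1.1.1.1`) with your own addresses in place of the placeholders.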
@viragomann said in Move services to the public IPs of the second provider:
@Silence can see errors he should tell you what's wrong.
1: Brother, it is pure logic: when connecting your WAN, the first thing you should do is go to Diagnostics and test the connection. Have you done it?
2: In Gateway it has WAN1 as default and the rule uses the default gateway, that is (WAN1). Do you not know how to configure the rule?
3: Before complicating your life with complex things, try the basics.
-
@silence
Okay, these are hints to me and assumptions without any help, but not configuration errors. So obviously you know nothing about what's wrong here.
-
@viragomann @Silence thank you very much for your help!
I was pretty sure about my job, but as I wrote: "I believe that an ISP technician is better than me, so I question myself".
Probably the helpdesk service often has to deal with someone not doing his homework, so they probably insisted that my config wasn't OK (despite what I wrote during a whole week of emails ...)
But after reading this thread probably someone gave up in front of your reputation and ... ta-da! ... this morning everything is working fine ("A change has been made to the receptive antenna, so please check again if remote access is now possible.").
Thanks again!
-
@trigg3r said in Move services to the public IPs of the second provider:
Probably the helpdesk service often has to deal with someone not doing his homework, so they probably insisted that my config wasn't ok (despite what I wrote during a whole week of emails ...)
The problem is that this behavior makes a lot of work for you and steals your time, when you're not really a network expert.
But after reading this thread probably someone gave up in front of your reputation and ... ta-da! ... this morning everything is working fine ( "A change has been made to the receptive antenna, so please check again if remote access is now possible.").
Nice to hear. Thx for feedback.