Netgate Discussion Forum

    Can't get to Internet from LAN VIP

HA/CARP/VIPs
9 Posts 2 Posters 1.3k Views
      SteveITS Galactic Empire

We have a working setup in our data center with public IPs on LAN, no NAT. It has an HA setup. A client wanted us to add their own subnet, which we've done as VIPs on LAN (IP Alias, and a shared CARP alias).

On our router1, our subnet from the data center 74.x.x.2/25 is assigned to a hardware interface (LAN) with .1 as the shared/CARP IP alias. An IP from our client's subnet 208.x.x.2 is a virtual IP alias on LAN with .1 as the shared IP. The routing table shows the 208.x.x.0 subnet on that LAN interface, same as 74.x.x.0/25. Our routers can ping each other using the new IPs.

If I traceroute from 208.x.x.1 to 8.8.4.4 I get zero hops, which would indicate our router isn't routing out, even though it's the default route and 8.8.4.4 is explicitly listed in the router's routing table since it's a configured DNS server in pfSense. 208.x.x.2 has no gateway set; that's not actually possible in the web GUI when creating a VIP.

Interestingly, I can ping our WAN gateway 64.x.x.145 from source IP 208.x.x.2. However, if I traceroute to the second hop 206.41.110.37 I do not get an answer from 64.x.x.145, which sounds like a routing problem to me.

      Am I missing something that would let traffic from 208.x.x.2 to 8.8.4.4 get routed to the gateway?

      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
      Upvote 👍 helpful posts!

viragomann @SteveITS

        @steveits said in Can't get to Internet from LAN VIP:

        A client wanted us to add their own subnet which we've done as VIPs on LAN (IP Alias, and a shared CARP alias)

Both an IP alias and a CARP VIP?

        On LAN, where there is already a CARP setup?

        Why don't you configure a VLAN for the additional subnet?

SteveITS Galactic Empire @viragomann

          @viragomann They’re all VMs on the same cluster so it is essentially routing in parallel. They were going to use our IPs until they sprung their block on me.

          An IP in the subnet is needed on both routers plus the shared IP. Unless it only needs the additional shared IP in this setup??

          The data center thinks (shows) it is being routed to our WAN IP just like the LAN subnet.

          I am confused why I can ping the gateway from the router but a traceroute past it has no response.

viragomann @SteveITS

            @steveits
Generally it's good advice to put each subnet into a separate network segment, even with VLANs if they need to be connected to the same interface, but yes, you can also assign both to the same interface directly.
However, in the latter case you don't need a CARP VIP at all. Simply hook up an IP of the new subnet onto the existing LAN CARP VIP.

But I'm not sure if this causes your issue.

SteveITS Galactic Empire @viragomann

              @viragomann said in Can't get to Internet from LAN VIP:

              you don't need a CARP VIP at all. Simply hook up an IP of the new subnet onto the existing LAN CARP VIP

              How does one accomplish that? When creating a VIP I have a choice of one address or a network, not multiple addresses.

              Or are you saying the LAN IP in that subnet is not necessary and I only need the shared CARP VIP? That could work for connectivity though it would mean router2 couldn't access that IP until failover.

Re: VLAN, they're not really being isolated; it's a public IP anyway. If it wasn't the new subnet it would be the existing subnet.

viragomann @SteveITS

                @steveits
What I tried to say is that you don't need more than one CARP on a single interface, and it's not recommended to create more.

You have the 74.x.x.1/25 CARP VIP assigned to LAN already. Then assign a VIP of type IP Alias to this CARP and state the IP 208.x.x.1.
So you can use it as the gateway then.

                That could work for connectivity though it would mean router2 couldn't access that IP until failover.

                That might be correct. But do you need this?

SteveITS Galactic Empire @viragomann
last edited by SteveITS

                  @viragomann I tried moving a few VIPs to IP Alias. It worked for a couple but when I added the third, both routers showed that one CARP interface as Master on the status page even though the system logs on router2 clearly showed router2 was backup. For some reason separating that last one out resolved that. Maybe it was just a display issue, I'm not sure. Traffic seemed to be flowing fine in that state.

                  However using IP Alias didn't solve my issue.

                  Source IP 208.x.x.1 (on LAN) can ping WAN gateway 64.x.x.145.

                  Traceroute from 208.x.x.1 to 8.8.4.4 does not get a response from that gateway.

                  Edit: Outbound NAT is set to Manual and there are only two rules, for localhost and one private subnet that is NATted. Is it possible it's trying to NAT and can't? (but it's a public IP...)

viragomann @SteveITS
last edited by viragomann

                    @steveits
I don't think that pfSense does NAT, as there is no rule for this public subnet.
I suspect that the default gateway doesn't accept upstream traffic from this subnet.

Do you have another gateway for it? If so, you can probably policy route this source network to the proper gateway.
However, this would only work for outgoing connections if you have a single WAN.

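The diagnosis in this thread rests on two observations from the same source address: a direct ping to the WAN gateway succeeds, but a traceroute past it gets no hop replies at all, and the manual outbound NAT table has no rule that could match the public source. The following Python script is an added example (not code from the thread, from Netgate or from pfSense) that encodes exactly that reasoning: it parses traceroute output, combines it with the ping result to say whether the fault is on the firewall or upstream, and checks whether any manual outbound NAT source network matches the address. All addresses, the traceroute text and the NAT table are constructed for the example (RFC 5737 documentation ranges), not values from the thread.

```python
"""Classify where an outbound path from a LAN VIP breaks.

Added example, not from the thread. Reasoning it encodes:
  * no traceroute hop answers, yet the gateway answers a direct ping from the
    same source -> packets leave the firewall, the upstream refuses to route
    this source prefix (the thread's root cause);
  * no hop answers and the gateway does not ping either -> the fault is local
    (routing table, firewall rules, NAT);
  * only hop 1 answers -> the gateway forwards, a later hop drops.
A second helper checks whether any manual outbound NAT rule matches a source,
confirming that a public source with no matching rule leaves untranslated.
All addresses and the traceroute text are constructed (RFC 5737 ranges).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")        # "<ttl>  <responder or * * *>"
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


@dataclass
class Hop:
    ttl: int
    responder: Optional[str]   # None when the probe line is only "* * *"


def parse_traceroute(text: str) -> List[Hop]:
    """Parse BSD/Linux-style traceroute output into a list of hops."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:                      # skip the "traceroute to ..." header
            continue
        ttl, rest = int(m.group(1)), m.group(2)
        ip = IPV4_RE.search(rest)
        hops.append(Hop(ttl, ip.group(0) if ip else None))
    return hops


def diagnose(gateway: str, gateway_pings: bool, hops: List[Hop]) -> str:
    """Return a short verdict on where the path from this source fails."""
    answered = [h for h in hops if h.responder]
    if not answered:
        # Nothing answered a transit probe. If the gateway still answers a
        # direct ping from the same source, the packets are leaving the
        # firewall and the upstream is refusing to route this source prefix.
        return "upstream-refuses-source" if gateway_pings else "local-not-forwarding"
    first = answered[0]
    if first.ttl != 1 or first.responder != gateway:
        return "unexpected-first-hop"   # traffic is leaving via another path
    if len(answered) == 1:
        return "drops-beyond-gateway"   # gateway forwards, next hop does not
    return "reachable"


# Manual outbound NAT as described in the thread: only localhost and one
# private subnet are translated. The private subnet value is constructed.
OUTBOUND_NAT_SOURCES = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.20.0.0/24"),
]


def outbound_nat_applies(source: str, rules=OUTBOUND_NAT_SOURCES) -> bool:
    """True if some manual outbound NAT rule's source network matches."""
    addr = ipaddress.ip_address(source)
    return any(addr in net for net in rules)


# Constructed traceroute from the client-subnet VIP (192.0.2.1) toward 8.8.4.4
# with the WAN gateway at 203.0.113.1: no hop answers, as in the thread.
SAMPLE_TRACE = """\
traceroute to 8.8.4.4 (8.8.4.4), 64 hops max, 40 byte packets
 1  * * *
 2  * * *
 3  * * *
"""

if __name__ == "__main__":
    hops = parse_traceroute(SAMPLE_TRACE)
    print("traceroute verdict:", diagnose("203.0.113.1", True, hops))
    print("outbound NAT applies to 192.0.2.1:", outbound_nat_applies("192.0.2.1"))
```

Run on the constructed sample the verdict is `upstream-refuses-source` and the NAT check is `False`, the same conclusion viragomann reaches: nothing on the firewall touches the packet, so the next place to look is the upstream gateway's route or filter for the new prefix.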
SteveITS Galactic Empire @viragomann
last edited by SteveITS

                      @viragomann said in Can't get to Internet from LAN VIP:

                      the default gateway doesn't accept upstream traffic from this subnet

                      Yeah, I asked the data center this question (again), and that was it. 🙄 So apparently it was routing inbound but not allowing replies or outbound.

                      Thanks for being a sounding board.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.