Routing not working for additional public IPs
-
Hi,
I have been using Pfsense+ successfully until now this point where I wanted to route packets to an additional public IP (xx.xx.133.136). My current network setup is like below:
I tried the steps mentioned in this video: https://www.youtube.com/watch?v=JGZvJOiZ5Tg&t=316s
But, I am unable to get the packets to the system I wanted via port forwarding.
Can anyone please help?
-
Are they connected to the same NIC port or different ports in the NIC?
-
@cubits Along those lines a VIP is the typical way to accomplish this:
https://docs.netgate.com/pfsense/en/latest/firewall/virtual-ip-addresses.html
Then use either 1:1 NAT or outbound NAT to control the outbound connections. (1:1 automatically sets up outbound) -
@SteveITS I tried that, but without outbound, I think I should not use 1:1 NAT and would like to only use a port forwarding, which I think is more secure than letting everything?
-
@Cool_Corona same NIC I believe, the ISP people do have not much idea unless I really escalate to the top. I thought I will check here rather.
-
@cubits You can use port forwarding for inbound.
What exactly isn’t working? Can you show the VIP configuration?
-
@cubits said in Routing not working for additional public IPs:
@Cool_Corona same NIC I believe, the ISP people do have not much idea unless I really escalate to the top. I thought I will check here rather.
Using 1 port only or does the nic have multiple ports?
-
@Cool_Corona one NIC only
-
-
@cubits Does outbound work from that server 10.110.0.22? Is there a firewall on that server and does it allow packets from outside its subnet?
-
@SteveITS i have a port forwarding to this server on the main IP and it works fine.
-
@cubits If you allow ICMP to the alias IP can you ping it or traceroute it from something on the Internet?
-
@SteveITS I did the ICMP, and the main IP is pingable and tracerouteable. The additional IP on traceroute gives destination host unreachable from another host which is not present in the route of the main IP.
-
@cubits It should be. If the inbound traceroutes use different paths, maybe your ISP is not routing your entire /24 block to you?
-
@SteveITS It should be very well correct. It is just one IP in the subnet and other users might be using other IPs from the same subnet.
-
@SteveITS how to get around this?
-
@cubits said in Routing not working for additional public IPs:
other users might be using other IPs from the same subnet.
? They can't if it's your subnet. Are these only two unrelated/not-consecutive IPs and not a subnet block? I suppose that would work but the inbound routing still needs to go through the same router as your original IP, to get to you.
-
@SteveITS just wanted to confirm that, and that's exactly what I thought about it, at least it should route new IP until the original IP, I will contact them and discuss further and post back later.
-
@SteveITS spoke to the network engineer from ISP and he asked to place a switch between wan and pfsense, and connect them to separate NIC as the whole block of IP is not forwarded. I have orderd the hardware and will test and let know here.
-
@SteveITS I have updated my setup like below. I had to use a router as both IPs since they are on the same subnet couldnt be used in the PFSENSE. As it is now, I can ping the router default gateway from within PFSENSE, but not from my LAN or by any OpenVPN client.
