Virtual IP subnet cannot connect to internet

BlueSun · Sep 17, 2023, 1:01 PM

I have a PFServer firewall with 1x WAN (IP: 156.x.x.x), 1x LAN (IP 192.168.100.0/24 and 1x Virtual IP (IP 10.0.0.0/24) in front of a Proxmox server.

When I assign a LAN IP to the host, or a VM (i.e. 192.168.100.14/24 I can ping 8.8.8.8 and connect to the internet as normal.

But when I assign 10.0.0.14 to same Proxmox host, or VM (as a test) I cannot ping 8.8.8.8 or connect to the internet.

10.0.0.14 can ping 10.0.0.1, as expected.

Automatic outbound NAT rule generation.
(IPsec passthrough included)

is setup under the NAT menu.

What else should I be setting up?

johnpoz · Sep 17, 2023, 1:09 PM

@BlueSun said in Virtual IP subnet cannot connect to internet:

What else should I be setting up?

An actual separate vlan.. Running multiple L3 on the same layer 2 is not a good solution.

Did you forget to set the gateway on this 10.x client? Did you adjust firewall rules to allow your vip network. Did you make sure your dns on pfsense is listening on the vip?

Here I just duplicated your setup..

But again - this is not really a good way to do it.

Now its possible the "lan net" of the firewall rules might now include the vip. I am not sure on that, so it would be best to allow the new virtual network you created. But when you run multiple L3 on the same L2 there is no actual isolation between these networks because they are on the same L2 network.. I is not a very good solution for bringing up a new network.

BlueSun · Sep 17, 2023, 6:53 PM

@johnpoz said in Virtual IP subnet cannot connect to internet:

@BlueSun said in Virtual IP subnet cannot connect to internet:

What else should I be setting up?

An actual separate vlan.. Running multiple L3 on the same layer 2 is not a good solution.

I don't run VLAN's, as I don't know how to properly setup a VLAN yet. I have yet to figure out how to get VLAN's working on the Mikrotik switches, so I need to get this 2nd network working first. I run CEPH on 10.0.0.0/24 on Proxmox, which I cannot change. So before I add a VLAN for this IP range, I need to get it working.

@johnpoz said in Virtual IP subnet cannot connect to internet:

Did you forget to set the gateway on this 10.x client? Did you adjust firewall rules to allow your vip network. Did you make sure your dns on pfsense is listening on the vip?

The gateway, 10.0.0.1 is set on the client, and I can ping 10.0.0.1.

Yes, I created a firewall rule to allow the VIP network

But your screenshots helped a lot. There's an Automatic NAT Rule, which I don't see, so I added the two you have and can now ping 1.1.1.1 and some other internet IP's.

@johnpoz said in Virtual IP subnet cannot connect to internet:

johnpoz · Sep 18, 2023, 6:17 AM

@BlueSun said in Virtual IP subnet cannot connect to internet:

There's an Automatic NAT Rule, which I don't see

You said your outbound rules were auto and it was added, I was just adding that screen for completeness

BlueSun · Sep 18, 2023, 6:17 AM

@johnpoz said in Virtual IP subnet cannot connect to internet:

@BlueSun said in Virtual IP subnet cannot connect to internet:

There's an Automatic NAT Rule, which I don't see

You said your outbound rules were auto and it was added, I was just adding that screen for completeness

Well, I set the outbound NAT rules to Automatic, but for some odd reason it didn't create the rules you have in your screenshot, so I had to add them manually.