2nd WAN on same interface using Virtual IP - gateway monitoring ping source does not use this virtual IP
-
I have a Netgate 4100 running pfSense 23.01.
The setup is: LAN4 is usually connected to another firewall, which has internet connection. LAN4 has a /30 private IP address configured in order to talk to this upper level firewall. However, I also added to this interface a Virtual IP, which is a public one, so that we may remotely access this lower level firewall directly in case we have problems with the upper level one. In this case, a local technician will simply connect the ISP cable directly to the lower level firewall.
I have added the ISP router IP as a gateway to the LAN4 interface.
However, here is the problem: when the technician does connect the ISP cable directly to the lower level firewall, the ISP gateway is never recognized as being "up", because the firewall uses the "physical" LAN4 IP as source for the ping requests. Since the ISP router is not on the same subnet as this physical IP, it does not answer.
The ISP router is, however, on the same network as the virtual IP I added to the interface. Even the ARP request for the MAC address of this router is sent asking for answers to be sent to the Virtual IP, not the physical one. After getting the MAC by this ARP request, however, the firewall does not use the Virtual IP as source for the pings.
Does anyone know why, or how to fix it? Thanks.
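An added diagnostic for the symptom described above (not from the thread or from Netgate), meant to be run from the pfSense shell: it probes the ISP gateway from the physical LAN4 address and from the Virtual IP using FreeBSD ping's -S source option, so you can confirm which source address the gateway actually answers before changing the monitoring setup. All addresses are placeholders.

```shell
#!/bin/sh
# Added diagnostic, not from the forum thread or from Netgate.
# Assumes FreeBSD ping (pfSense), where -S sets the source address
# and -W is the per-packet wait time in milliseconds.
IFACE_IP="192.0.2.2"      # placeholder: physical /30 address on LAN4
VIP="203.0.113.10"        # placeholder: public Virtual IP on LAN4
ISP_GW="203.0.113.1"      # placeholder: ISP router used as gateway

# ping_from SRC DST: one probe with the source address forced to SRC.
# Returns 0 if DST answered, non-zero otherwise.
ping_from() {
    ping -S "$1" -c 1 -W 2000 "$2" >/dev/null 2>&1
}

# working_source GW ADDR...: prints the first listed address from which
# GW answers; prints nothing and returns 1 if none of them work.
working_source() {
    gw="$1"; shift
    for src in "$@"; do
        if ping_from "$src" "$gw"; then
            echo "$src"
            return 0
        fi
    done
    return 1
}

# report: explains the gateway-monitoring result in the thread's terms.
# 0 = interface address works, 1 = only the VIP works, 2 = nothing works.
report() {
    if ping_from "$IFACE_IP" "$ISP_GW"; then
        echo "gateway answers probes from $IFACE_IP; monitoring should work"
        return 0
    fi
    src=$(working_source "$ISP_GW" "$VIP") || {
        echo "gateway unreachable from any LAN4 address"; return 2; }
    echo "gateway only answers probes from $src; monitoring pings use $IFACE_IP, so it shows down"
    return 1
}
```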
-
@marcelosb
It would be better to use a separate interface for this connection. In this setup, if there is no real need to communicate with the router, you can consider configuring a public gateway monitoring IP instead.
Or you just override the outbound masquerading for ICMP packets to this router.
-
@viragomann thanks for the suggestions. Masquerading could work, I see.
I will not be trying this only because I found a workaround that suits what I needed, even if it's not a solution that would apply to everyone. For the information of other forum members: I disabled the monitoring of the public IP gateway, so now it is considered always up. I made a gateway group with the private and public IP gateways, and configured private as tier 1 and public as tier 2. Then I made this gateway group the default gateway of the firewall. Now things work as I had planned: if the upper level firewall is connected to LAN4, it becomes the gateway. If it is disconnected and the ISP router is connected to LAN4 instead, the router becomes the gateway.
The use of the "physical" IP only occurs for the monitoring ping. When routing packets to the public IP gateway, the firewall uses the virtual IP and everything works just fine.