Virtual IP question: traffic to a VIP doesn't seem to route
-
To set up a switch (factory 192.168.1.3 for the management interface) I need to add a temporary IP address (192.168.1.4) on a regular interface (VLAN 10 on an Intel network card, 192.168.4.0/24). Using a VIP I have added the temporary IP address (192.168.1.4/24) to the interface and this seems to work. From the pfSense firewall I can ping and port-scan the switch (192.168.1.3).
My management PC is on a different interface (172.26.9.50/24). On this interface there is an IPv4 floating rule to allow all IPv4 traffic to anywhere. This works fine for the other devices on the regular interface (192.168.4.0/24). From the management system I cannot reach the 192.168.1.3 device. In the logging I can see it accepts the traffic to the 192.168.1.3 address. In the routing information
The NAT settings are default (Automatic outbound NAT rule generation). The pfSense is connected to 2 WAN interfaces (failover mode, works fine).
What am I missing? Why can’t I reach the 192.168.1.3 device?
-
@boumacor Is there a firewall on the 192.168.1.3 device and/or does it allow connections from 172.26.9.50/24?
-
@SteveITS Thanks for your answer. The switch is a Zyxel GS1200-5HP v2; there should not be a firewall. Is the configuration of the pfSense firewall "in the right direction"?
-
@boumacor I'm not a huge fan of floating rules if they can be set as regular rules, since the, er, rules change for floating. Just to maintain clarity. However if the rule triggers and a state is open you're through pf.
Does the pfSense routing table show a route for the 192.168.1.0/24 subnet?
I would still be suspicious of the switch ignoring traffic outside its own subnet unless you're sure it will allow it. You could set an IP on some other device and ping it, to check the connection through pfSense.
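As an added illustration of the routing-table check suggested above (this is example code, not from the thread or from pfSense), the script below parses a constructed FreeBSD-style `netstat -rn` dump, the format that pfSense's Diagnostics > Routes page mirrors, and performs the same longest-prefix match the kernel does. The interface names (em0, em1, em2.10) and the WAN gateway 203.0.113.1 are assumptions; the subnets are the ones from the thread. The first table deliberately lacks a 192.168.1.0/24 row, the second has the connected route that installing a 192.168.1.4/24 IP alias on the VLAN interface would add. If the /24 route is missing, a packet for 192.168.1.3 falls through to the default route and, with automatic outbound NAT, leaves via the WAN instead of the VLAN, which is the symptom described in the question.

```python
import ipaddress

# Constructed sample of FreeBSD-style `netstat -rn` output. Interface names and the
# WAN gateway (203.0.113.1, a documentation address) are assumptions, not from the thread.
# Note: no 192.168.1.0/24 row, only the two regular LAN subnets and the default route.
SAMPLE_ROUTES_NO_VIP = """\
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
127.0.0.1          link#4             UH          lo0
172.26.9.0/24      link#2             U           em1
172.26.9.1         link#2             UHS         lo0
192.168.4.0/24     link#3             U           em2.10
192.168.4.1        link#3             UHS         lo0
"""

# Same table after the 192.168.1.4/24 IP alias VIP exists on VLAN 10 (em2.10): the
# kernel installs a connected route for the whole /24 plus a host route for the alias.
SAMPLE_ROUTES_WITH_VIP = SAMPLE_ROUTES_NO_VIP + """\
192.168.1.0/24     link#3             U           em2.10
192.168.1.4        link#3             UHS         lo0
"""


def parse_routes(text):
    """Parse netstat -rn style rows into (network, gateway, netif) tuples."""
    routes = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        dest, gw, _flags, netif = fields[:4]
        if dest == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            # A bare host address (no prefix) is a /32 host route.
            net = ipaddress.ip_network(dest, strict=False)
        # "link#N" means directly connected: there is no next-hop gateway.
        gateway = None if gw.startswith("link#") else gw
        routes.append((net, gateway, netif))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the same route selection the kernel performs."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, netif in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, netif)
    return best


def path_for(text, dst, expected_netif):
    """Check whether dst leaves as a connected route on expected_netif.

    Returns (ok, description). ok is False when the packet would instead be
    handed to a gateway (for example the default route towards the WAN).
    """
    net, gw, netif = lookup(parse_routes(text), dst)
    ok = netif == expected_netif and gw is None
    return ok, f"{dst} -> {net} via {gw or 'connected'} on {netif}"


if __name__ == "__main__":
    for label, table in (("without VIP", SAMPLE_ROUTES_NO_VIP),
                         ("with VIP", SAMPLE_ROUTES_WITH_VIP)):
        ok, desc = path_for(table, "192.168.1.3", "em2.10")
        print(f"{label:12s} {'OK ' if ok else 'BAD'} {desc}")
```

Run against a real dump, the check is the same: paste the output of `netstat -rn` from the firewall into the string and ask whether 192.168.1.3 resolves to a connected route on the VLAN interface rather than to the WAN gateway.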