Virtual IP set to Nat inside

  • Love PFsense, but this one area gives me trouble and limits my use.  I have a network with a single internal network. Say 192.192.192.x/24. I have a range of public IPs Say I have assigned to my Wan interface. Setup some Nat/Rules that use that default address. All happy.  I know want to assign as virtual IP and setup forwarding of certain ports. I setup the virtual addresses as Carp and some as other to test.  I then went to Nat, setup the Nat selected the Virtual IP. It setup the Nat and then the rule. No luck. Is there a good tutorial with screen captures for the simple among to help with this.  I am looking at using pfsense a lot more if I can get this part right.

  • 192.192.192.x/24 is NOT a private subnet.
    172.16.2.x/24 IS a private subnet and NOT a public one.
    This should help you:

    From what you describe how you've set your NAT up it should just work.
    If you could post screenshots of:
    your NAT rules,
    VIP settings,
    firewall rules

    someone should be able to help you.

  • Made these up so as to not post the real subnets.. I will take some screen shots and post. Thanks

  • I, too am having the same issue.  Very simple setup, just not working.  I can't get screenshots at the moment because I had to switch back to my Endian firewall for the time being.

    All interface NATs are working, but NATs to the VIPs are not.  When I set up the NAT rules, for each one I told it to go ahead and create a matching firewall rule to allow it to work.  I thought it odd that the destination address on the firewall rule that was generated was the inside host and not the VIP.  I am assuming this means that the NAT happens before the firewall rules?


  • @rwebb616:

    I am assuming this means that the NAT happens before the firewall rules?


  • Correct.

    Any clues why this wouldn't be working?

  • Rebel Alliance Developer Netgate

    If the port forwards on the main IP work, but VIPs do not, you may have chosen the wrong VIP type, or the routing on the ISP side is not set to hand those off in the right way (or the way you think/expect).

    In order to say for sure, we would need to know exactly what you used for settings, screenshots preferably for the NAT rule, Firewall rule, VIP settings, etc. Without that information we can't say anything with any amount of certainty.

  • you may have chosen the wrong VIP type, or the routing on the ISP side is not set to hand those off in the right way (or the way you think/expect).

    I'll do my best to describe my setup.  I have a T1 with a 1720 router.  The ISP is routing two 6 ip subnets to the router.  I'm using ip unnumbered so I have one public from each subnet on the ethernet port which becomes my gateway address for pfSense.  The interface address for pfSense is just from the first IP subnet.  The first subnet is where most of the VIPs are used.  I have very little on the second subnet as of yet.

    I'm currently running Endian Community firewall which is working with this setup.  They call the Virtual IPs aliases on their setup.  I have aliases set up for the IPs in both subnets and they work in port forwards so I'm fairly confident it's not a routing issue.

    On pfSense I set up single addresses under Virtual IPs and set them up as Proxy Arp since I'm not running a failover.  I didn't try them as carp.  They show up in the port forward rules when I create a new rule.

    I will try to get some screenshots when able.  During the day I can't really take it down to switch over to pfsense because I am hosting things for my customers on the connection.  I'll have to wait until the evening.  Then usually my wife is surfing on the connection so I have to wait until she's done with that ;)

    Oh another piece to the puzzle is that I'm running pfsense on vmware at the moment.  I'm just doing that for testing and when I know everything is working I'm planning to move it to a physical box.


  • Rebel Alliance Developer Netgate

    That's a rather ugly way to do routing, and not how it usually happens. What you normally would do is have the second subnet routed to your firewall's IP in the first subnet.

    pfSense 1.2.3 doesn't officially support IP aliases, but they are available in 2.0. There are ways to hack them into the 1.2.3 config so they work but the GUI doesn't support them.

  • Are there any tutorials out there that show a typical virtual IP setup?  The interface seems relatively self-explanatory, the port forwarding just isn't happening.

    Another weird thing that happened when I had pfSense in place is that I couldn't rdp to one of my customer's servers.  When I put the Endian back in place it worked fine.  I didn't dig into anything at the time to figure out why, but all outbound connections from the lan to the wan were supposed to be permitted based on the first firewall rule that is there by default.


Log in to reply