In dire need of direction

  • Complete new user here.  Worked all night last night and can't get this right.  Not a very difficult setup, and can't find anywhere on the forums a step-by-step approach for newbies.  Hoping someone can kindly shed some light.

    Have 5 static IPs with Comcast, .x69-.x74, with .x74 being the gateway, netmask
    pfSense box assigned the first IP, Comcast modem is in 'bridge' mode.
    I set up a virtual IP for one of the other static WAN IPs, .x72
    server has an internal LAN IP of assigned by pfSense.
    tried to set up a rule to forward WAN to the

    can't access the server as it is being blocked by pfSense.

    The server is connected to a switch, where other PCs are also connected - no issues surfing or anything as I have outbound rules to allow access to the WAN.
    But, like I said, I can't get to my server.  Please help.  Even if you could point me in the right direction - I can read about it, but options are limited on the net.  Thanks

  • Can you elaborate on how you test that connections to the server are blocked?
    And, more importantly, from where do you test?
    Firewall logs?
    Firewall rules, NAT rules (normal/1:1), AoN rules, VIP settings, etc.

  • Sorry for being vague… I'll do my best to explain further:

    1.  Not sure what you mean - but I presume the server was blocked because I cannot access the site.  When I switched off the pfSense and just routed as before (through my router), the site was accessible.  Then I turned pfSense back on and I couldn't get through.  Also asked my wife to attempt to access from outside our internal network and same result.  Was my presumption wrong?

    2.  I tried to look through the logs but I actually couldn't find anything that showed that it was blocking that specific static IP.  Maybe I am missing something glaring.

    3.  I've tried so many different combinations of firewall rules, etc.  As it currently stands, this is what I have as far as settings:

    • set up a virtual IP with the static IP (x72).  I didn't know whether to select Proxy or CARP - but it is on CARP right now because I think I read somewhere that's what it should be on.
    • Have 1:1 NAT set up from the external public x72 WAN (subnet 32) routed to IP subnet 32
    • have a firewall rule for WAN for any interface mapped to the HTTP port of a single host

    That's really it.  Everything else I left alone - except for DHCP, which is enabled on the pfSense.

    I believe I read somewhere that my server needs to be on a separate subnet, which would actually be my preference.  I tried to set one up, using OPT1, but that didn't work either as I couldn't figure out how to get the server with a LAN 2 address of  So I have since gone back and tried to keep it simple.

    I really think what I am missing is something glaringly stupid.  My setup is: SMC Comcast modem -> pfSense box -> switch.  On the switch I have the server connected, as well as the rest of my home LAN PCs.

    Thanks a million for the willingness to help

  • Can you enable logging for the rule which allows access to the server?
    If traffic passes the pfSense it should show up in the log.

    Could you show screenshots of the things I asked about before?
    It's a lot clearer what you actually have configured than describing it with words.
    (You always could have something misconfigured)

  • Of course… I can do that... give me a few.  I enabled logging and will post screenies.  Give me 10 mins pls

  • OK, I took a few screenshots - hope this is what you need.  They are here:

    Also, this was in my system log… first time I've seen an entry like this that refers to the public static IP of the server (x72).  In the firewall log nothing is reported for the 72 address... only the 69, which is the address of the pfSense

    kernel: arp: x.x.x.x.172 is on re0 but got reply from 00:24:1d:b5:4c:41 on nfe0

  • There don't seem to be any files in the link you posted.
    You can simply attach jpegs or gifs here in the forum in a normal post.

    The log entry you posted means that an ARP entry for an IP/MAC pair exists for an interface, but traffic for this was received on another interface.
    Which interfaces are re0 and nfe0?
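    The kernel message quoted above is worth pulling out of the system log systematically, because the same "is on X but got reply from MAC on Y" pattern shows up both for a misplaced VIP (as in this thread) and for any host answering ARP from a segment it should not be on. The following is an added example, not code from the thread or from pfSense: a small Python parser for that FreeBSD ARP message, run over constructed sample log lines (addresses and MACs are made up). The interface roles in IFACE_ROLES (nfe0 = WAN, re0 = LAN) are taken from the poster's later reply and are an assumption for any other box.

```python
import re
from typing import Dict, List

# Constructed sample lines in the FreeBSD kernel ARP format quoted in the thread.
# All addresses (TEST-NET-3 / RFC1918) and MACs are made up for this example.
SAMPLE_LOG = """\
Jan  1 10:00:01 pfsense kernel: arp: 203.0.113.68 is on re0 but got reply from 00:11:22:33:44:55 on nfe0
Jan  1 10:00:05 pfsense kernel: arp: 192.168.1.20 is on re0 but got reply from 00:11:22:33:44:66 on nfe0
Jan  1 10:00:09 pfsense kernel: arp: 203.0.113.68 is on re0 but got reply from 00:11:22:33:44:55 on nfe0
Jan  1 10:00:12 pfsense sshd[123]: unrelated line that must be ignored
"""

# FreeBSD "arp: <ip> is on <ifA> but got reply from <mac> on <ifB>"
ARP_MISMATCH = re.compile(
    r"arp: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is on (?P<expected>\S+) "
    r"but got reply from (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on (?P<seen>\S+)",
    re.IGNORECASE,
)

# Assumed interface roles, from the poster's reply: nfe0 is WAN, re0 is LAN.
IFACE_ROLES = {"nfe0": "WAN", "re0": "LAN"}


def parse_arp_mismatches(log: str) -> List[Dict[str, str]]:
    """Return one dict (ip, expected, mac, seen) per matching log line; other lines are skipped."""
    events = []
    for line in log.splitlines():
        m = ARP_MISMATCH.search(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events: List[Dict[str, str]], roles: Dict[str, str] = IFACE_ROLES) -> Dict[str, dict]:
    """Group events by IP: how often it happened, which MACs answered, and the
    role (WAN/LAN) of the interface the kernel expected vs. the one it heard from."""
    summary: Dict[str, dict] = {}
    for e in events:
        entry = summary.setdefault(e["ip"], {
            "count": 0,
            "macs": set(),
            "expected": roles.get(e["expected"], e["expected"]),
            "seen": roles.get(e["seen"], e["seen"]),
        })
        entry["count"] += 1
        entry["macs"].add(e["mac"].lower())
    return summary


def findings(log: str) -> List[str]:
    """Human-readable verdicts. A public address the kernel expects on LAN but hears on
    WAN matches the thread's symptom (VIP bound to the wrong interface / wrong mask)."""
    out = []
    for ip, s in summarize(parse_arp_mismatches(log)).items():
        public = not ip.startswith(("10.", "192.168.", "172.16.", "172.17.", "172.18.",
                                    "172.19.", "172.2", "172.30.", "172.31."))
        if s["expected"] == "LAN" and s["seen"] == "WAN" and public:
            out.append(f"{ip}: public address has an ARP entry on LAN but answers on WAN "
                       f"({s['count']}x) - check the VIP's interface and netmask")
        else:
            out.append(f"{ip}: expected on {s['expected']}, answered on {s['seen']} "
                       f"({s['count']}x, MACs {sorted(s['macs'])})")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_LOG):
        print(line)
```

    Run it against a copy of the system log (or pipe `clog /var/log/system.log` output into it) and look at the grouped result rather than individual lines; a repeating entry for one public address is the signature to check the VIP settings against.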

  • Sorry about that.  nfe0 is the WAN and re0 is the LAN.

    Here are screens.  This is of the NAT settings.

  • And the rule screen:
    one of the overview and one of the config.  Which else do you need?
    Hopefully they are legible enough for you… lemme know if not.

  • OK, I get it - regarding the log that you explained.  That was just me trying to access the server from within my LAN, right?  So I need to create a rule that allows this.  Still, though, that cannot explain why it cannot be accessed from outside the LAN.  Thanks in advance for your help

  • Did you perchance create the VIP on the LAN interface?
    This would be consistent with the ARP message you got.

  • I don't think so - here is a screenshot of my virtual IP creation.

  • I gather it is not something glaring then, given it didn't jump out at you?

    Perhaps you can, if you don't mind, summarize the necessary steps one should take to accomplish this… maybe I can understand it better and the problem will come out.

    i.e.: the goal is to have 2 subnets on one interface.  One subnet (subnet 1) is for the internal LAN/PCs/home network.  The other subnet (subnet 2) is for the webserver.  The webserver is NAT'd with a public static IP.  The other static IP is shared by all other PCs on subnet 1.  Subnet 1 can access the servers, but the server subnet can only respond to requests from subnet 1 - otherwise they cannot access the internal LAN.

    So to do so, I just need to understand the steps one should take to achieve this.
    a.  Set up subnet 1 - do x, y, z
    b.  etc., etc.

    I am sure this would be of help to someone in the future.  I will definitely be writing something up once I get this figured out...hopefully soon.

    Thanks again,

  • You misconfigured your VIP.
    You've set as subnet /32 but it should be the netmask of the real interface.
    (The note there telling you this is not just a joke)
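    The fix above is a consistency rule that can be checked mechanically against a pfSense config backup: a CARP VIP's subnet bits must equal the prefix length of the interface it is attached to, and the VIP address must fall inside that interface's network (otherwise it was created on the wrong interface, the other possibility raised earlier in the thread). The following is an added example, not code from the thread or from the pfSense project. It parses a constructed config.xml fragment; the element names (interfaces/&lt;name&gt;/ipaddr and subnet, virtualip/vip/mode, interface, subnet, subnet_bits) follow the layout of pfSense's config.xml as I know it and should be treated as an assumption to verify against your own backup. All addresses are made up. IP Alias and Proxy ARP VIPs are deliberately skipped, because a /32 is legitimate for those; the mismatch only matters for CARP.

```python
import ipaddress
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed config.xml fragment (made-up TEST-NET-3 and RFC1918 addresses).
# Element names assume the pfSense config.xml layout; adjust if your backup differs.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>nfe0</if><ipaddr>203.0.113.65</ipaddr><subnet>29</subnet></wan>
    <lan><if>re0</if><ipaddr>192.168.1.1</ipaddr><subnet>24</subnet></lan>
  </interfaces>
  <virtualip>
    <vip><mode>carp</mode><interface>wan</interface><subnet>203.0.113.68</subnet>
         <subnet_bits>32</subnet_bits><descr>web server, mask wrong</descr></vip>
    <vip><mode>carp</mode><interface>wan</interface><subnet>203.0.113.69</subnet>
         <subnet_bits>29</subnet_bits><descr>mail, correct</descr></vip>
    <vip><mode>carp</mode><interface>lan</interface><subnet>203.0.113.70</subnet>
         <subnet_bits>24</subnet_bits><descr>created on the wrong interface</descr></vip>
    <vip><mode>ipalias</mode><interface>wan</interface><subnet>203.0.113.66</subnet>
         <subnet_bits>32</subnet_bits><descr>alias, /32 is fine here</descr></vip>
  </virtualip>
</pfsense>"""


def load_interfaces(root: ET.Element) -> Dict[str, ipaddress.IPv4Interface]:
    """Map interface name (wan, lan, opt1...) to its address/prefix; skip dhcp/none entries."""
    ifaces = {}
    for iface in root.find("interfaces"):
        ipaddr, bits = iface.findtext("ipaddr"), iface.findtext("subnet")
        if ipaddr and bits and bits.isdigit():
            ifaces[iface.tag] = ipaddress.ip_interface(f"{ipaddr}/{bits}")
    return ifaces


def check_carp_vips(config_xml: str) -> List[str]:
    """Return one finding per CARP VIP whose mask or placement is inconsistent
    with its parent interface. An empty list means every CARP VIP passed."""
    root = ET.fromstring(config_xml)
    ifaces = load_interfaces(root)
    findings = []
    for vip in root.iter("vip"):
        if vip.findtext("mode") != "carp":
            continue  # IP Alias / Proxy ARP VIPs use /32 legitimately
        name = vip.findtext("interface")
        addr = vip.findtext("subnet")
        bits = int(vip.findtext("subnet_bits"))
        parent = ifaces.get(name)
        if parent is None:
            findings.append(f"{addr}/{bits}: parent interface '{name}' has no static address")
            continue
        if bits != parent.network.prefixlen:
            findings.append(f"{addr}/{bits}: CARP VIP mask must equal the {name} "
                            f"interface mask (/{parent.network.prefixlen})")
        if ipaddress.ip_address(addr) not in parent.network:
            findings.append(f"{addr}: not inside {name} network {parent.network}; "
                            f"the VIP was probably created on the wrong interface")
    return findings


if __name__ == "__main__":
    for line in check_carp_vips(SAMPLE_CONFIG):
        print(line)
```

    Pointing `check_carp_vips` at the contents of a downloaded backup (Diagnostics > Backup/Restore) gives a quick pre-flight check before spending a night on rules and NAT: with the sample above it reports the /32 on the first VIP and the misplaced third one, and says nothing about the correct CARP VIP or the IP Alias.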

  • OMG.  Yes, I have been staring at this too long.

    Stay tuned… I am sure that was the problem.  You're a life saver.
