Netgate Discussion Forum

    New setup, fighting with public IP's

    Board: Problems Installing or Upgrading pfSense Software
    ppt

      It's probably something I'm overlooking, however I've been fighting with pfSense for quite a while now in order to try and get it to work properly. What I'm trying to do is the following:

                [Internet]
                    |
                 [switch]
                |       |
          [pfSense 1] ---- [pfSense 2]
           pu.bl.i.c        pu.bl.i.c
                |       |
                 [switch]
                    |
            [bunch of servers]
                pu.bl.i.c

      In other words: the uplinks enter the first switch, from there on out both the pfSense nodes get a public IP on their first NIC. Then they're linked together in failover configuration through NIC 2 and then they're supposed to pass on traffic to their 3rd NIC to the servers behind them. However the servers behind the pfSense nodes are supposed to have a public IP as well. I'm starting to wonder if this is even possible, because either I'm missing something or it's simply not possible :/

      Any help would be much appreciated! I've tried following the ancient guide that led to a transparent (bridged) firewall to no avail.

      jimp (Rebel Alliance Developer, Netgate)

        That should work as long as the IPs on WAN and LAN are in different subnets.

        Make sure in this case that you also disable outbound NAT (switch to manual and then delete any resulting rules).

        You'll still need firewall rules to allow traffic in to reach the 'internal' public IPs, of course.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        ppt

          What if WAN & LAN are in the same subnet? Would it be completely impossible or just way more complicated?

          jimp (Rebel Alliance Developer, Netgate)

            Way more complicated. You would have to bridge LAN to WAN in order to do that, and when you involve bridging with a CARP pair it can lead to lots of craziness if you aren't careful. It's really easy to cause a layer2 loop and melt the network down. :)

            There is info here on the CARP board, on the doc wiki, and even more (better) info in the book on dealing with CARP and bridging.

            ppt

              I bought the book but am not 100% sure about the following:

              • I set up 2 nodes, they utilize CARP in this way (fictional IPs):

              node 1:

              wan-ip: 1.1.1.2
              wan-vip (carp): 1.1.1.4
              lan-ip: 2.2.2.2
              lan-vip (carp): 2.2.2.4

              node 2:

              wan-ip: 1.1.1.3
              wan-vip (carp): 1.1.1.4
              lan-ip: 2.2.2.3
              lan-vip (carp): 2.2.2.4

              • I disabled NAT routing, so that every host behind the 2 nodes will display its own IP on the outside.

              Syncing the rules goes well. I can also setup a host behind the 2 nodes with the lan-vip (carp) as gateway and it'll be able to connect to the WAN with the correct IP. However, I can't connect to the host from the internet.

              Is this because I need to route the 2.2.2.0/24 subnet to my wan-vip (carp) 1.1.1.4? Or am I missing something? :)

              jimp (Rebel Alliance Developer, Netgate)

                Are the IPs on the LAN side routed to the WAN CARP IP address? They should be, or the next hop up will have no idea how to get them back to your LAN segment. Traffic may go out and never return.

                ppt
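A configuration sanity check for the routed CARP design discussed in the two posts above (public LAN subnet passed through without NAT, LAN subnet routed upstream to the WAN CARP VIP). This is an added example, not pfSense code and not from the thread; it uses the thread's fictional addresses, and the NAT rule count and the provider's route table are assumed to be supplied by hand.

```python
import ipaddress as ipa

def check_carp_routed_setup(nodes, wan_vip, lan_vip, outbound_nat_rules, upstream_routes):
    """Return findings for a CARP pair passing a public LAN subnet through without NAT.

    nodes: list of (wan_ip/prefix, lan_ip/prefix) strings, one tuple per node
    wan_vip, lan_vip: CARP virtual IPs as strings
    outbound_nat_rules: number of active outbound NAT rules (0 = outbound NAT disabled)
    upstream_routes: {destination_prefix: next_hop} as installed by the uplink provider
    """
    findings = []
    ifaces = [(ipa.IPv4Interface(w), ipa.IPv4Interface(l)) for w, l in nodes]
    wan_net, lan_net = ifaces[0][0].network, ifaces[0][1].network
    wan_vip, lan_vip = ipa.IPv4Address(wan_vip), ipa.IPv4Address(lan_vip)

    # Routed design only works when WAN and LAN are distinct subnets; otherwise bridging is needed
    if wan_net.overlaps(lan_net):
        findings.append("WAN and LAN overlap: routed design needs bridging instead")
    for i, (w, l) in enumerate(ifaces, 1):
        if w.network != wan_net or l.network != lan_net:
            findings.append(f"node {i}: interfaces not in the shared WAN/LAN subnets")
    if wan_vip not in wan_net or lan_vip not in lan_net:
        findings.append("CARP VIP lies outside its interface subnet")
    # Outbound NAT must be off so the servers appear with their own public IPs
    if outbound_nat_rules:
        findings.append(f"{outbound_nat_rules} outbound NAT rule(s) still active")
    # The next hop up must route the LAN subnet to the WAN CARP VIP, not to one node's physical IP
    routes = {ipa.IPv4Network(d): ipa.IPv4Address(h) for d, h in upstream_routes.items()}
    next_hop = routes.get(lan_net)
    if next_hop is None:
        findings.append(f"{lan_net} has no upstream route: traffic goes out but replies never return")
    elif next_hop != wan_vip:
        findings.append(f"{lan_net} routed via {next_hop}, not the CARP VIP {wan_vip}: breaks on failover")
    return findings

# The thread's fictional node addressing (constructed sample input)
THREAD_NODES = [("1.1.1.2/24", "2.2.2.2/24"), ("1.1.1.3/24", "2.2.2.3/24")]

def findings_before():  # state described in the thread: NAT off, no upstream route yet
    return check_carp_routed_setup(THREAD_NODES, "1.1.1.4", "2.2.2.4", 0, {})

def findings_after():  # once the provider routes 2.2.2.0/24 to the WAN VIP
    return check_carp_routed_setup(THREAD_NODES, "1.1.1.4", "2.2.2.4", 0, {"2.2.2.0/24": "1.1.1.4"})

if __name__ == "__main__":
    print(findings_before())  # one finding: the missing upstream route
    print(findings_after())   # []
```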

                  @jimp:

                  Are the IPs on the LAN side routed to the WAN CARP IP address? They should be, or the next hop up will have no idea how to get them back to your LAN segment. Traffic may go out and never return.

                  No, they're not yet. I wanted to confirm that was indeed what needed to happen. Funny thing is that I can do an ICMP ping and get a reply even though it's not routed through the WAN CARP IP yet. I'll contact our uplink provider.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.