PfSense VIP with UK ADSL connection just not working.
I know this question has been asked before, but even after trawling through all the posts on this forum that the search brought up, I'm none the wiser - sorry for the long post, but I want to give as much info as I can, in the hope that I can actually get pfSense to work, and therefore keep using it, rather than looking for an different solution…
I have a standard UK ipstream ADSLMax broadband connection, which gives me a static public ip. I also have a routed /29 subnet 78.141.x.x which I use for publishing webservers, my RequestTracker ticketing system, etc. Currently, I'm using a ZyXel P661 ADSL router to both connect me to the internet and do 1:1 NAT and firewalling. It was very simple to implement and does a very good job, but it's getting a bit overloaded and consequently performance is suffering.
So I thought I'd give pfSense a try. I went and bought a Draytek 120 modem to convert my PPPoA connection to PPPoE, built a pfSense box, hooked it up to the WAN port, ran through the setup wizard and bingo !! Internet access was up.
Now, I don't need my firewall to do any fancy failover or load balancing. All I need it to do is just allow my LAN full outbound access to the internet, publish my internal web servers using 1:1 or port forwarding NAT, and create a DMZ for my workshop, so that virus-riddled machines that come in for a rebuild don't infect the rest of my network.
Now the internet access bit is done, the DMZ seems pretty simple, but publishing my servers seems nigh on impossible. This is what I've tried so far:
Created the following firewall rule to allow inbound on port 80 to one of the webservers from ANY source.
TCP * * Webserver 80 (HTTP) *
Created individual PARP VIP's with a mask of /32
Created 1:1 NAT for 78.141.x.x /32 to 192.168.x.x /32
Now as far as I can tell, that's should be pretty much all I need to do, but it just doesn't work. I've tried creating a port forward NAT and allowing pfSense to work out the firewall rule itself, changing the type of VIP from PARP to other, changing the VIP from individual /32 addresses to a single /29 subnet (but that doesn't allow me to do 1:1 NAT as I can't choose the individual public IP that I want to use), and pretty much everything else I could think of.
Someone else suggested that tha GARP packet wasn't being issued by pfSense to tell my ISP to refresh its ARP cache, and therefore the VIP's weren't getting properly associated. The instruction from them was to use the first PARP address as the WAN address, which should force the GARP packet to be issued, but you can't do that with a PPPoE connection, as you can't choose what public IP to use.
Has anyone in the UK actually got this to work with a PPPoA connection, and if so, could you possibly post instructions on how you managed it ?
I can't believe that my little ZyXel SoHo router can manage this with no fuss, but a pfSense install is having so much trouble with it !!
Thanks very much,
Sorry all, got it fixed myself. Did two things - changed the PARP IP's to single ip's, but each one with a mask of /29 and also refreshed my webserver arp cache so that it wasn't still trying to use the old router as its gateway.
Knew that I'd get there in the end !!