Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Unable to ping VIP from pfsense web-gui

    Scheduled Pinned Locked Moved HA/CARP/VIPs
    4 Posts 2 Posters 3.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B
      brcisna
      last edited by

      Hello All,

      My first install of pfsense.  1.2.3 –
      Delt with several firewall scenario's though, over years FYI.
      Created 6 VIPs to use as lan> wan public port forwards.
      Read through all of the how to's here and simply can not ping the VIP from the pfsense web-gui via the ,diagnostics-ping interface. I can ping the actual nic public ip here FYI.
      I have tried adding the VIP address to allowed traffic in the firewall rules but I m sure i am missing something.
      Edit: I created the VIP's as both 'other" and "Proxy-ARP" type and can not ping  either.
      Also can not ping any of the VIP's from sshing into the pfsense as well.
      here is what i am wanting to accomplish:

      mail server inside pfsense 172.28.8.55
      actual nic public ip xxx.xxx.xxx.66
      VIP address            xxx.xxx.xxx.68

      How do i forward the mail server ip address to the VIP/.68 ( port 143)to go out to the world for Webmail?
      As said,I can not even ping the VIP from pfsense web-gui?

      Thanks,
      Barry

      1 Reply Last reply Reply Quote 0
      • GruensFroeschliG
        GruensFroeschli
        last edited by

        Only CARP type VIPs are pingable.
        Are you sure you've set the subnet of the VIP correctly?

        Did you try to ping the VIP from another computer?

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        1 Reply Last reply Reply Quote 0
        • B
          brcisna
          last edited by

          Gruens,

          Thanks for the feedback.
          When you say " Set the correct subnet",,You lost me.
          I simply added the VIP as 'other" and also changed to Proxy-ARP. with no luck
          Is this were I need to do a 1:1 Nat for the VIP,to 'bind' it to the WAN ip for example?
          Were do I add subnet ? Don't remember seeing that option.
          In past firewalls I always "assumed" the VIP's( public allocated by ISP) were bound to the wan address,to put it simply?
          I also setup two of the created VIP's to be 'pingable' by adding them the same as you add the wan address in the firewall rules to be ICMP echo capable,for diagnostics. Still no ping responses.
          Also, I am not using any sort of CARP stuff so that is not in the picture,FYI.

          Could you please give me a
          1.
          2.
          3.
          setup?

          Is there a way I should be able to do a traceroute from sshing into the pfsense box to my VIP address and hit it this way?
          Also should I ever be able to see the VIP in the ifconfig command? AKA: ifconfig -a
          Strange thing is when I set this up a few days ago, and had what i though was right for port forwards for the mail server I could access the WEBMAIL from NXing to my home PC from work and could in fact see/use the webmail ,,about 30 mins later it had quit. Could also telnet from remote/home pc to VIP address/pfsense  port 143.
          I didn't change a thing either,. As I said this is my first setup of pfsense,so things seem kinda cryptic to me in lots of things related to the setup.
          As long as I have delt with this stuff, I feel like I have never been around this,,:-)

          Regards,
          Barry

          1 Reply Last reply Reply Quote 0
          • GruensFroeschliG
            GruensFroeschli
            last edited by

            If you are not using CARP type VIPs, then the IPs will not be pingable.
            Look at the wiki-page to VIPs for more information.

            You dont need to do anything (like creating a 1:1 forward) for the VIP to function.
            The VIP will bind to the interface on which you create it –> Not necessarily on WAN.

            You set the subnet on the same page on which you create the VIP.

            You can use CARP-VIPs even if you dont need CARP functionality.

            If you set up a VIP (any type) and forward stuff from it  (and allow it with firewall rules) to a server behind it should just work.
            I'm not sure i understood what your problem was.
            Did you test from the outside? Did you try to access it from within your LAN?
            Did you look at the pfSense wiki ( http://doc.pfsense.org )?
            There are quite a few howtos.

            We do what we must, because we can.

            Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.