Multiple WAN subnets on one WAN interface (pfSense 2.0)



  • I am having a hard time (understandably) finding good examples and documentation for pfSense 2.0, hence my post.

    I have a provider handing me serial IPs (/30) which I've assigned to the WAN of my pfSense box.

    I have two LANs connected (a 10.x and a 172.x network).

    Looking through the known descriptions of VIPs, I should "want" to use a Proxy ARP address to use the /29 my ISP assigned to me (which route via the /30 on their serial IPs). Since these are WAN IPs on different subnets, Proxy ARP seemed like the proper choice.

    I have never been able to pass on NAT forwards from the VIP address(es) to the LAN2, getting blocked by a default deny rule, which I don't think it should be hitting.

    Has anyone ever done this before?


  • Rebel Alliance Developer Netgate

    Yes, that is a very common setup, and works properly if you have the NAT and firewall rules set up properly.

    VIPs could use Proxy ARP or "Other" - if the /29 is actually routed to your WAN IP in the /30, then the "Other" type is preferred.

    The port forwards should have the proper VIP picked for the External address.

    The firewall rules should specify the LAN IP of the port forward as the destination address, and not the Virtual IP.

    If that doesn't help, we will need screencaps of your Virtual IP screens, NAT port forward list, and firewall rules on the WAN.
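
Added example, not part of the original thread and not pfSense code: a simplified Python model of the evaluation order behind the advice above, where the port forward rewrites the destination before the WAN rules are checked, so a rule whose destination is the Virtual IP never matches and the packet falls through to the default deny. The addresses (documentation ranges), class names and function names are constructed for illustration.

```python
# Simplified model (not pf itself) of the order applied to inbound WAN traffic:
# port-forward translation first, then first-match WAN rules, then the
# implicit default deny. All addresses are constructed samples.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    dst: str
    dport: int
    proto: str = "tcp"

@dataclass(frozen=True)
class PortForward:
    external: str      # VIP picked as the External address
    ext_port: int
    target: str        # internal host on LAN2
    target_port: int
    proto: str = "tcp"

@dataclass(frozen=True)
class PassRule:
    dst_net: str       # destination the WAN pass rule matches on
    dport: int
    proto: str = "tcp"

def translate(pkt, forwards):
    """Apply the first matching port forward; leave the packet alone otherwise."""
    for f in forwards:
        if (pkt.proto, pkt.dst, pkt.dport) == (f.proto, f.external, f.ext_port):
            return replace(pkt, dst=f.target, dport=f.target_port)
    return pkt

def evaluate(pkt, forwards, wan_rules):
    """Return (verdict, packet as the filter sees it)."""
    seen = translate(pkt, forwards)          # NAT happens before filtering
    for r in wan_rules:
        if (seen.proto == r.proto and seen.dport == r.dport
                and ip_address(seen.dst) in ip_network(r.dst_net)):
            return "pass", seen
    return "default deny", seen

VIP_NET = "198.51.100.8/29"                  # stands in for the routed /29
FORWARDS = [PortForward("198.51.100.10", 80, "172.16.0.10", 80)]
RULE_ON_VIP = [PassRule(VIP_NET, 80)]        # destination = Virtual IP range
RULE_ON_LAN_IP = [PassRule("172.16.0.10/32", 80)]  # destination = LAN IP
```

Calling `evaluate(Packet("198.51.100.10", 80), FORWARDS, RULE_ON_VIP)` reproduces the symptom from the first post; swapping in `RULE_ON_LAN_IP` passes the same packet.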



  • When I choose "other" I get…

    Warning: Illegal offset type in isset or empty in /etc/inc/interfaces.inc on line 812 Warning: Cannot modify header information - headers already sent by (output started at /etc/inc/interfaces.inc:812) in /usr/local/www/firewall_virtual_ip_edit.php on line 221

    I go back and reapply and it does.

    When I choose a subnet, I only get 5 IP addresses, not 6, so I added a single IP address. I do a port forward accordingly. The port forward is for another (LAN2) network which seems to work fine (except for the NAT forward).


  • Rebel Alliance Developer Netgate

    The two errors you describe are bugs in the GUI and I thought they were both corrected recently. Are you on a newer snapshot?



  • 2.0-BETA1
    built on Mon May 17 07:25:39 EDT 2010

    I can get around the bug; the problem is I cannot use alias IPs on my WAN interface.


  • Rebel Alliance Developer Netgate

    Update to a current snapshot and try again, at least to June 10 but ideally as new as possible.

