How to do Port Forwarding with Virtual IPs



  • Hi,

    I am a newbie to pfSense. I recently configured my pfSense with a PPPoE WAN connection, and it does port forwarding for a server which is located in the LAN. The mail server IP address is a virtual IP. This setup works fine. I planned to change my setup by making my ADSL2 modem/router (Netgear) initiate the PPPoE connection, and the link between the modem and pfSense is another set of real IP addresses. Now the internet for the LAN is working fine, but the port forwarding is not working at all, as the modem/router does not know anything about the virtual IPs which are configured on pfSense. Hence, in order for pfSense to get anything for the virtual IPs, the modem has to send anything which it receives on the virtual IPs to pfSense. I tried to configure some static routes on the modem/router to send everything on the modem/router to pfSense. But it still does not work.

    Setup 1
                                virtual IP                          Port forwarding 
    Internet-->modem<------------pfsense(PPOE)<------------------->LAN

    This setup works fine

    Setup2

    (PPOE connection)              virtual IP                      port forwarding
    Internet-->modem/router(netgear)--------------------pfsense<------------------>LAN

    This setup does not work for virtual IP

    Any help will be much appreciated

    Thank you

    Sunny



  • What kind of Virtual IP did you use? CARP or Proxy ARP should work, as these kinds of VIPs generate Layer 2 messages. Are the VIPs in the same subnet as the WAN subnet?



  • Hi Hoba,

    The virtual IPs are normal layer 3 IPs. They are not defined as either CARP or Proxy ARP. The virtual IPs all belong to different subnets.

    For example
                                        (Virtual IP with PPOE parameters configured on PFSENSE)
                                                  200.100.2.10/32
                                                  200.100.3.10/32
    wanip(200.100.1.10)-------        200.100.4.10/32 ----------------LAN

    In this setup, where pfSense initiates the connection, these virtual IPs work fine to do the port forwarding to the LAN.

    But when I change the setup to

    Management IP on                    pfSense WAN interface
    Netgear(Modem/Router)                    Netgear                                IP (STATIC)           
    200.100.1.10----------------------200.100.3.10-------------------200.100.3.11      + Same Virtual IP as above-------------LAN   
                                                                                                                              with same Port forw. rules

    With this setup the LAN traffic is able to go out and in as usual. But none of my port forwarding rules work.
    As far as I know there must be some kind of routing problem between the Netgear (modem/router) and pfSense. (I made the Netgear (modem/router) act as a router for this setup.)

    Any suggestion on what is to be done to make this setup work will be very helpful.



  • @sunny:


                                        (Virtual IP with PPOE parameters configured on PFSENSE)
                                                  200.100.2.10/32
                                                  200.100.3.10/32
    wanip(200.100.1.10)-------        200.100.3.10/32 ----------------LAN

    ...
                                                Management IP on                    pfSense WAN interface
    Netgear(Modem/Router)                    Netgear                                IP (STATIC)           
    200.100.1.10----------------------200.100.3.10-------------------200.100.3.11      + Same Virtual IP as above-------------LAN   
                                                                                                                              with same Port forw. rules
    ...

    What do you mean by Virtual IPs with PPPoE? What kind of Virtual IPs did you use or how did you generate them?

    I also don't understand the second scenario. Why are you making things more complex and adding additional points of failure if the first configuration is working?



  • You say that you did not change the rules on pfSense in scenario 1 and 2,
    so then scenario 2 is broken.

    In scenario 1 you use 200.100.3.10/32 as a VIP.
    In scenario 2 you use that IP for the LAN side of the Netgear router.



  • Clarification

    1. The virtual IPs are Layer 3 IPs (they are not CARP or Proxy ARP form).

    2. "Virtual IP with PPPoE" refers to the VIPs configured on pfSense, with the pfSense WAN interface configured as PPPoE type. (Sorry if I was not clear.)

    3. The purpose of creating scenario 2 is that when I use PPPoE as the WAN interface on pfSense, the internet connection is very slow, and when I start ntop on the WAN interface, the WAN interface is turned off and on… This downtime is longer than what I had imagined (4 to 5 min).

    4. In scenario 1 the PPPoE connection parameters (username and password) are configured on the pfSense WAN interface. But in scenario 2 the PPPoE is initiated by the Netgear modem (username and password are configured on the modem), and I have the link from the Netgear modem to pfSense (WAN interface). This link is configured on the 200.100.3.10/30 network. That is, modem management IP 200.100.3.11 and pfSense WAN IP (STATIC) 200.100.3.12.

    5. This setup brings stability on my WAN interface... and when I run ntop, the downtime is reduced to 1 sec or less. This is the reason I want to make the second setup work.
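
The two addressing questions raised in this thread (is each VIP inside the pfSense WAN subnet, and is a VIP reused as an interface address on the modem link) can be checked mechanically. The Python below is an added example, not part of the original thread: it uses the addresses quoted in the posts, `audit_link` is a hypothetical helper name, and the /24 mask for the diagram case is an assumption because the diagram states no mask.

```python
import ipaddress as ipa

def audit_link(link_cidr, upstream_ip, fw_wan_ip, vips):
    """Return (address, verdict) pairs for the modem-to-firewall link and each VIP."""
    link = ipa.ip_network(link_cidr, strict=False)  # accepts host bits, e.g. x.x.x.10/30
    upstream, fw = ipa.ip_address(upstream_ip), ipa.ip_address(fw_wan_ip)
    usable = set(link.hosts())  # excludes the network and broadcast addresses
    out = []
    # Both ends of the link must be usable host addresses of the same subnet.
    for addr in (upstream, fw):
        if addr not in usable:
            out.append((str(addr), f"not a usable host address in {link}"))
    for vip in (ipa.ip_interface(v).ip for v in vips):
        if vip in (upstream, fw):
            out.append((str(vip), "collision: already an interface address on the link"))
        elif vip in link:
            # Upstream will ARP for it, so the firewall has to answer at layer 2.
            out.append((str(vip), "on-link: firewall must answer ARP (Proxy ARP or CARP VIP)"))
        else:
            # Upstream has no reason to deliver it to the firewall without a route.
            out.append((str(vip), f"off-link: upstream router needs a static route via {fw}"))
    return out

VIPS = ["200.100.2.10/32", "200.100.3.10/32", "200.100.4.10/32"]  # as listed in the thread

# Link addresses as stated in the clarification post.
CLARIFICATION = audit_link("200.100.3.10/30", "200.100.3.11", "200.100.3.12", VIPS)
# Link addresses as drawn in the scenario 2 diagram; the /24 mask is an assumption.
DIAGRAM = audit_link("200.100.3.0/24", "200.100.3.10", "200.100.3.11", VIPS)

if __name__ == "__main__":
    for label, result in (("clarification", CLARIFICATION), ("diagram", DIAGRAM)):
        print(label)
        for addr, verdict in result:
            print(f"  {addr:<14} {verdict}")
```
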

