4. Virtual IP's not responding as expected

Virtual IP's not responding as expected

  • E

    I'm having some issues here with getting Virtual IP's and NAT to work properly. First off, I'm running this on a VM on an ESX Server if that may be factor. I have activated promiscuous mode on the port group associated with the pfSense WAN interface.

    The physical:
    ESX Server connected to a switch using VLAN trunking with VLAN 100 designated as the external interface. One port on the switch is set to mode access vlan 100 and connected to the local network switch to provide external connectivity.

    The soft:
    The configuration is pfSense connected to a local network (the pfSense WAN interface) via a portgroup attached to VLAN 100 with the VLAN tagging managed by ESX so that pfSense doesn't do anything with regards to VLAN tagging.

    Local network 10.x.x.x/24
    pfSense IP 10.x.x.99

    There are 4 separate VLANs/Subnets attached to the pfSense VM.

    For the moment my firewall rules are any/any for testing purposes and will be locked down later.

    Currently the IP associated with the WAN interface of pfSense (local network) is pingable from both the local network and VMs in the subnets behind pfSense.

    I have declared a Virtual IP (10.x.x.98/32) set to Other. There is a NAT 1:1 mapping this Virtual IP to the address 192.168.101.10. The current state of affairs is that pfSense is correctly handling internal routing on the local subnets, but the machine attached to the Virtual IP can't go out on the WAN interface.

    However, any of the machines that do not have a NAT connection configured can go out via the WAN interface using the pfSense IP address. This works whether I use automatic or manual Outbound NAT.

    Notably, I do not see the 10.x.x.98 Virtual IP listed in the ARP table.

    Any ideas why this NAT connection is not working?

    0
  • M

    Did you ever solve this? I'm having the same/similar problem.

    0
  • Rebel Alliance Developer Netgate

    An "other" type VIP does not do ARP. For that you need CARP or Proxy ARP (or an IP alias on 2.0).

    Also if you are doing CARP/clustering, check the doc wiki for ESX config options you need to set for it to work properly.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy