Re: Public Subnet in LAN - not working.



  • Actually I'm currently wrestling with this same issue, I would like to have an OPT LAN subnet (separated by VLAN tags) with public addresses and no need for separate NATting. I tried bridging the interfaces but the results were pretty shabby (name resolution took ages, ping was successful sporadically at best etc.). We had a similar configuration at my last workplace with pfSense 1.2.3 but now that we are using 2.0RC1 I can't seem to get it to work the way it used to.

    Plus, is it possible to use a CARP VIP as a gateway with this kind of configuration? I have made it so far that I can ping both firewall IPs in the LAN with public addresses, but the VIP isn't reachable at all from the subnet (but is available from other subnets).



  • Some more detailed info about our setup:

    We have two pfSense boxes with CARP setup facing the internet. WAN is on em0 and has a xxx.xxx.xxx.xxx/25 network.

    Behind this firewall setup we have a mixture of networks: LAN on em2, which is used as the management interface and nothing else, and a few OPTX networks separated by VLAN tags, also on em2, that are used as "people" networks, internal server networks, WLAN etc. em1 is dedicated to CARP syncing.

    We would like to have the following setup with DMZ and PUBLIC networks, separated by VLAN tags also on em2 interface:

    DMZ as a "normal" private network to which we could create NAT port forwardings as needed, mostly development servers etc., basically no problem here.

    PUBLIC network as a network which would have its public address space from WAN, but with a /26 netmask, without the need to use virtual IPs or NAT, and with the ability to use the pfSense setup as a gateway, DNS server etc., which I think seems to rule out the possibility of bridging the interface.

    We have tried to bridge the interfaces, but the problem seems to be the aforementioned routing to other networks behind the pfSense setup. In addition, bridging the WAN and PUBLIC interfaces made access to the internet extremely unstable on all internal networks. Also it seems we can't use a CARP VIP as the gateway address on this network; it just doesn't answer anything from within the network.

    Am I making any sense here? As I said in the previous message, we have had a similar setup with 1.2.3 but with 2.0RC1 we just can't seem to get it to work at all. I would at least like to know if we are on a totally wrong track here.



  • Don't bridge in that setup, you'll want to have the public IP subnet behind the firewall routed to a WAN-side CARP IP, configure the internal OPT interface as the VLAN with one of the IPs within the public subnet, use a CARP IP for the gateway if you want CARP now or in the future, and manually configure outbound NAT accordingly to NAT only the private IPs.
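
    The plan in the reply above, expressed as a small checker, as an added example that is not part of the original thread or of pfSense itself. It assumes constructed RFC 5737 documentation addresses in place of the poster's real xxx.xxx.xxx.xxx/25 WAN, a separate /26 public block that the upstream routes to the WAN CARP VIP, and a few made-up RFC 1918 subnets for the existing OPT networks. It validates the addressing (the routed public block must not overlap the WAN on-link subnet; the OPT VLAN interface address and the gateway CARP VIP must both sit inside the public block and differ from each other) and builds the manual outbound NAT list in first-match order, with an explicit no-NAT entry for the public subnet ahead of the RFC 1918 entries so that public sources are never translated.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed example addressing (RFC 5737 documentation ranges), standing in
# for the poster's real networks. PUBLIC_NET is a routed block: the upstream
# sends it to WAN_CARP_VIP, it is NOT carved out of the WAN on-link subnet.
WAN_NET = ipaddress.ip_network("203.0.113.0/25")
WAN_CARP_VIP = ipaddress.ip_address("203.0.113.10")
PUBLIC_NET = ipaddress.ip_network("198.51.100.0/26")
PUBLIC_IF_IP = ipaddress.ip_address("198.51.100.2")   # this node's OPT VLAN interface address
PUBLIC_GW_VIP = ipaddress.ip_address("198.51.100.1")  # CARP VIP the hosts use as gateway
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.10.0.0/24", "10.10.20.0/24", "192.168.50.0/24")]

# RFC 1918 space spelled out explicitly; ipaddress.is_private also returns
# True for the documentation ranges used above, so it is not a usable test here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class NatRule:
    source: ipaddress.IPv4Network
    translate_to: Optional[ipaddress.IPv4Address]  # None means an explicit no-NAT rule


def validate_plan(wan_net, wan_vip, public_net, public_if_ip, public_gw_vip) -> List[str]:
    """Return a list of addressing problems; an empty list means the plan is consistent."""
    problems = []
    if wan_vip not in wan_net:
        problems.append("WAN CARP VIP is not inside the WAN subnet")
    if public_net.overlaps(wan_net):
        problems.append("public subnet overlaps the WAN on-link subnet; a routed block must be separate")
    if public_if_ip not in public_net:
        problems.append("OPT VLAN interface address is not inside the public subnet")
    if public_gw_vip not in public_net:
        problems.append("gateway CARP VIP is not inside the public subnet")
    if public_if_ip == public_gw_vip:
        problems.append("interface address and CARP VIP must be different addresses")
    return problems


def outbound_nat_rules(private_nets, public_net, wan_vip) -> List[NatRule]:
    """Manual outbound NAT list: no-NAT for the public block first, then RFC 1918 -> WAN VIP."""
    rules = [NatRule(public_net, None)]
    for net in private_nets:
        if not any(net.subnet_of(block) for block in RFC1918):
            raise ValueError("%s is not RFC 1918 space; refusing to NAT it" % net)
        rules.append(NatRule(net, wan_vip))
    return rules


def nat_action(rules: List[NatRule], src_ip: str) -> str:
    """First-match lookup of what a packet from src_ip would get: 'no-nat', the
    translation address as a string, or 'unmatched' if no rule covers it."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if ip in rule.source:
            return "no-nat" if rule.translate_to is None else str(rule.translate_to)
    return "unmatched"


def render_rules(rules: List[NatRule]) -> List[str]:
    """Human-readable rule lines in evaluation order."""
    return [
        "%d: source %s -> %s" % (i + 1, r.source, "NO NAT" if r.translate_to is None else "NAT to %s" % r.translate_to)
        for i, r in enumerate(rules)
    ]


if __name__ == "__main__":
    for p in validate_plan(WAN_NET, WAN_CARP_VIP, PUBLIC_NET, PUBLIC_IF_IP, PUBLIC_GW_VIP):
        print("PROBLEM:", p)
    for line in render_rules(outbound_nat_rules(PRIVATE_NETS, PUBLIC_NET, WAN_CARP_VIP)):
        print(line)
```

Rule order is the security-relevant part: if the RFC 1918 entries came first and one of them were widened to a catch-all, a host in the public block would silently be translated to the WAN VIP and the whole point of the routed subnet would be lost.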



  • Thanks for your answer, I indeed was missing the route for the subnet. Now I've got the subnet working otherwise, but I just can't get a connection to the CARP gateway VIP, everything works fine if I use either node's IP address as a gateway but the CARP VIP just isn't responding to anything. I can ping the address from outside or from another subnet but from inside the subnet the VIP doesn't seem to exist.



  • That sounds like a layer 2 issue, something not permitting two MACs on one port (on a physical or virtual switch if it's a VM).



  • The pfSense boxes are physical, the servers in the subnet are VMware virtual machines.

