2.0-RC3 1:1 Nat with Virtual IPs

  • I have a setup working fine with pfsense 1.2.3 with 1:1 NAT and a number of virtual IP's set from my pool of a /28 from my provider.

    I have defined the virtual IP's under 2.0-RC3 and setup 1:1 NAT pointing at internal IP's for the 1:1. After doing this none of the machines defined in 1:1 NAT can send or receive traffic in or out of the network. Am I missing a step under 2.0 that changed since 1.2.3? Does anyone have 1:1 working for them under 2.0? I have checked and rechecked the options under System..Advanced…Firewall/Nat none of them seem to make any changes that allow my 1:1 machines to work.

  • I'm pretty sure you are going to need to setup port forwarding if you want traffic going to those VIPs and that will then setup WAN rules for accessing those VIPs.
    I have four external to 4 internal with destination of * for each.

  • So if that is the case, how will I do an upgrade from 1.2.3 to 2.0? Will the upgrade make these new rules that I dont have on my current working install of 1.2.3? I do not have any port forwards for any of my 1:1 Virtual IPs only firewall rules.

  • That is interesting, because I had 1.2.3 running for almost a year with port forwarding to my 1:1 VIPs.  Do you have both pfSense boxes on same network right now and on at same time?  What is your setup for having these boxes accessing the WAN subnet?
    I tried once to have both systems hooked up to a small switch that was plugged into our T1 router and found out that is not doable; you have to have a unique gateway for each firewall if they are both connected to the same LAN subnet.  That would be like setting up fail over for your internet; they way I setup my 2.0 box was by assigning it a LAN address and only having a live cable going to that ethx and leaving the others disconnected.  Then I went through and mirrored my settings, and finally moved all my cables over to the new 2.0 system.

  • 1:1 is fine, your existing rules will be upgraded to the new format for 2.0's 1:1 (which allows additional capabilities not previously present, but will work the same). It sounds like it's working fine but your VIPs aren't. Sounds like either you have an upstream ARP cache preventing that from working, or have the wrong type of VIP (don't use type Other in this case, any of the other types will work). If you're swapping out hardware between 1.2.3 and 2.0, you must clear your upstream ARP cache (or wait hours for it to timeout). If your upstream router is on premise, just power cycle it. Otherwise you may have to call your ISP.

Log in to reply