Issue forwarding ports on different interfaces



  • I have a pfsense 2.0 rc3 box with 3 public IP/WAN interfaces with addresses x.x.x.9, 10, 11 and a single LAN/Internal interface. I wanted to use x.x.x.11 to SSH into a "jump box", however I can only get the port to fwding to work if I choose x.x.x.9 as the the public interface for the NAT. Interfaces 10 & 11 refuse to work for any port fwding.

    So in short port fwding works on only one of my public interfaces.  I have only been using pfsense for a 3 months and still learning so I hope this is something simple that I missing.

    thanks for any help.



  • Are you using proxy arp vips? try to change carp vips and then it should work


  • Rebel Alliance Developer Netgate

    It sounds like you somehow assigned multiple interfaces (fake vlans maybe?) instead of using a single WAN IP and Virtual IPs. If you use Virtual IPs, it should work. The type you need depends on how they are delivered to you, but if they are in the same subnet as WAN, CARP should work fine.



  • I'll have to go and check what is what with CARP. Not even sure what that is.  ;D

    At installation I only set up the first public interface and internal and then activated the others about 2 days go. After added interfaces is there something that I should have done besides assigning the IP addresses?


  • Rebel Alliance Developer Netgate

    Adding additional interfaces is the problem - whether they are real or virtual, you don't need them - you only have one WAN with multiple IPs on that one WAN - you don't use one interface per IP.

    You use a single WAN, and add Virtual IPs there in order to use your additional IPs.



  • So just remove the interfaces and then add virtual IPs to the same wan interface?

    Was hoping to add a whitelist via block IP to the IP that I want to use for SSH, that was I can just avoid all the SSH attacks.  Still possible?


  • Rebel Alliance Developer Netgate

    Essentially, yes.

    And you can still block/filter by IP with Virtual IPs.



  • OK, so there are no options to assign IP address by DHCP for the virutal IPs. You have to assign the addresses via DHCO for AT&T uverse. ;-(

    So what now?


  • Rebel Alliance Developer Netgate

    Search the forum for CARP and uverse. Last I knew DHCP was not required.



  • OK, will do.

    I currently can't statically set the IP addresses, I have to go into the uverse gateway and select what interface gets what IP and then run dhclient for the IP to be renewed on the interface.



  • @jimp:

    Search the forum for CARP and uverse. Last I knew DHCP was not required.

    Will try this….

    http://forum.pfsense.org/index.php/topic,28184.0.html

    UPDATE: Worked like a charm! That totally bypassed Uverse's dumb config at the gateway.



  • @jimp:

    Adding additional interfaces is the problem - whether they are real or virtual, you don't need them - you only have one WAN with multiple IPs on that one WAN - you don't use one interface per IP.

    You use a single WAN, and add Virtual IPs there in order to use your additional IPs.

    What is the difference between CARP and Alias IP? I am not doing any clustering so from what I read the Alias IP makes more sense?

    http://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses%3F


  • Rebel Alliance Developer Netgate

    CARP VIPs get a unique MAC for each IP, IP alias are all shared on the main interface's MAC. Your ISP equipment may require a unique MAC per IP.



  • OK, I spoke too soon.

    When I add the CARP interfaces it shows up in the u-verse gateway, but clearly get marked as statically assigned and are forced behind the u-verse gateway's firewall making them useless. Didn't notice that before, and I had to reset the u-verse gw to get back to square one again.

    Is there a specific method/trick to setting up these CARP addresses?


  • Rebel Alliance Developer Netgate

    once they appear in the uverse gateway, you can flip a bit in the uverse router to disable the firewall on those IPs individually. It's just how the uverse router works, and I'm quite certain that's been covered elsewhere on the forum.



  • @jimp:

    once they appear in the uverse gateway, you can flip a bit in the uverse router to disable the firewall on those IPs individually. It's just how the uverse router works, and I'm quite certain that's been covered elsewhere on the forum.

    After the reset I was having some trouble getting the CARP interfaces to show up. Some forum member by name jimp had a bright idea to ping the VIPS and they would should up in the u-vserse gateway.

    http://forum.pfsense.org/index.php/topic,31167.0.html

    All looks well so far, as long as I learn then these little struggles are worth it.  ;D


Locked