Netgate Discussion Forum

    Issue forwarding ports on different interfaces

      mejason69

      I have a pfsense 2.0 rc3 box with 3 public IP/WAN interfaces with addresses x.x.x.9, 10, 11 and a single LAN/Internal interface. I wanted to use x.x.x.11 to SSH into a "jump box", however I can only get the port fwding to work if I choose x.x.x.9 as the public interface for the NAT. Interfaces 10 & 11 refuse to work for any port fwding.

      So in short port fwding works on only one of my public interfaces. I have only been using pfsense for 3 months and am still learning, so I hope this is something simple that I am missing.

      Thanks for any help.

        Metu69salemi

        Are you using proxy ARP VIPs? Try to change to CARP VIPs and then it should work.

          jimp Rebel Alliance Developer Netgate

          It sounds like you somehow assigned multiple interfaces (fake vlans maybe?) instead of using a single WAN IP and Virtual IPs. If you use Virtual IPs, it should work. The type you need depends on how they are delivered to you, but if they are in the same subnet as WAN, CARP should work fine.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

            mejason69

            I'll have to go and check what is what with CARP. Not even sure what that is. ;D

            At installation I only set up the first public interface and internal and then activated the others about 2 days ago. After adding interfaces, is there something that I should have done besides assigning the IP addresses?

              jimp Rebel Alliance Developer Netgate

              Adding additional interfaces is the problem - whether they are real or virtual, you don't need them - you only have one WAN with multiple IPs on that one WAN - you don't use one interface per IP.

              You use a single WAN, and add Virtual IPs there in order to use your additional IPs.

                mejason69

                So just remove the interfaces and then add virtual IPs to the same wan interface?

                Was hoping to add a whitelist via block IP to the IP that I want to use for SSH, that way I can just avoid all the SSH attacks. Still possible?

                  jimp Rebel Alliance Developer Netgate

                  Essentially, yes.

                  And you can still block/filter by IP with Virtual IPs.

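An added example, not part of the thread and not rules generated by pfSense: one way to express the SSH allowlist asked about above in hand-written FreeBSD pf.conf syntax, forwarding SSH on a single virtual IP to the jump box only for allowlisted sources. The interface name and all addresses are constructed placeholders, and the virtual IP is assumed to be already configured on the WAN interface.

```pf
# Constructed values (documentation address ranges); substitute your own.
ext_if   = "em0"             # the single WAN interface (assumed name)
ssh_vip  = "198.51.100.11"   # virtual IP on WAN reserved for SSH (placeholder)
jump_box = "192.168.1.50"    # internal SSH jump box (placeholder)

# Sources permitted to reach the jump box.
table <ssh_allow> persist { 203.0.113.25, 203.0.113.64/28 }

# Translation: only allowlisted sources hitting the VIP on tcp/22 are redirected.
# Anything else addressed to the VIP is never translated toward the LAN.
rdr on $ext_if inet proto tcp from <ssh_allow> to $ssh_vip port 22 -> $jump_box port 22

# Filtering: default deny inbound on WAN, logging what is dropped.
block in log on $ext_if all

# Filter rules see the post-rdr destination, so match the jump box address,
# and repeat the source restriction rather than relying on the rdr alone.
pass in quick on $ext_if inet proto tcp from <ssh_allow> to $jump_box port 22 flags S/SA keep state
```

Running `pfctl -nf` against a file containing these rules parses them without loading anything.
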
                    mejason69

                    OK, so there are no options to assign IP address by DHCP for the virtual IPs. You have to assign the addresses via DHCP for AT&T uverse. ;-(

                    So what now?

                      jimp Rebel Alliance Developer Netgate

                      Search the forum for CARP and uverse. Last I knew DHCP was not required.

                        mejason69

                        OK, will do.

                        I currently can't statically set the IP addresses, I have to go into the uverse gateway and select what interface gets what IP and then run dhclient for the IP to be renewed on the interface.

                          mejason69

                          @jimp:

                          Search the forum for CARP and uverse. Last I knew DHCP was not required.

                          Will try this….

                          http://forum.pfsense.org/index.php/topic,28184.0.html

                          UPDATE: Worked like a charm! That totally bypassed Uverse's dumb config at the gateway.

                            mejason69

                            @jimp:

                            Adding additional interfaces is the problem - whether they are real or virtual, you don't need them - you only have one WAN with multiple IPs on that one WAN - you don't use one interface per IP.

                            You use a single WAN, and add Virtual IPs there in order to use your additional IPs.

                            What is the difference between CARP and Alias IP? I am not doing any clustering so from what I read the Alias IP makes more sense?

                            http://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses%3F

                              jimp Rebel Alliance Developer Netgate

                              CARP VIPs get a unique MAC for each IP, IP aliases are all shared on the main interface's MAC. Your ISP equipment may require a unique MAC per IP.

                                mejason69

                                OK, I spoke too soon.

                                When I add the CARP interfaces they show up in the u-verse gateway, but clearly get marked as statically assigned and are forced behind the u-verse gateway's firewall, making them useless. Didn't notice that before, and I had to reset the u-verse gw to get back to square one again.

                                Is there a specific method/trick to setting up these CARP addresses?

                                  jimp Rebel Alliance Developer Netgate

                                  Once they appear in the uverse gateway, you can flip a bit in the uverse router to disable the firewall on those IPs individually. It's just how the uverse router works, and I'm quite certain that's been covered elsewhere on the forum.

                                    mejason69

                                    @jimp:

                                    once they appear in the uverse gateway, you can flip a bit in the uverse router to disable the firewall on those IPs individually. It's just how the uverse router works, and I'm quite certain that's been covered elsewhere on the forum.

                                    After the reset I was having some trouble getting the CARP interfaces to show up. Some forum member by the name jimp had a bright idea to ping the VIPs and they would show up in the u-verse gateway.

                                    http://forum.pfsense.org/index.php/topic,31167.0.html

                                    All looks well so far, as long as I learn then these little struggles are worth it. ;D

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.