CARP and VIPs NOT working



  • I'm using pfsense 1.2-BETA-1. I have several public IPs from xxx.xxx.xxx.42 to xxx.xxx.xxx.46 with subnet 255.255.255.248. The pfsense box is using IP address xxx.xxx.xxx.43 and I assigned the rest of the IPs (44-46) to several servers that I placed in my DMZ. So I assigned some VIPs with the following configuration:

    pfbox :
    WAN

    • IP : xxx.xxx.xxx.43/29

    • Gateway : xxx.xxx.xxx.41

    • DNS 1 : 202.133.3.237

    • DNS 2 : 202.133.3.7

    LAN

    • IP : 192.168.0.254/24

    DMZ (OPT1)

    • IP : 172.16.0.1/24

    VIP #1
    Type CARP
    Interface WAN
    Address xxx.xxx.xxx.44/29
    VIP pass xxxxxxxx
    VHID group 1
    Advertising Frequency 0
    Description : win server

    win server

    • IP : 172.16.0.2

    • Subnet : 255.255.255.0

    • Gateway : 172.16.0.1

    NAT 1:1

    • Interface : WAN

    • External subnet : xxx.xxx.xxx.44/32 (I can't use external subnet xxx.xxx.xxx.44/29, the pfbox will complain! ???)

    • Internal subnet : 172.16.0.2/24

    and after that I can't connect to the server and I get A LOT of hits in the firewall log to the IP xxx.xxx.xxx.43 (the pfbox IP). I wonder what's wrong: is it the NAT or the VIP, or is there something that I missed?

    any hint would be helpful



  • do you have firewall rules on your WAN in place that allow traffic to your server?



  • @rexsrexs:

    NAT 1:1

    • Interface : WAN

    • External subnet : xxx.xxx.xxx.44/32 (I can't use external subnet xxx.xxx.xxx.44/29, the pfbox will complain! ???)

    • Internal subnet : 172.16.0.2/24

    From the 1:1 NAT screen:
    The subnet size specified for the external subnet also applies to the internal subnet (they have to be the same).
    You are making a 1:1, so both subnets should be /32 (a single address).



  • I can't make the CARP type VIP with subnet xxx.xxx.xxx.44/32; the pfbox will also complain, it said

    Sorry, we could not locate an interface with a matching subnet for 202.133.1.44/32. Please add an ip in this subnet on a real interface.

    and I don't have any firewall rules on the WAN interface that either block or allow the traffic. Any more hints please? :-[



  • if you don't have a rule, everything is blocked by default



  • Now I'm placing a rule in the firewall to allow traffic from WAN to xxx.xxx.xxx.44 (the VIP) but I still can't connect to the server. Is there any rule that I should add? :-[



  • @rexsrexs:

    I can't make the CARP type VIP with subnet xxx.xxx.xxx.44/32; the pfbox will also complain, it said

    Sorry, we could not locate an interface with a matching subnet for 202.133.1.44/32. Please add an ip in this subnet on a real interface.

    If you are using a CARP VIP, the subnet mask of the VIP should match the subnet mask of the Interface (/29 in your case). The 1-1 NAT should still be a /32 to match one internal and one external address.
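
The combination the reply above describes, written out as the pf configuration underneath pfSense's GUI, is shown below as an added illustration. It is not taken from the poster's box or from the rules pfSense itself generates; it assumes the WAN NIC is em0, the DMZ NIC is em2, the public prefix is 202.133.1.40/29 (the network the error message's 202.133.1.44 belongs to, with the quoted /29 mask and .41 gateway), and the name win_server and the port list are placeholders. The CARP interface carries the VIP with the WAN's /29 mask, the 1:1 NAT is a binat between two single addresses, and, because pf translates before it filters, the pass rule on WAN names the internal address rather than the VIP.

```pf
# Added illustrative pf.conf fragment (not the poster's config and not the rules
# pfSense generates). Assumed: em0 = WAN, em2 = DMZ, public prefix 202.133.1.40/29.
ext_if  = "em0"
dmz_if  = "em2"
wan_ip  = "202.133.1.43"
win_vip = "202.133.1.44"   # CARP VIP #1, VHID 1, configured with the WAN's mask (/29),
                           # i.e. what the GUI does behind the scenes:
                           #   ifconfig carp1 create
                           #   ifconfig carp1 vhid 1 advskew 0 pass <VIP pass> 202.133.1.44/29
win_server = "172.16.0.2"  # the DMZ host behind the VIP (placeholder name)

# 1:1 NAT is a binat: one external /32 mapped to one internal /32. The external
# mask is also applied to the internal side, so the pair must be /32 on both.
binat on $ext_if from $win_server to any -> $win_vip

# pf applies translation before filtering, so the filter rule on WAN matches the
# already-translated packet: the destination here is the DMZ address, not the VIP.
# A rule whose destination is 202.133.1.44 never matches and the default block wins.
pass in quick on $ext_if proto tcp from any to $win_server port { 80 443 } \
    flags S/SA keep state

# Allow the replies and the server's own traffic out of the DMZ; the binat
# rewrites the source back to the VIP on the way out.
pass in quick on $dmz_if proto tcp from $win_server to any keep state
```

After loading such a ruleset, `pfctl -s nat` should list the binat pair and `ifconfig carp1` should show the VIP in MASTER state on the /29; a VIP entered as /32 cannot be matched to the WAN subnet, which is exactly the "could not locate an interface with a matching subnet" message quoted above.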

