Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    VIP(IP alias) able to ping on TMG but unable on the pfSense

    HA/CARP/VIPs
    2
    4
    2.4k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • B
      bruceus
      last edited by

      Hi.
      At first let me explain the environment I have over here. (TMG = Microsoft Threat Management Gateway)

      ISP router –- SWITCH --- TMG
                            |
                         pfSense

      ISP gave us two IP scopes:

      1. public IP addresses (195.x.x.216 /29) from the scope where also IP address of the default gateway (ISP router) resides:
      • 195.x.x.217 (gw)
      • 195.x.x.218 - 222 (usable IPs)
      • 195.x.x.223 (broadcast)
      1. public IP addresses (84.x.x.104 /29) which has no default gateway
      • 84.x.x.105 - 84.x.x.110 (usable IPs)
      • 84.x.x.111 (broadcast)

      If I'd like to publish a web server on the Microsoft TMG, the steps include assigning to the External (aka WAN) interface (main IP is from 1st scope - 195.x.x.222) additional IP from the 2nd IP address scope (84.x.x.105) and publish server through listener on that IP address. The main point over here is that I am able to ping IP address from the Internet.

      I connected to the switch pfSense and setup the WAN interface with the main IP address from 1st scope (195.x.x.219) and VIP from 2nd scope (84.x.x.110). For the debugging purposes I disabled firewall (automatically NAT as well).

      In summary...
      TMG: WAN interface -> 1 IP from 1st scope, 1 IP from 2nd scope
      pfSense: WAN interface -> 1 IP from 1st scope, 1 IP from 2nd scope

      Now the testing...
      PING from the TMG to the pfSense VIP address ..... WORKS.
      PING from the Internet to the pfSense main IP address ..... WORKS.
      PING from the Internet to the pfSense VIP address ..... FAILED.
      PING from the Internet to the TMG VIP address ..... WORKS.

      Of course I was trying at first to publish the web server using VIP, NAT 1:1, FW rules according other posts in the forum. With no success.

      What am I doing wrong and how would I setup pfSense correctly so I can successfully ping its VIP address?
      Is the issue at my site or at the ISP site?

      Michal

      1 Reply Last reply Reply Quote 0
      • GruensFroeschliG
        GruensFroeschli
        last edited by

        What kind of VIP are you using?

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        1 Reply Last reply Reply Quote 0
        • B
          bruceus
          last edited by

          @GruensFroeschli:

          What kind of VIP are you using?

          I am using IP Alias.

          1 Reply Last reply Reply Quote 0
          • B
            bruceus
            last edited by

            There is not any mention about need of having IP addresses from the same subnet regarding IP Alias in the documentation (http://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses%3F).

            Any ideas if I did something wrong or the mistake sits at the provider side? Or does somebody have an answer to question how am I able to alternate configuration so the publishing of the servers on the public IP addresses from the other subnet could work?

            Michal

            1 Reply Last reply Reply Quote 0
            • First post
              Last post