Filtering Bridge to OPT1: Non-primary IP addresses invisible to pfSense
-
Snapshot 10/5/07 embedded
I'm using Filtering Bridge WAN to OPT1. (And NAT WAN to LAN)
Everything works fine except that hosts on OPT1 with multiple IP addresses on a single Eth int (Windows 2000) have their "additional" IP addresses totally ignored by pfSense - which I presume is routing on MAC address only.
I tried adding the additional IP addresses as a Virtual IP (tried on the LAN int and on the OPT1 int) to no avail. Messed with explicit rules. Considered a Static Route. Nothing worked - it's as if those addresses are totally invisible to pfS, no corresponding entries occur in the firewall log, no traffic is passed.
Any workarounds?
[In case I was not clear enough as to what I mean by additional IP addresses, I mean:
Subnet is 209.xxx.xxx.184 /29
pfS WAN IP is 209.xxx.xxx.190
Host on OPT1 is 209.xxx.xxx.188 and that same interface has the additional IP of 209.xxx.xxx.186.
209.xxx.xxx.188 is (with appropriate rules) pingable, fully filterable.
209.xxx.xxx.186 is completely invisible, no bridge is ever established, nothing appears in logs]
-
You can use as many IPs as you want on your OPT1 hosts, I've had deployments exactly as you describe and they work fine. You do not want it as a VIP since that IP is directly assigned on a system. That will likely break it, take that out.
What do you mean by "totally ignored"? What are you trying to do that doesn't work?
-
@cmb:
You can use as many IPs as you want on your OPT1 hosts, I've had deployments exactly as you describe and they work fine. You do not want it as a VIP since that IP is directly assigned on a system. That will likely break it, take that out.
What do you mean by "totally ignored"? What are you trying to do that doesn't work?
The VIP was only temporary in an attempt to make it work. Forget I ever mentioned it.
Quite simply, I have no access whatsoever from the WAN to those IP addresses on the (Filtered Bridge) OPT1 interface that are not the primary IP address on the host's Ethernet interface. Rules to the primary IP work perfectly; no rules to additional IPs (pass or deny, port or any) have any effect whatsoever, nor is there any corresponding entry in the log. It's as if the IP addresses were totally invisible to pfS.