XEN : pfSense VM, PING works on internal network, nothing else
today is my first post about an issue i have been struggling with for quite a long time. i'm running a xen virtualized environment which serves different services for our family-run business, for instance a groupware and a web server. beneath all those mostly debian based virtual machines runs a Debian 6 Dom0 with xen 4.0.1. this has been working for quite a long time. there is a dmz called bridge where most of the vms are connected through each other. those machines which need access from the internet also have a secondary interface with a dedicated ip address. the problem is that a) every machine which is connected to the outside world needs its own firewall (iptables) and b) the firewall which serves the machine acting as a gateway for the dmz vms has become very complex and fairly hard to maintain.
what i've been trying is to set up a new gateway vm based on pfsense which handles all the firewalling for the internal network as well as forwards specific traffic to dedicated machines.
so far, i've put up a network configuration which has two bridges, one called 'virbr_external' where all available ip addresses get routed through and a second one called 'virbr_internal' where all vms connect to.
auto lo
iface lo inet loopback
iface lo inet6 loopback

auto eth0
iface eth0 inet static
    address A.B.C.243
    netmask 255.255.255.255
    pointopoint A.B.C.225
    gateway A.B.C.225

auto virbr_external
iface virbr_external inet static
    address A.B.C.243
    netmask 255.255.255.255
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    bridge_maxwait 0
    up route add -host A.B.D.200 dev virbr_external
    up route add -host A.B.D.201 dev virbr_external
    up route add -host A.B.D.202 dev virbr_external
    up route add -host A.B.D.203 dev virbr_external
    up route add -host A.B.D.204 dev virbr_external
    up route add -host A.B.D.205 dev virbr_external
    up route add -host A.B.D.206 dev virbr_external
    up route add -host A.B.D.207 dev virbr_external

auto virbr_internal
iface virbr_internal inet6 manual
    bridge_ports none
    bridge_stp off
    bridge_fd 0
the pfSense vm is up and running so far, which means that i can access the internet FROM the pfSense machine (ping, ntp, download and install packages). what doesn't work is traffic from the internal network, except ping. from the internal network i am able to successfully ping devices on the internet and do a dns name lookup, but as soon as it comes to e.g. an http download i get timeouts.
root@db:~# ping www.google.de
PING www.google.de (18.104.22.168) 56(84) bytes of data.
64 bytes from fra02s19-in-f31.1e100.net (22.214.171.124): icmp_req=1 ttl=54 time=6.18 ms
64 bytes from fra02s19-in-f31.1e100.net (126.96.36.199): icmp_req=2 ttl=54 time=6.17 ms
root@db:~# wget http://speedtest.qsc.de/1MB.qsc
--2013-12-06 20:12:02--  http://speedtest.qsc.de/1MB.qsc
Resolving speedtest.qsc.de... 188.8.131.52
Connecting to speedtest.qsc.de|184.108.40.206|:80... connected.
HTTP request sent, awaiting response... No data received.
Retrying.
the pfSense vm is configured like this:
WAN -> xn0 -> v4 : A.B.D.200/16
LAN -> xn1 -> v4 : 10.2.7.1/24
hopefully someone is able to provide some hints to resolve this issue?
thanks in advance
WAN -> xn0 -> v4 : A.B.D.200/16
LAN -> xn1 -> v4 : 10.2.7.1/24
is this correct.. you have a public /16?? Or is that private address space..
What are your lan firewall rules, is the default any any or did you tweak it?
thanks for the quick reply.
i got one ip address from my isp (A.B.9.243) and a small subnet. the traffic from the subnet needs to be routed through this single ip address as gateway.
since the gateway ip that has to be used is in another network (A.B.9.243) than the ips from the subnet (e.g. A.B.219.200), i had no choice but to use /16 as network mask. otherwise i wouldn't be able to put in the gateway during setup.
i just did a fresh install of pfsense, no tweaks, no extra rules. just made the setup, configured the two devices and that's it.
What? Never heard of such a thing.
So you're saying they gave you say a A.B.219.192/28 – so your IPs would be say A.B.200.193 to A.B.219.206
And told you to use A.B.9.243 as your gateway?? Really?? Normally if they gave you say the above A.B.219.192/28, either .193 or .206 in that range would be the gateway.
You're going to have all kinds of issues putting an invalid mask on your internet IP. I would double check with your ISP on how to properly set up your internet ip space. Did they maybe route your /28 to you - or whatever this small subnet they gave you is.. In that case quite often they give you a smaller network, say a /30, then you could put your /28 or /29 behind that, etc.
from my isp i got one single ip A.B.1.243/27 and a subnet A.B.219.200/29 with a usable range from A.B.219.201 - 206. for this subnet, i have to use the single ip (A.B.1.243) as gateway.
all current domUs which use the "old" scenario are configured "this way".
And what ISP is that – that is BROKE!! You're pointing to a gateway outside your network? Broke.. You must be missing some info. As you saw, the OS told you it was BROKE when you tried to do it ;)
So now you're changing your mask and setting the wan IP to the network WAN -> xn0 -> v4 : A.B.D.200/16; you said yourself usable IPs are 201 to 206, where 207 would be the broadcast. So why are you using the wire address of 200?
What is this:
iface eth0 inet static
You're setting up a point to point.. So your A.B.219.200/29 is routed to your IP? Makes more sense.. You don't put that network on the same interface. You put your network on another interface on your router, and your internet connection is a point-to-point connection. You then send traffic that is not on your network, i.e. the internet, down the point-to-point connection.
Again - YOU DO NOT point to a gateway outside your network, and you sure as hell do not change the mask to allow pointing to the gateway..
Requirements for Internet Gateways
A gateway is connected to two or more networks, appearing to each of these networks as a connected host. Thus, it has a physical interface and an IP address on each of the connected networks.
I really suggest you contact your ISP on how to set up your connection because you DON'T point to an IP outside your network as the gateway
jimp (Rebel Alliance Developer, Netgate):
It's not common, but is technically functional. It's definitely ugly, but some datacenters and ISPs are forcing it as IPv4 dries up.
thanks to jimp who "confirmed" my setup.
i did a reset to factory defaults on my pfSense vm and made the configuration according to Alain Spineux's blog post (http://blog.magiksys.net/pfsense-firewall-default-gateway-different-subnet), which means:
- during the console based setup i set the wan interface xn0 to one of the usable ips (A.B.219.201/24)
- then, at the command line, i invoked setting the route by :
route add -net A.B.1.243/32 -iface xn0
route add default A.B.1.243
- at this time, ping from the command line worked
- as mentioned by Alain, to allow the firewall to reply to ARP requests for subnet ip addresses on the WAN interface, i added a proxy ARP entry (A.B.219.200/29)
- then i masqueraded the source address by setting nat to manual and added one rule to rewrite to the IP used for xn0 (A.B.219.201)
Firewall: NAT: outbound WAN | 10.2.7.0/24 | * | * | * | A.B.219.201/32 | * | NO
unfortunately, it doesn't work :-( invoking a wget command from the internal lan times out and results in these two log entries:
LAN | 10.2.7.2:40345 | 10.2.7.1:53 | UDP
LAN | 10.2.7.2:34987 | 220.127.116.11:80 | TCP:S
LAN | 10.2.7.2:34988 | 18.104.22.168:80 | TCP:S
any suggestions ?
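The two approaches argued about in this thread, the "/16 mask so the gateway looks on-link" workaround versus the "/32 interface route plus default route" setup from the blog post, can be checked mechanically. The script below is an added example, not code from the thread, from pfSense or from the blog; it uses constructed stand-in addresses from the private 10.77.0.0/16 range in place of the anonymised A.B.x.y values (single routed IP in one /24, small /29 elsewhere in the same /16, exactly the layout the OP describes), and assumes the WAN NIC is called xn0 as in the thread.

```python
"""Added example (not code from the forum thread, pfSense or the linked blog):
check whether an ISP-supplied gateway is on-link from a WAN address, and
compare the two ways the thread discusses to make an off-subnet gateway usable.

All addresses below are constructed stand-ins from private 10.77.0.0/16 for
the thread's anonymised A.B.x.y values."""
import ipaddress
from typing import List

# Constructed placeholders (assumptions, not the poster's real addresses)
SINGLE_IP = "10.77.1.243/27"        # stands in for "A.B.1.243/27", the one IP the ISP assigned
SMALL_SUBNET = "10.77.219.200/29"   # stands in for "A.B.219.200/29"
ISP_GATEWAY = "10.77.1.243"         # the ISP says: use the single IP as gateway for the /29
WAN_NIC = "xn0"                     # pfSense WAN interface name from the thread


def gateway_on_link(interface_cidr: str, gateway: str) -> bool:
    """True when the gateway lies inside the interface's attached subnet.
    A kernel refuses a default route via a gateway that is not on-link,
    which is the error the OP hit during the pfSense setup."""
    iface = ipaddress.ip_interface(interface_cidr)
    return ipaddress.ip_address(gateway) in iface.network


def smallest_prefix_covering(address: str, gateway: str) -> int:
    """Longest prefix length (most specific mask) at which `gateway` becomes
    on-link from `address`. This is the "/16 trick" from the thread: it makes
    the route installable but claims far more address space than the host owns."""
    addr = ipaddress.ip_address(address)
    gw = ipaddress.ip_address(gateway)
    for prefix in range(32, -1, -1):
        net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
        if gw in net:
            return prefix
    return 0  # not reached for IPv4: /0 always contains the gateway


def usable_hosts(cidr: str) -> List[str]:
    """Usable host addresses of a subnet, excluding network and broadcast."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(h) for h in net.hosts()]


def host_route_plan(wan_cidr: str, gateway: str, nic: str = WAN_NIC) -> List[str]:
    """The approach the OP ended with: keep the honest mask and pin the
    off-subnet gateway with a /32 interface route, then point the default
    route at it. Returns FreeBSD/pfSense route commands as strings."""
    if gateway_on_link(wan_cidr, gateway):
        return [f"route add default {gateway}"]
    return [
        f"route add -net {gateway}/32 -iface {nic}",
        f"route add default {gateway}",
    ]


if __name__ == "__main__":
    wan = f"{usable_hosts(SMALL_SUBNET)[0]}/29"   # 10.77.219.201/29
    print("usable /29 hosts:", usable_hosts(SMALL_SUBNET))
    print("gateway on-link with /29?", gateway_on_link(wan, ISP_GATEWAY))
    print("mask needed to fake on-link: /%d"
          % smallest_prefix_covering(wan.split("/")[0], ISP_GATEWAY))
    for cmd in host_route_plan(wan, ISP_GATEWAY):
        print(cmd)
```

Run on the constructed addresses it reports six usable hosts (.201 to .206, matching the usable range the OP quotes), that the gateway is not on-link with the real /29, that a /16 is the first mask that makes it appear on-link, and emits the same two route commands the OP typed, with the /32 route keeping the interface mask honest instead of widening it.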
I had that happen to me. Ended up using a Wireshark capture to figure out what was going on. The bridges on the Xen host seemed to be blocking all traffic. Ended up using iptables to allow traffic on the bridge.
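On a Linux Dom0, bridged frames only pass through iptables when bridge netfilter is active (net.bridge.bridge-nf-call-iptables=1); in that case a FORWARD chain with policy DROP and no rule matching the bridge silently eats new flows between DomUs, which is the situation the previous reply describes. The checker below is an added example, not code from this thread or from Xen; it reads constructed sysctl and iptables-save text (real hosts would feed it the actual command output), uses the OP's bridge name virbr_internal, and the suggested ACCEPT rule is one of the two usual remedies (the other being to turn bridge-nf-call-iptables off so the bridge acts as a plain switch).

```python
"""Added example, not from the thread or from Xen: decide from a Linux Dom0's
`sysctl` and `iptables-save` output whether frames crossing a Xen bridge are
handed to iptables and whether the FORWARD chain would drop them. The sample
texts are constructed; the bridge name virbr_internal is the OP's."""
import re
from typing import Dict, List

# Constructed sample of `sysctl net.bridge` on a host with bridge netfilter active
SAMPLE_SYSCTL = """\
net.bridge.bridge-nf-call-arptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
"""

# Constructed sample of `iptables-save`: FORWARD policy DROP, one per-vif
# ACCEPT rule on the external side, nothing that matches virbr_internal
SAMPLE_IPTABLES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m physdev --physdev-in vif3.0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""


def parse_sysctl(text: str) -> Dict[str, int]:
    """Parse 'key = value' lines into a dict of ints; unparsable lines are skipped."""
    out: Dict[str, int] = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        try:
            out[key.strip()] = int(value.strip())
        except ValueError:
            pass
    return out


def forward_policy(iptables_save: str) -> str:
    """Default policy of the filter FORWARD chain (ACCEPT if the line is absent)."""
    m = re.search(r"^:FORWARD (\w+)", iptables_save, re.M)
    return m.group(1) if m else "ACCEPT"


def forward_rules(iptables_save: str) -> List[str]:
    """All rules appended to the FORWARD chain, in order."""
    return [l for l in iptables_save.splitlines() if l.startswith("-A FORWARD")]


def rules_for_bridge(rules: List[str], bridge: str) -> List[str]:
    """Rules that explicitly cover bridged frames on this bridge: an -i/-o on the
    bridge name or a generic physdev match. Conservative on purpose: generic
    rules such as the state match are not counted, since a fresh SYN misses them."""
    return [r for r in rules if bridge in r or "--physdev-is-bridged" in r]


def assess_bridge(sysctl_text: str, iptables_save: str, bridge: str) -> Dict[str, object]:
    """Report whether bridge traffic goes through iptables and whether new
    flows across `bridge` would be dropped by the FORWARD chain."""
    s = parse_sysctl(sysctl_text)
    filtered = s.get("net.bridge.bridge-nf-call-iptables", 0) == 1
    if not filtered:
        return {"filtered_by_iptables": False, "blocked": False, "suggested_rule": None,
                "finding": "bridged IPv4 bypasses iptables, so the FORWARD chain is not what blocks it"}
    policy = forward_policy(iptables_save)
    hits = rules_for_bridge(forward_rules(iptables_save), bridge)
    blocked = policy == "DROP" and not hits
    # One remedy: an explicit ACCEPT for frames bridged within this bridge.
    fix = (f"iptables -I FORWARD -i {bridge} -o {bridge} -m physdev --physdev-is-bridged -j ACCEPT"
           if blocked else None)
    finding = (f"FORWARD policy {policy} and no rule matches {bridge}: new flows across it are dropped"
               if blocked else f"FORWARD policy {policy}, {len(hits)} rule(s) match {bridge}")
    return {"filtered_by_iptables": True, "blocked": blocked,
            "suggested_rule": fix, "finding": finding}


if __name__ == "__main__":
    report = assess_bridge(SAMPLE_SYSCTL, SAMPLE_IPTABLES, "virbr_internal")
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed input it flags virbr_internal as blocked: bridge netfilter is on, the FORWARD policy is DROP, and the only ACCEPT rules are for a vif on the other bridge and for already-established state, so the first SYN of every flow never makes it across. Adding the suggested rule (or setting the sysctl to 0) clears the finding; a packet capture on the bridge, as the reply above did, is still the way to confirm which of the two applies on a real host.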