Ping to Virtual IP from Internet?
-
Hi all!
Simple question:
If I set a Virtual IP and add a new firewall rule on the WAN interface to permit protocol ICMP to pass, can I ping that Virtual IP from the Internet? ???
-
That depends on the type of VIP. You can ping a CARP IP directly. If you choose PROXY ARP you need to redirect the ICMP protocol to another machine that then can respond to the ping. Same for type OTHER. If you use PROXY ARP or OTHER make sure you then allow ICMP to the redirected machine, not the public VIP. First NAT is processed, then firewall rules are applied!
-
Hi, Hoba!
I understand you, but let me explain my PF settings.
WAN Interface=200.123.160.135/28
LAN Interface=192.168.10.222/24
VIP (Other or Proxy ARP)=200.123.160.130/32

Setting in NAT 1:1
Interface: WAN
External IP: 200.123.160.130/32
Internal IP: 192.168.10.158/32

In Firewall Rule
Just one rule:
Protocol: Any
Source: Any
Port: Any
Destination: Any
Port: Any
Gateway: Default

I can't ping 200.123.160.130 from the Internet. If you like, you can log in to my pfSense at 200.123.160.135 to see. :)
-
Come to the IRC channel at freenode ##pfsense and I might have a look at your setup.
-
Now I'm in IRC.
But where are you? :'(
-
I'm usually there during central european evening and night times. I'm online atm.
-
-
I have the same problem too.
WAN Interface: 203.77.230.20/29
LAN Interface: 172.16.4.252/16
VIP: 203.77.230.21 (Other)

NAT 1:1
Interface: WAN
External IP: 203.77.230.21/32
Internal IP: 172.16.4.16/32

NAT Advanced Outbound
Interface: WAN
Source: 172.16.4.0/24
Source Port: *
Destination: *
Destination Port: *
NAT Address: *
NAT Port: *
Static Port: NO

Rules LAN:
Proto: *
Source: LAN net
Port: *
Destination: *
Port: *
Gateway: *

Rules WAN:
Proto: ICMP
Source: *
Port: *
Destination: WAN address
Port: *
Gateway: *

I'm using pfSense BETA2.
Still stuck with incoming connections from the Internet to my selected LAN host.
My server is located in the LAN, not the DMZ.
I'm only able to open ICMP and SSH on the pfSense itself.
-
Added another rule at WAN:
Proto: ICMP
Source: *
Port: *
Destination: 203.77.230.21
Port: *
Gateway: *

And still not able to ping 172.16.4.16 from the Internet.
-
What do you need the advanced outbound NAT for? 1:1 NAT takes care of NATting the inside IP to the right external one. Also your outbound NAT rule is wrong as it doesn't have a "map to IP" specified (is that assignable this way anyway?).
- Disable advanced outbound NAT again.
- Change your rule at WAN to have the internal IP of your client (172.16.4.16) (NAT is processed first and after that firewall rules are applied!)
If it doesn't work with VIP "other" use "proxy arp" or "CARP" instead (your provider then most likely needs some kind of Layer2 reply).
-
- Recreate VIP
- Disable advanced outbound NAT
- Recreate NAT 1:1
- Recreate rules at WAN
And still not able to ping the VIP address.
Is there something wrong with my rules? ???
-
Well, I can ping your VIP:
Ping output:
PING 203.77.230.21 (203.77.230.21): 56 data bytes
64 bytes from 203.77.230.21: icmp_seq=0 ttl=44 time=370.610 ms
64 bytes from 203.77.230.21: icmp_seq=1 ttl=44 time=348.927 ms
64 bytes from 203.77.230.21: icmp_seq=2 ttl=44 time=355.200 ms
--- 203.77.230.21 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 348.927/358.246/370.610/9.110 ms
-
Sorry... the real 203.77.230.21 is my existing Linux box with iptables.
But I'm trying pfSense beta 2 in my lab with the real IP too, so I can switch that Linux/iptables box for pfSense if it works.
Right now I'm using 4 machines for testing:
- two as internal with IPs 172.16.4.16 and 172.16.4.74
- one for pfSense with LAN 172.16.4.252, WAN 203.77.230.20 (GW 203.77.230.17), VIP 203.77.230.21
- the last as external with 203.77.230.17

I just reset pfSense to factory defaults and recreated the whole config again.
But I'm still not able to ping the VIP from external. I'm only able to ping the WAN interface from external.
All traffic from internal to external works fine.

BTW, my pfSense mobo is a GA-K8NSNXP-939 with 2 RJ45 onboard, one with NVidia Ethernet (nve0) and the other with Marvell 8801 Gigabit Ethernet (pfSense didn't detect this chip), and 4 additional Linksys cards (pfSense probes them as dc0, dc1, dc2, dc3).
-
Finally... after testing on three motherboards, I can ping and port forward from external to the internal machine.
The main problem was the default gateway of the internal machine. I forgot to add the additional GW to the server's routing table. ;D ;D ;D
I will switch to pfSense immediately... thanks guys... ;) ;) ;)
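The two lessons of this thread, Hoba's point that 1:1 NAT is processed before the WAN firewall rules are evaluated (so a rule for the public VIP never matches), and the final post's missing default gateway on the internal host, are easy to get wrong because the GUI hides the order of operations. The model below is an added example written for this page, not pfSense or pf code; it uses the addresses posted in the thread, while the external source address 198.51.100.7, the rule and route structures, and the scenario names are constructed for the illustration.

```python
"""Model of how pfSense evaluates an inbound ping to a Virtual IP (VIP).

Added illustration, not pfSense or pf code. It encodes three points from
the thread: 1:1 NAT rewrites the destination before WAN rules are checked;
a Proxy ARP / Other VIP only answers through a NAT target while a CARP VIP
is answered by pfSense itself; and the internal host needs a route back
(default gateway via pfSense) or its reply never leaves the LAN.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "icmp", "tcp", ...


@dataclass(frozen=True)
class Rule:
    proto: str          # protocol name or "any"
    dst: str            # an IP, "any", or "wan address"
    action: str = "pass"


@dataclass(frozen=True)
class Vip:
    address: str
    kind: str           # "carp", "proxyarp", or "other"


def apply_1to1_nat(pkt, nat_1to1):
    """NAT 1:1: rewrite the destination if it is a mapped external IP."""
    if pkt.dst in nat_1to1:
        return Packet(pkt.src, nat_1to1[pkt.dst], pkt.proto)
    return pkt


def filter_wan(pkt, rules, wan_address):
    """First matching WAN rule wins; inbound traffic is blocked by default."""
    for rule in rules:
        if rule.proto not in ("any", pkt.proto):
            continue
        if (rule.dst == "any" or rule.dst == pkt.dst
                or (rule.dst == "wan address" and pkt.dst == wan_address)):
            return rule.action
    return "block"


def host_has_route(routes, dst):
    """routes: list of (prefix, next_hop) entries on the internal host."""
    ip = ipaddress.ip_address(dst)
    return any(ip in ipaddress.ip_network(p) for p, _ in routes)


def trace_ping(pkt, vip, nat_1to1, wan_rules, wan_address, host_routes):
    """Return (reachable, reason) for an ICMP echo arriving on WAN."""
    # A Proxy ARP / Other VIP is only a placeholder on the wire: without a
    # NAT target nothing on the firewall answers for it.
    if pkt.dst == vip.address and vip.kind != "carp" and pkt.dst not in nat_1to1:
        return False, "proxy arp/other VIP has no NAT target, nothing answers"
    translated = apply_1to1_nat(pkt, nat_1to1)          # 1. NAT first ...
    if filter_wan(translated, wan_rules, wan_address) != "pass":   # 2. then rules
        return False, f"blocked: no WAN rule passes icmp to {translated.dst} (post-NAT dst)"
    if translated.dst in (wan_address, vip.address):     # 3. pfSense answers itself
        return True, "answered by pfSense itself"
    if not host_has_route(host_routes, pkt.src):         # 4. reply must route back
        return False, f"{translated.dst} has no route to {pkt.src}; reply never leaves the LAN"
    return True, f"answered by {translated.dst}, reply routed via pfSense"


# Lab values from the thread; the external source 198.51.100.7 is constructed.
WAN_ADDRESS = "203.77.230.20"
VIP_OTHER = Vip("203.77.230.21", "other")
NAT_1TO1 = {"203.77.230.21": "172.16.4.16"}
ECHO = Packet("198.51.100.7", "203.77.230.21", "icmp")
LAN_ONLY = [("172.16.0.0/16", "direct")]
WITH_DEFAULT_GW = LAN_ONLY + [("0.0.0.0/0", "172.16.4.252")]


def scenario_rule_on_vip():
    # The thread's "Destination: 203.77.230.21" rule never matches after NAT.
    return trace_ping(ECHO, VIP_OTHER, NAT_1TO1, [Rule("icmp", "203.77.230.21")],
                      WAN_ADDRESS, WITH_DEFAULT_GW)


def scenario_rule_on_internal_no_gateway():
    # Hoba's fix applied, but the server lacks a default gateway (final post).
    return trace_ping(ECHO, VIP_OTHER, NAT_1TO1, [Rule("icmp", "172.16.4.16")],
                      WAN_ADDRESS, LAN_ONLY)


def scenario_working():
    return trace_ping(ECHO, VIP_OTHER, NAT_1TO1, [Rule("icmp", "172.16.4.16")],
                      WAN_ADDRESS, WITH_DEFAULT_GW)


def scenario_carp_direct():
    # A CARP VIP with no NAT entry is pinged directly once a rule allows it.
    return trace_ping(ECHO, Vip("203.77.230.21", "carp"), {},
                      [Rule("icmp", "203.77.230.21")], WAN_ADDRESS, LAN_ONLY)


if __name__ == "__main__":
    for name, fn in [("rule on VIP", scenario_rule_on_vip),
                     ("no gateway", scenario_rule_on_internal_no_gateway),
                     ("working", scenario_working),
                     ("carp direct", scenario_carp_direct)]:
        ok, why = fn()
        print(f"{name:12} -> {'PING OK ' if ok else 'NO REPLY'} ({why})")
```

Running it shows the two failure modes side by side: the first scenario is dropped at the filter stage because the WAN rule looks for the public VIP that NAT has already rewritten, the second passes the filter but the echo reply has nowhere to go, and only the third (rule on 172.16.4.16 plus a default gateway pointing at 172.16.4.252) completes. The CARP scenario reproduces Hoba's remark that a CARP VIP can be pinged directly without any NAT entry.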