SOLVED: VIP reachable from OPT1 but not from LAN via OPT1 address

  • Hi there,

    I'm currently setting up a new firewall with pfSense to replace the old one.

    I have the following setup:

    WAN –---------|

    fxp0 = LAN =
    ste0 = WAN =, Gateway
    ste1 = OPT1 =

    The VIP is which is nated to, where a webserver is running on port 80.

    If I'm doing "telnet 80" on a host within the OPT1 net it's getting a connection to the webserver. If I'm doing "telnet" from a host within LAN I also get a connection.
    The problem starts when I try to connect from LAN to since no data reaches the host behind I ran wireshark on it and in this case no data was received at all.

    OPT1  TCP  80(HTTP)  80(HTTP)

    Firewall rules:

    Pass  *  Lan net  *  *  *  *

    Block  *  RFC1918 networks  *  *  *  *

    Pass  TCP  *  *  80(HTTP)  *

    One more weird thing is that if I try to connect from LAN via the VIP, the firewall logs that the access was permitted and I can't find any log (currently logging for all rules is enabled) which says that the answer was blocked. Even though wireshark on doesn't log any incoming or outgoing data from or to

    From my point of view my setup should be correct. Maybe I think wrong, but that was the idea:

    "telnet 80" from 10.0.0.x:
    10.0.0.x -> -> -(dnat)-> -(snat)-> -> -> 10.0.0.x (happy)

    Since everything is happening on OPT1 addresses the WAN interface shouldn't be involved at all (I think of wrong routing).

    One more thing I realized was that a traceroute from pfSense to the VIP fails.

    Maybe one of you can tell me, how I can get this done. If you need more information, just ask.


    Here's the routing table
    default UGS 0 1 1500 ste0 UH 0 8 16384 lo0
    10.0.0 link#5 UC 0 1 1500 fxp0 00:04:76:9e:83:6a UHLW 1 2985 1500 fxp0 1200
    10.0.20 link#2 UC 0 11 1500 ste1 link#2 UHLW 1 0 1500 ste1 link#1 UC 0 0 1500 ste0 00:1c:58:ee:dd:44 UHLW 2 10 1500 ste0 1168

    And I found the following within "states" when trying to connect from LAN via telnet to the VIP:
    tcp <-  CLOSED:SYN_SENT
    tcp -> SYN_SENT:CLOSED is the client I'm doing the connect from.

    Solution: After disabling "Disable NAT Reflection" under "System -> Advanced" it finally worked  :D
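
An added example, not part of the original post: a minimal model of why a port forward bound to OPT1 (ste1) leaves a connection that arrives on LAN (fxp0) untranslated, which is consistent with the web server seeing no packets while the firewall logs a pass. All addresses are constructed, since the post's are not shown, and reflection is modelled simply as repeating the redirect on the other internal interface, which is an assumption and not pfSense's actual implementation. Only destination translation is modelled.

```python
from dataclasses import dataclass, replace

# Constructed sample values: the post's real addresses are not shown on the page.
VIP = "10.0.20.100"      # virtual IP on the OPT1 side (assumed)
WEB = "10.0.20.10"       # web server behind the VIP (assumed)
LAN_HOST = "10.0.0.5"    # client on LAN (assumed)
OPT1_HOST = "10.0.20.7"  # client on OPT1 (assumed)

@dataclass(frozen=True)
class Packet:
    in_if: str   # interface the packet arrives on
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Redirect:
    on_if: str   # a redirect only sees packets inbound on this interface
    dst: str
    dport: int
    target: str

def translate(pkt, rules):
    """Return the packet after destination NAT, or unchanged if no rule matches."""
    for r in rules:
        if (pkt.in_if, pkt.dst, pkt.dport) == (r.on_if, r.dst, r.dport):
            return replace(pkt, dst=r.target)
    return pkt

def with_reflection(rules, internal_ifs):
    """Model of reflection: repeat each redirect on the other internal interfaces."""
    extra = [replace(r, on_if=i) for r in rules for i in internal_ifs if i != r.on_if]
    return rules + extra

def reaches_web(pkt, rules):
    return translate(pkt, rules).dst == WEB

# The port forward from the post: OPT1 (ste1), TCP 80 -> 80.
FORWARD = [Redirect("ste1", VIP, 80, WEB)]
REFLECTED = with_reflection(FORWARD, ["fxp0", "ste1"])

if __name__ == "__main__":
    for name, rules in (("forward only", FORWARD), ("with reflection", REFLECTED)):
        for pkt in (Packet("ste1", OPT1_HOST, VIP, 80), Packet("fxp0", LAN_HOST, VIP, 80)):
            print(name, pkt.in_if, "->", translate(pkt, rules).dst)
```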