SOLVED: VIP reachable from OPT1 but not from LAN via OPT1 address
Hi there,
I'm currently setting up a new firewall with pfsense to replace the old one.
I have the following setup:
WAN ----------|
              |---------------- LAN
OPT1 ---------|

fxp0 = LAN = 10.0.0.1
ste0 = WAN = 10.0.10.10, Gateway 10.0.10.1
ste1 = OPT1 = 10.0.20.10

The VIP is 10.0.20.20, which is NATed to 10.0.0.254, where a webserver is running on port 80.
If I'm doing "telnet 10.0.20.20 80" on a host within the OPT1 net it's getting a connection to the webserver. If I'm doing "telnet 10.0.0.254" from a host within LAN I also get a connection.
The problem starts when I try to connect from LAN to 10.0.20.20, since no data reaches the host behind 10.0.20.20. I ran wireshark on it and in this case no data was received at all.

NAT:
OPT1 TCP 80 (HTTP) 10.0.0.254 (ext. 10.0.20.20) 80 (HTTP)

Firewall rules:
LAN
Pass * LAN net * * * *
WAN
Block * RFC1918 networks * * * *
OPT1
Pass TCP * * 10.0.0.254 80 (HTTP) *

One more weird thing is that if I try to connect from LAN via the VIP, the firewall logs that the access was permitted and I can't find any log entry (currently logging for all rules is enabled) that says the answer was blocked, even though wireshark on 10.0.0.254 doesn't log any incoming or outgoing data from or to 10.0.20.10.
From my point of view my setup should be correct. Maybe I think wrong, but that was the idea:
"telnet 10.0.20.20 80" from 10.0.0.x:
10.0.0.x -> 10.0.20.10 -> 10.0.20.20 -(dnat)-> 10.0.0.254 -(snat)-> 10.0.20.20 -> 10.0.20.10 -> 10.0.0.x (happy)

Since everything is happening on OPT1 addresses, the WAN interface shouldn't be involved at all (I think of wrong routing).
One more thing I realized was that a traceroute from pfSense to the VIP fails.
Maybe one of you can tell me, how I can get this done. If you need more information, just ask.
Greetings,
D.

Edit:
Here's the routing table
default 10.0.10.1 UGS 0 1 1500 ste0
127.0.0.1 127.0.0.1 UH 0 8 16384 lo0
10.0.0 link#5 UC 0 1 1500 fxp0
10.0.0.3 00:04:76:9e:83:6a UHLW 1 2985 1500 fxp0 1200
10.0.20 link#2 UC 0 11 1500 ste1
10.0.20.20 link#2 UHLW 1 0 1500 ste1
10.0.10.0/24 link#1 UC 0 0 1500 ste0
10.0.10.1 00:1c:58:ee:dd:44 UHLW 2 10 1500 ste0 1168

And I found the following within "states" when trying to connect from LAN via telnet to the VIP:
tcp 10.0.20.20:80 <- 10.0.0.3:51331 CLOSED:SYN_SENT
tcp 10.0.0.3:51331 -> 10.0.20.20:80 SYN_SENT:CLOSED

10.0.0.3 is the client I'm doing the connect from.
Solution: After disabling "Disable NAT Reflection" under "System -> Advanced" it finally worked :D
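To show why the LAN client ends up in SYN_SENT:CLOSED without NAT reflection and why reflection needs the source rewrite the poster's own diagram includes, here is an added toy model of the packet path (my own code, not pfSense or pf; the topology, addresses and interface names come from the post, while the "snat_reflected" switch and the outcome strings are my simplification):

```python
"""Constructed toy model of a SYN to VIP 10.0.20.20:80, port-forwarded (rdr) to 10.0.0.254:80."""
from dataclasses import dataclass, replace

LAN_NET, OPT1_NET = "10.0.0.", "10.0.20."
VIP, SERVER, FW_LAN_ADDR = "10.0.20.20", "10.0.0.254", "10.0.0.1"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int = 80


def ingress_iface(addr):
    """Interface on which a packet from this source enters the firewall (post's topology)."""
    if addr.startswith(LAN_NET):
        return "fxp0"   # LAN
    if addr.startswith(OPT1_NET):
        return "ste1"   # OPT1
    return "ste0"       # WAN


def apply_rdr(pkt, iface, reflect, snat_reflected):
    """Port forward as configured on OPT1; NAT reflection installs a copy on LAN too."""
    rdr_ifaces = {"ste1", "fxp0"} if reflect else {"ste1"}
    if iface not in rdr_ifaces or pkt.dst != VIP or pkt.dport != 80:
        return pkt
    pkt = replace(pkt, dst=SERVER)
    # Reflected connections from the server's own subnet also get their source rewritten
    # to the firewall's LAN address, so the server's reply has to come back through pf.
    if snat_reflected and iface == "fxp0" and pkt.src.startswith(LAN_NET):
        pkt = replace(pkt, src=FW_LAN_ADDR)
    return pkt


def trace(client, reflect, snat_reflected=True):
    """Return (outcome, forward packet after NAT) for a SYN from `client` to the VIP."""
    fwd = apply_rdr(Packet(client, VIP), ingress_iface(client), reflect, snat_reflected)
    if fwd.dst == VIP:
        # No rdr matched: the SYN ends on the firewall-owned VIP and nothing answers,
        # matching the SYN_SENT:CLOSED state the post shows.
        return "no reply (SYN_SENT:CLOSED)", fwd
    if fwd.src.startswith(LAN_NET) and fwd.src != FW_LAN_ADDR:
        # Client and server share a subnet: the SYN-ACK goes straight to the client from
        # 10.0.0.254 instead of from the VIP, so the client's TCP stack discards it.
        return "reply bypasses firewall (asymmetric)", fwd
    return "established", fwd


if __name__ == "__main__":
    for args in (("10.0.20.5", False), ("10.0.0.3", False), ("10.0.0.3", True, False), ("10.0.0.3", True)):
        print(args, "->", trace(*args)[0])
```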