Virtual IPs seem not to work



  • Hi All,

    I like the feel and approach of pfSense a great deal, but I have a small problem with configuring virtual IPs on the WAN NIC.

    Basic configuration is simplified to this:

    1 WAN NIC with static address showing in the webgui as x.x.x.129 /1 (not sure why it shows as /1 not /32 or some other subnetting)
    2 LAN NIC with 192.168.100.1/24
    3 Available public IPs x.x.x.129-200

    Using the WebGUI, I apply a proxy ARP or Other VIP to WAN NIC of x.x.x.171 and set NAT with auto creation of FW rules and for testing purposes even create wild any source/any port to .171 any port and the reverse rule to allow x.x.x.171 to send to any/any then if I ping from the webgui to the x.x.x.171 address I get no replies. Leading from that I obviously get no replies from WAN side or LAN side at all.

    Do I need to change the static IP subnet to encompass VIPs?  Any clues as to why what I thought would be a simple straightforward config is proving so unsuccessful?

    Must be missing something obvious I guess as others have been successful. Previously with other FW products just adding the IPs to the public side NIC and setting NAT and FW Rules worked fine. Is there a systemic difference with this product I need to understand. eg How is a VIP different from an alias in practice?

    Sorry, enough questions I think! ;-)

    K



  • @donty01:

    1 WAN NIC with static address showing in the webgui as x.x.x.129 /1 (not sure why it shows as /1 not /32 or some other subnetting)

    Stop right there. The WAN should be on the correct subnet for your IP block. If it is indeed static, and the web gui shows /1, then you most likely set the subnet mask to /1. Go back into the WAN interface setup and set the mask correctly. If I were to guess, the mask would be /25, but your ISP would know for sure.



  • Thanks very much for that - fast and accurate.

    Sounds weak, but that was where I was heading - I think I just needed someone to confirm I wasn't mad! I'm 200 miles away from the thing and didn't want to slice off the branch I am sitting on! Its actually treated as a /24 - I am using it in parallel with some other devices on a LAN on the public side.

    I didn't explicitly set the mask so it must have defaulted at some point to 1. Knew it couldn't be too difficult to do such a simple thing ;-)

    Now I can get back to playing with the more complex real solution I need, but with evidence that future problems really are likely to be my mistakes not the FW's.

    Cheers!

    K




Locked