Help understanding VIP
-
I am running version 2.1.5 on a Watchguard X700 Firebox. Since we have changed providers, I now have 5 IP addresses as opposed to the 1 that I had previously. I have been trying to set up a virtual IP address for my DMZ, but I have been failing non-stop. What I attempted to do was first create a VIP:
Firewall|Virtual IPs
Type: IP Alias
Interface: WAN
IP Address: 66.231.220.241/24
Next I tried my hand at doing a 1:1 NAT (Attachment #3)
Firewall: NAT: 1:1
Interface: WAN
External subnet IP: 66.231.220.241
Internal IP: DMZ Net (192.168.1.0/24)
Destination: Single Host - 192.168.1.50
NAT reflection: use system defaults
I have generic rules for the WAN and the DMZ (see attachments #1 and #2). I am able to ping the first external address just fine, but absolutely nothing for 66.231.220.241. So where am I going wrong?
-
Finally, I have been able to set up my VIP somewhat correctly. The problem that I am having is with my 1:1 NAT. Let me see if there is a thread that relates to those issues.
-
Don't use 1:1 NAT unless you must give full access to all ports on the server. Better to use a port-forward rule to forward a particular port on your LAN server to a port on your VIP address.
-
Similar issue with VIPs and 1:1 NAT
I've moved from a physical to a virtual (VMWare 5.5) pfSense 2.1.5 deployment and I'm still not able to get the 1:1 NATting working properly. The biggest issue that I see is that when I enable the 1:1 NAT the guest loses the ability to ping my WAN Gateway. If I remove the 1:1 or disable it then that guest is again able to ping my WAN Gateway. I have my firewall wide open (any/any) on all interfaces so I don't think it's a firewall rule causing this. Any ideas from the community would be great!
SETUP:
VIPs and 1:1 NATs
1. 97.x.x.10/29 | 1:1 NAT = 192.168.5.1 (F5 APM Web Access)
2. 97.x.x.11/29 | 1:1 NAT = 192.168.2.5 (2012R2 RDS Gateway)
3. 97.x.x.12/29 | 1:1 NAT = 192.168.2.4 (2012 R2 Web Server)
Physical Interfaces (em0-em2)
-EM0 (WAN) 97.x.x.13/29 (Gateway 97.x.x.9/29) <-- Lab WAN
-EM1 (all vlans from this) = EM1_vlan2 = 192.168.2.254 (tagged: vlan 2
-EM2 HomeNetwork 192.168.100.254/24 (Gateway 192.168.100.1/24) <-- This goes to my Home DDWRT Router
9 vLANS / Layer3 Gateways
CoreNetwork_v2 | 192.168.2.254
VM_Network_v3 | 192.168.3.254
VM_Network_v4 | 192.168.4.254
VM_Network_v5 | 192.168.5.254
VM_Network_v6 | 192.168.6.254
VM_Network_v7 | 192.168.7.254
VM_Network_v8 | 192.168.8.254
VM_Network_v9 | 192.168.9.254
SAN_Network_v10 | 192.168.10.254
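An added example, not from the thread or from pfSense itself, that applies to both the first post's VIP plus 1:1 NAT entry and the VIP / 1:1 NAT list above: a small Python check that models the fields those posts fill in. It assumes pf's binat semantics (the internal side's prefix length is applied to the external address and host bits are preserved) and that the firewall only answers ARP for an external address held by a VIP on that interface; both are my assumptions, not statements from the thread, and the sample rows are constructed from the first post's values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class OneToOneNat:
    """One row of Firewall > NAT > 1:1 as the posts describe it."""
    interface: str
    external_ip: str   # "External subnet IP" field
    internal: str      # "Internal IP" field: single host (/32) or a whole network

def vip_covers(vip, addr):
    """IP Alias and CARP VIPs are single addresses; Proxy ARP / Other may hold a block."""
    iface = ipaddress.ip_interface(vip["address"])
    if vip["type"] in ("IP Alias", "CARP"):
        return iface.ip == addr
    return addr in iface.network

def external_network(entry):
    """Assumed binat behaviour: the internal prefix length is applied to the external address."""
    internal = ipaddress.ip_network(entry.internal, strict=False)
    return ipaddress.ip_network(f"{entry.external_ip}/{internal.prefixlen}", strict=False)

def translate_external(entry, ext_addr):
    """Internal address an inbound packet to ext_addr is rewritten to (host bits preserved),
    or None when ext_addr lies outside the mapped external block."""
    internal = ipaddress.ip_network(entry.internal, strict=False)
    ext_net = external_network(entry)
    addr = ipaddress.ip_address(ext_addr)
    if addr not in ext_net:
        return None
    offset = int(addr) - int(ext_net.network_address)
    return ipaddress.ip_address(int(internal.network_address) + offset)

def check_entry(entry, vips, wanted_internal):
    """Two checks to run before exposing a host: is there a VIP on the interface for the
    external address (assumed ARP requirement), and does the mapping reach the intended host."""
    findings = []
    ext = ipaddress.ip_address(entry.external_ip)
    if not any(v["interface"] == entry.interface and vip_covers(v, ext) for v in vips):
        findings.append(f"no VIP on {entry.interface} holds {ext}; nothing answers ARP for it")
    reached = translate_external(entry, entry.external_ip)
    if str(reached) != wanted_internal:
        findings.append(f"{ext} maps to {reached}, not {wanted_internal}; "
                        f"set Internal IP to the single host {wanted_internal}/32")
    return findings

# Constructed sample mirroring the first post: its VIP, its 1:1 row as filled in, and a /32 variant.
VIPS = [{"type": "IP Alias", "interface": "WAN", "address": "66.231.220.241/24"}]
AS_POSTED = OneToOneNat("WAN", "66.231.220.241", "192.168.1.0/24")
SINGLE_HOST = OneToOneNat("WAN", "66.231.220.241", "192.168.1.50/32")

if __name__ == "__main__":
    for entry in (AS_POSTED, SINGLE_HOST):
        print(entry.internal, check_entry(entry, VIPS, "192.168.1.50") or "ok")
```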