Moving servers behind one PFsense box to another PFsense box…problems



  • I'm attempting to move a few virtual servers, hosted behind an old desktop running PFsense, to a bigger UTM running PFsense. Both machines run 2.1.5. I exported the firewall, virtual IP, NAT, etc. settings from the old box and imported onto the new. I'm not running any packages except OpenVPN export.

    I disconnected the old box from the switch and plugged in the new box. Then, I disconnected the old box's WAN connection from the switch and plugged in the new PFsense box's switch. I rebooted the virtual servers (Ubuntu 12), but the problem is that I can ping the DNS name associated with the web servers (virtual IP via PFsense), and I can SSH into the machines, which should mean that the connections through the new PFsense box are working. However, I can't get any webpages to load once I switch PFsense machines (but I can SSH into and ping the machines). The only thing that has changed is the WAN IP of the PFsense box. Any ideas about what is going on?



  • How did you set up the forwarding for the web ports? You mentioned virtual IPs, which sounds like you are NATing the public IPs to private ones. Did you use a static IP in the forwarding rule or did you use an alias? Since you can SSH into the machines, that means you updated the alias/IP for that rule. Or I'm way off course and you are actually using public IPs on the servers, which makes me wonder why it's not working as is.

    Is all testing done "externally" (pfsense's WAN side)?



  • Upstream ARP cache being outdated is the most likely cause (power cycle your modem if cable/DSL, otherwise contact your ISP).



  • @jflsakfja:

    How did you set up the forwarding for the web ports? You mentioned virtual IPs, which sounds like you are NATing the public IPs to private ones. Did you use a static IP in the forwarding rule or did you use an alias? Since you can SSH into the machines, that means you updated the alias/ip for that rule. Or I'm way off course and you are actually using public IPs on the servers, which puzzles me why it's not working as is.

    Is all testing done "externally" (pfsense's WAN side)?

    Yes, they are NATing from the public IP to an internal LAN IP. I'm doing all the testing over PFsense WAN since the servers are on a different LAN/different subnet than my machine.

    The ARP cache is a good idea. I power cycled the servers and PFsense but no luck. I'm assuming I could also assign the "old" WAN IP to the new box and get it working without rebooting our Verizon box? Thanks for your help.



  • @cwyant55:

    Yes, they are NATing from the public IP to an internal LAN IP. I'm doing all the testing over PFsense WAN since the servers are on a different LAN/different subnet than my machine.

    NAT reflection

    So, port forwarding rules are correct, all the IPs are correctly assigned, but only webservers aren't accessible? How are the webservers configured to listen? On a specific IP?
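
    The question above (does the web server actually listen on the address the port forward targets?) can be turned into a quick check. The script below is an added example, not something posted in this thread: it takes the LAN target of a pfSense port forward plus a listener table in the `Local Address:Port` format of `ss -tln` on Ubuntu, and reports whether any socket (exact address or wildcard) would accept the forwarded traffic. The addresses 10.0.0.10 and 203.0.113.10 and the listener table are constructed for the example; on a real box you would paste the output of `ss -tln` from the server and the target shown under Firewall > NAT > Port Forward.

```shell
#!/bin/sh
# Added example (not from the thread). Decide whether a pfSense port forward
# to TARGET_IP:PORT can work, given what the server actually listens on.
#
# Assumptions (hypothetical): the NAT target is 10.0.0.10, and the table
# below is constructed sample output in the format of `ss -tln` on Ubuntu.
# It reproduces the symptom in the thread: sshd listens on every address
# (0.0.0.0 / ::), while the web server is bound to one specific address
# that is NOT the NAT target, so SSH works and HTTP silently does not.
SAMPLE_LISTENERS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    :::22              :::*
LISTEN 0      511    203.0.113.10:80    0.0.0.0:*'

# listens_on TABLE IP PORT
# Prints "yes" if a LISTEN socket in TABLE accepts IP:PORT, where the socket
# address may be the exact IP or a wildcard (0.0.0.0, :: or *); else "no".
# The port is the text after the last ':' so that IPv6 forms like :::22
# and [::]:22 are handled the same way as 0.0.0.0:22.
listens_on() {
  table=$1; ip=$2; port=$3
  printf '%s\n' "$table" | awk -v ip="$ip" -v port="$port" '
    $1 == "LISTEN" {
      n = split($4, a, ":")
      p = a[n]
      addr = substr($4, 1, length($4) - length(p) - 1)
      sub(/^\[/, "", addr); sub(/\]$/, "", addr)
      if (p == port && (addr == ip || addr == "0.0.0.0" || addr == "::" || addr == "*")) {
        found = 1
      }
    }
    END { print (found ? "yes" : "no") }'
}

# check_forward TABLE TARGET_IP PORT
# Prints a one-line diagnosis; returns 0 when the forward can be answered,
# 1 when the bind address of the service would drop the forwarded traffic.
check_forward() {
  table=$1; ip=$2; port=$3
  if [ "$(listens_on "$table" "$ip" "$port")" = "yes" ]; then
    echo "ok: a listener accepts $ip:$port (exact or wildcard bind)"
    return 0
  fi
  echo "mismatch: nothing listens on $ip:$port; compare the service bind address with the NAT target"
  return 1
}

# Demonstration on the constructed table: port 22 is fine, port 80 is not.
check_forward "$SAMPLE_LISTENERS" 10.0.0.10 22 || :
check_forward "$SAMPLE_LISTENERS" 10.0.0.10 80 || :
```

    A "mismatch" result means the forward rule itself may be correct and the packets still die on the server, which is worth ruling out before chasing the upstream ARP cache. The check only covers the bind address; it says nothing about the firewall rule on the WAN interface or about whether the public VIP is being routed to the right box.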



  • @cwyant55:

    I'm assuming I could also assign the "old" WAN IP to the new box and get it working without rebooting our Verizon box? Thanks for your help.

    Not in the most common scenario, where the additional WAN IPs are IP alias or CARP VIPs. If they're routing your additional IPs to your WAN IP, then you'll have to move over the WAN IP so the routing functions. That's less common.

