Virtual IP on LAN interface as client gateway. Logs say pass, but I get nothing



  • Hey all, I'm so frustrated by this issue. I've hunted around and tried everything I can think of, searched the forums, checked the FAQ, etc.

    The subject pretty much says it all. I've added a virtual IP on the LAN interface, and have created LAN rules and a NAT rule allowing all traffic out from a specific IP range. This IP range is not my usual LAN subnet… hence the creation of a virtual IP, so the firewall can "hear" the requests. I've set that virtual IP as the gateway of a test client in that new subnet.

    When I try to access anything beyond the pfsense box though, I get nothing. Can't ping, can't tracert, browse, anything. Looking at the firewall logs, I can see this traffic is being passed though! So, I'm not really sure how to proceed. Perhaps this is an unsupported configuration?



  • For the record, I'll explain my intentions with this setup. All the clients in our office LAN (desktops, laptops, etc.) have reservations configured on our (non-pfsense) DHCP servers.

    For those clients that connect to our DHCP servers, but who don't have a reservation, I'd like them to get a leased IP that is totally different from that of our LAN and servers, and which I can control via our pfsense firewall. Essentially a DHCP powered quarantine network, for anything that doesn't have an IP reservation.

    For the search engine:
    "virtual ip"
    "virtual IP LAN"
    "LAN Virtual IP"
    "Virtual IP on LAN"



  • The only VIP that would be allowed to be used as a gateway is type CARP; however, a CARP VIP has to be inside the real interface's subnet, so that won't work for you here. What you are trying to do won't work unless you add a second interface that you hook up to the same LAN switch. Another thing about your configuration that won't work is that you can't run 2 different DHCP servers in the same subnet, even if one is only answering to dedicated MAC addresses. The other server will always see the requests as well and might answer more quickly than the other one that holds the static leases. In fact I have seen a pfSense on embedded hardware on the same subnet nearly always answering faster than a full blown w2k3 server. Also, from a security point of view there is no real separation between the networks just by assigning different IP ranges to the clients. If you want to do this the right way you should start considering managed switches with VLANs and port authentication. Everything else doesn't make too much sense imo.
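    As an added example (not code from this thread or from pfSense), the following Python script checks the two addressing constraints the reply above relies on: whether the VIP lies inside the real interface's subnet, and whether the client's configured gateway is on the client's own link. The interface, VIP and client addresses below are constructed to mirror the situation described in the first post (a quarantine range that is not the LAN subnet); the function names are my own.

```python
from ipaddress import ip_address, ip_interface


def vip_in_interface_subnet(vip: str, iface_cidr: str) -> bool:
    """True if the VIP address lies inside the real interface's subnet.

    This is the constraint the reply places on a CARP VIP that is to be
    used as a gateway: e.g. VIP 192.168.1.2 on a LAN of 192.168.1.1/24.
    """
    return ip_address(vip) in ip_interface(iface_cidr).network


def gateway_on_link(client_cidr: str, gateway: str) -> bool:
    """True if the client's gateway is inside the client's own subnet.

    A client only ARPs for a gateway that is on-link; a gateway outside
    its subnet is unreachable without an explicit route.
    """
    return ip_address(gateway) in ip_interface(client_cidr).network


def check_vip_gateway(iface_cidr: str, vip: str, client_cidr: str) -> list[str]:
    """Run both checks and return a list of findings (empty means OK).

    Malformed addresses are reported as a finding rather than raising,
    so the function can be used over a batch of configurations.
    """
    findings: list[str] = []
    try:
        ip_interface(iface_cidr)
        ip_address(vip)
        ip_interface(client_cidr)
    except ValueError as exc:
        return [f"invalid address input: {exc}"]

    if not vip_in_interface_subnet(vip, iface_cidr):
        findings.append(
            f"VIP {vip} is outside interface subnet "
            f"{ip_interface(iface_cidr).network}; a CARP VIP cannot be used "
            "as a gateway here, so a separate interface for this range is needed"
        )
    if not gateway_on_link(client_cidr, vip):
        findings.append(
            f"gateway {vip} is not on the client's link "
            f"{ip_interface(client_cidr).network}; the client cannot ARP for it"
        )
    return findings


if __name__ == "__main__":
    # Constructed scenario matching the first post: the LAN interface is
    # 192.168.1.1/24, the quarantine range is 10.99.0.0/24, and the VIP
    # 10.99.0.1 was added on the LAN interface as the quarantine gateway.
    broken = check_vip_gateway("192.168.1.1/24", "10.99.0.1", "10.99.0.50/24")
    for line in broken:
        print("FINDING:", line)

    # Constructed scenario that satisfies the reply's constraint: VIP inside
    # the LAN subnet, client in the same subnet.
    ok = check_vip_gateway("192.168.1.1/24", "192.168.1.2", "192.168.1.50/24")
    print("OK" if not ok else ok)
```

    Run it as a script to see the findings for the quarantine scenario; the VIP is on-link for the client but outside the LAN interface's own subnet, which is exactly the case the reply says cannot act as a gateway without a second interface.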



  • You're right on all counts. There are limitations I am dealing with regarding certain areas of my network that prohibit me from full blown RADIUS authentication on all switch ports, which I would love. This was my attempt at a stop-gap solution.

    I'll consider adding another NIC, that's not outside the realm of possibility.
    And for the record, I am able to set up DHCP lease subnets separate from my reservations, all in Windows Server 2k3. I use PFsense DHCP on other networks.

    Thanks for the speedy reply. You rock.

