Netgate Discussion Forum

    Routing between IP-Alias IPs on different Firewalls on the same WAN subnet

    Routing and Multi WAN
    3 Posts 2 Posters 632 Views
    zero_life

      Hi,
      I have an odd issue that I was hoping someone here can help me with.  I'm sure it's something really stupid that I am missing, but for the life of me I just can't seem to get it.

      I have 2 pfSense firewalls running on the same WAN subnet 38.xxx.xxx.128/25
      Each of them has multiple IP-alias IPs that are 1:1 NATed to IPs on their respective LANs.

      FW1 -
      WAN - 38.xxx.xxx.225/25
      (vIP) - 38.xxx.xxx.180

      FW2 -
      WAN - 38.xxx.xxx.135/25
      (vIP) - 38.xxx.xxx.138

      Now when I try to connect to 38.xxx.xxx.180:80 from a host behind FW2 it fails with a timeout. 
      However, I am able to communicate with 38.xxx.xxx.225.

      I have an allow any rule on FW1 for that ip/port and can reach it from anywhere else…

      I know I just need to tell FW2 to forward requests for that IP to FW1, but all my attempts to make that happen have failed ... miserably.  :)

      Any ideas would be greatly appreciated.

      Derelict (LAYER 8, Netgate)

        You shouldn't need to do anything.

        What kind of VIP?

        Is FW2 getting ARP for .180 when you try to connect?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        zero_life

          Thanks for the reply Derelict,
          I verified the ARP and no entry for .180 existed, but there was one for .225.

          I figured I would try adding a rule

          any from WAN net to any

          to make sure my pings would get through, and then everything fell into place.  :)

          I had just changed FW2 so its MAC was different; I'm thinking maybe a stale entry on FW1 for the Virtual IP was the issue, and once a ping finally made it, everything got updated.
          I since removed the any rule I just made and now they can communicate fine.

          I should also mention FW1 is running 2.1.2 and hasn't been rebooted for 500+ days.  :)  I have it scheduled to be updated at the end of the month, but was hoping to wait for 2.3 and go straight to it…

          Anyway, thanks again for the point in the right direction...

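As a worked version of the ARP check the thread turns on, here is example code added to this page; it is not from the thread, the posters, or pfSense. It parses `arp -an` output in the form FreeBSD/pfSense prints it and classifies a neighbour's entry as missing (the .180 symptom), incomplete, stale (the old hardware address FW1 may have kept after FW2's MAC changed), or ok. The addresses (198.51.100.x, a documentation range standing in for the poster's 38.xxx.xxx.x), the MACs, the interface name and both ARP tables are assumptions, constructed to mirror the two states described above.

```python
"""Check the ARP state of IP alias VIPs shared across two pfSense boxes on
one WAN subnet, using the text that `arp -an` prints on FreeBSD/pfSense.

This is example code added to the thread, not code from the thread or from
pfSense. The addresses below (198.51.100.x, a documentation range) stand in
for the poster's 38.xxx.xxx.x addresses, the MACs and interface name are
made up, and both ARP tables are constructed, not captured from real boxes.
"""
import re
from typing import Dict, Optional

# One `arp -an` line on FreeBSD/pfSense looks like:
#   ? (198.51.100.225) at 00:11:22:33:44:55 on em0 expires in 1190 seconds [ethernet]
#   ? (198.51.100.200) at (incomplete) on em0 expired [ethernet]
ARP_LINE = re.compile(
    r"^\? \((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]{17}|\(incomplete\)) on (?P<ifname>\S+)"
)

# Assumed MACs. FW2 was rebuilt on new hardware, so its WAN MAC changed.
FW1_MAC = "00:11:22:aa:bb:01"
FW2_OLD_MAC = "00:11:22:aa:bb:02"
FW2_NEW_MAC = "00:11:22:aa:bb:03"

# Constructed `arp -an` output on FW2 before the fix: FW1's WAN address is
# known, FW1's VIP .180 is absent, and an unrelated host never answered.
FW2_ARP = """\
? (198.51.100.129) at 00:11:22:aa:bb:ff on em0 expires in 1100 seconds [ethernet]
? (198.51.100.225) at 00:11:22:aa:bb:01 on em0 expires in 1190 seconds [ethernet]
? (198.51.100.200) at (incomplete) on em0 expired [ethernet]
"""

# Constructed `arp -an` output on FW1: it still holds FW2's previous MAC.
FW1_ARP = """\
? (198.51.100.129) at 00:11:22:aa:bb:ff on em0 expires in 900 seconds [ethernet]
? (198.51.100.135) at 00:11:22:aa:bb:02 on em0 expires in 1150 seconds [ethernet]
"""


def parse_arp(output: str) -> Dict[str, Optional[str]]:
    """Map IP -> lowercase MAC from `arp -an` output.

    Incomplete entries (a request went out, nobody answered) map to None;
    lines that do not look like ARP entries are ignored.
    """
    table: Dict[str, Optional[str]] = {}
    for line in output.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m:
            continue
        mac = m.group("mac")
        table[m.group("ip")] = None if mac == "(incomplete)" else mac.lower()
    return table


def diagnose(table: Dict[str, Optional[str]], ip: str, expected_mac: str) -> str:
    """Classify one neighbour address against the MAC it should resolve to.

    An IP alias VIP answers ARP with the MAC of the interface it sits on, so
    FW1's VIP .180 must resolve to the same MAC as FW1's WAN address .225.
    (A CARP VIP would instead use its own virtual MAC, which is why the kind
    of VIP matters.)

      missing    - no entry at all, the symptom in the thread for .180
      incomplete - a request went out and no reply came back
      stale      - an entry exists but carries a different MAC, e.g. the
                   old hardware address after the other box was replaced
      ok         - entry present and matching
    """
    if ip not in table:
        return "missing"
    mac = table[ip]
    if mac is None:
        return "incomplete"
    if mac != expected_mac.lower():
        return "stale"
    return "ok"


def check_both_sides() -> Dict[str, str]:
    """Run the diagnosis from each firewall's point of view."""
    fw2 = parse_arp(FW2_ARP)
    fw1 = parse_arp(FW1_ARP)
    return {
        "FW2 -> FW1 WAN .225": diagnose(fw2, "198.51.100.225", FW1_MAC),
        "FW2 -> FW1 VIP .180": diagnose(fw2, "198.51.100.180", FW1_MAC),
        "FW2 -> host .200": diagnose(fw2, "198.51.100.200", "00:00:00:00:00:00"),
        "FW1 -> FW2 WAN .135": diagnose(fw1, "198.51.100.135", FW2_NEW_MAC),
    }


if __name__ == "__main__":
    for path, state in check_both_sides().items():
        print(f"{path:22s} {state}")
```

On a real pair of boxes the input would be the output of `arp -an` from each firewall's shell (or the Diagnostics > ARP Table page) rather than the constructed strings above; a `missing` result for the other firewall's VIP together with an `ok` result for its WAN address, or a `stale` result for the other box's WAN address after a hardware swap, is exactly the pattern the thread describes.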
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.