    Netgate Discussion Forum

    Adding IPs to WAN connection

      kongslide last edited by

      I'm not a networking expert so please bear with me.

      I have a static WAN connection from my ISP that goes directly into PFS and looks like this:

      WAN (xx.xx.xx.36/30)<->PFS<->LAN

      I asked my ISP for a block of IPs, they gave me xx.xx.xx.216/29. I have no clue how to utilize these IPs. I would assume I need to set up VIPs for the individual IPs (xx.xx.xx.217, xx.xx.xx.218…). Really I'm lost, I just want a specific machine in my network to be accessed on one of these new IPs for http (or any other port for that matter).

      I know this might be a simple problem but like I said, I'm not great with this stuff, any help would be greatly appreciated.

      Thanks!

        kongslide last edited by

        Wow, I'm glad I'm not the only one that is baffled by this :)

          GruensFroeschli last edited by

          http://forum.pfsense.org/index.php?action=search
          Keyword: "VIP"

          In short:
          1: Add VIPs
          2: Create NAT forwardings
          3: Create firewall rules if not autocreated

            PinoVero last edited by

            This solution is not working for me… or at least not completely.

            I've "solved" it by adding my IPs manually via shell:

            ifconfig rl1 inet alias xx.xx.xx.3 netmask 255.255.255.0
            ifconfig rl1 inet alias xx.xx.xx.4 netmask 255.255.255.0
            ifconfig rl1 inet alias xx.xx.xx.5 netmask 255.255.255.0

            etc... to make it work fully and correctly.

              GruensFroeschli last edited by

              This works, is unsupported, and won't survive a reboot or a rebuild of the config files.

              What exactly do you mean by "it does not work for you"?

                dotdash last edited by

                Guessing, but his issue could be that you can't add CARP IPs from a secondary subnet. I have a rambling post about the same issue. My solution was to use 'other' VIPs.

                  nian last edited by

                  I'm having much the same issue …

                  1. Created VIPs as "Other"
                  2. Created NAT Port Forward on external address to point to my server's internal address
                  3. Failure!

                  ... as an alternative test, I did this:
                  1. Created VIPs as "Other"
                  2. Created NAT Port Forward on external address to point to pfSense internal IP
                  3. Success!

                  Which leads me to believe there is an issue with NAT Port Forward ... it should be able to get to my server's internal IP address! I can ping the server internal IP address regularly from my pfSense box. Is there something I need to configure in NAT?

                    GruensFroeschli last edited by

                    Can you show screenshots of your first attempt?

                    Are you sure you didn't mix the NAT rules and the firewall rules up?

                    1 Reply Last reply Reply Quote 0
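
Added example (not part of any post above, and not pfSense code): a small Python check for the three steps GruensFroeschli lists and for the NAT-versus-firewall-rule mix-up he asks about. It relies on pf applying port forwards before filter rules, so the WAN pass rule must name the internal target; the function name, data layout and all addresses are constructed for illustration.

```python
import ipaddress

def check_forwards(block, vips, forwards, wan_rules):
    """Return a list of problems in a planned VIP / port-forward setup.

    block     - CIDR the ISP assigned, e.g. "203.0.113.216/29"
    vips      - addresses defined as virtual IPs on WAN
    forwards  - (external_ip, port, internal_ip) NAT port forwards
    wan_rules - (destination_ip, port) pass rules on the WAN interface
    """
    net = ipaddress.ip_network(block)
    vip_set = {ipaddress.ip_address(v) for v in vips}
    rules = {(ipaddress.ip_address(d), p) for d, p in wan_rules}
    problems = []
    for vip in sorted(vip_set):
        if vip not in net:
            problems.append(f"VIP {vip} is outside the assigned block {net}")
    for ext, port, internal in forwards:
        ext, internal = ipaddress.ip_address(ext), ipaddress.ip_address(internal)
        if ext not in vip_set:
            problems.append(f"forward {ext}:{port} uses an address with no VIP")
        # pf applies the redirect before the filter rules, so the WAN pass rule
        # has to match the internal target, not the public address.
        if (internal, port) in rules:
            continue
        if (ext, port) in rules:
            problems.append(f"rule for {ext}:{port} targets the public address; "
                            f"destination should be {internal}")
        else:
            problems.append(f"no WAN rule passes traffic to {internal}:{port}")
    return problems

# Constructed sample values (documentation address ranges, not from the thread).
BLOCK = "203.0.113.216/29"
VIPS = ["203.0.113.217", "203.0.113.218"]
FORWARDS = [("203.0.113.217", 80, "192.168.1.10"),
            ("203.0.113.218", 443, "192.168.1.11"),
            ("203.0.113.219", 25, "192.168.1.12")]
WAN_RULES = [("192.168.1.10", 80),      # correct: internal target
             ("203.0.113.218", 443)]    # mixed up: public address

if __name__ == "__main__":
    for line in check_forwards(BLOCK, VIPS, FORWARDS, WAN_RULES):
        print(line)
```
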
                      cybrsrfr last edited by

                      Pino Vero: If you take the commands you are using, save a backup XML file and download it. Edit the file with your commands, adding the following into the <system> tag. Restore the new updated backup configuration. Then your commands will remain after reboot.

                      <shellcmd>ifconfig rl1 inet alias xx.xx.xx.3 netmask 255.255.255.0</shellcmd>
                      <shellcmd>ifconfig rl1 inet alias xx.xx.xx.4 netmask 255.255.255.0</shellcmd>
                      <shellcmd>ifconfig rl1 inet alias xx.xx.xx.5 netmask 255.255.255.0</shellcmd>
                      </system>

                        dotdash last edited by

                        @nian:

                        I'm having much the same issue …

                        1. Created VIPs as "Other"
                        2. Created NAT Port Forward on external address to point to my server's internal address
                        3. Failure!

                        ... as an alternative test, I did this:
                        1. Created VIPs as "Other"
                        2. Created NAT Port Forward on external address to point to pfSense internal IP
                        3. Success!

                        Which leads me to believe there is an issue with NAT Port Forward ... it should be able to get to my server's internal IP address! I can ping the server internal IP address regularly from my pfSense box. Is there something I need to configure in NAT?

                        Try adding a static route to the subnet the other VIPs are on, pointing to your WAN CARP VIP. Dig up my old post for the details of my setup. I was able to get the VIPs to work on either the primary or secondary node. This may depend on how your provider is routing the block to you.

                          nian last edited by

                          Ah, what sucks is, my LAN already has a static route: 10.0.0.0/8 10.x.x.x

                          I'm hosted at Softlayer, if that helps. They gave me a set of portable IPs (/27) where the first is the network address, the second is the gateway address, and the last is the broadcast address. Everything else in-between is usable.

                          I added a static route from my portable IPs (subnet /27) as follows: 10.y.y.0/27 10.y.y.y.1
                          I also tried the public route of my portable IPs (subnet /27) as follows: z.z.z.0/27 WAN_IP

                          ... where .0 is the correct network address to use with the subnet, and .1 is the correct gateway to use. But I think 10/8 catches it all, and it doesn't route properly.

                          Could this be the issue? I tried adding an alias to an IP address from the portable IP block -- no joy.

                            dotdash last edited by

                            Here is the other thread: http://forum.pfsense.org/index.php/topic,7039.0.html
                            My static route was: WAN (secondary subnet/mask) gateway (the WAN CARP address)
