NAT and Rule problems
  • I have installed pfSense 1.2 on a Dell PowerEdge 750 server. I have two Ethernet interfaces in this server. One interface is on the WAN side, and the other is on the LAN. My Internet provider has given me a /29 network on an SDSL Internet line. I have defined four “Other” Virtual IPs in pfSense and used them in the NAT/Rules. The problem is that I can’t reach the inside NATed/ruled IPs via the VIPs defined on the WAN, but I can reach the pfSense interface IP. Does anyone have any idea what my problem is?

  • Did you create firewall rules that allow access to the VIPs?

  • Unless those IPs are routed to your WAN IP, you'll need to use proxy ARP or CARP type VIPs, not Other.
  • I created a NAT between the WAN IP and the LAN IP, which automatically created an access rule to the LAN IP.

    @GruensFroeschli:

    Did you create firewall rules that allow access to the VIPs?

  • I got a "small" IP segment ( 193.71../29 ) with a gateway IP from my provider. I have used this range before with a SonicWall PRO.

    @cmb:

    Unless those IPs are routed to your WAN IP, you'll need to use proxy ARP or CARP type VIPs, not Other.

  • Take a look at the screenshot

  • Yes, I mean I tried this. Should the mask for this Proxy ARP VIP be /32, or should it be the same mask as my WAN IP segment (/29)?

    For your information, I can access pfSense's own interface IP from the WAN. This IP is of course inside my WAN mask.

    @heiko:

    Take a look at the screenshot

  • Proxy ARP with /32, and CARP with your ISP mask, /29.

  • Proxy ARP /32 does not work with my alternative IPs from the WAN, only with pfSense's interface IP. CARP /29 works well with one of the alternative IPs, but the server reboots many times every time I change something. I must test further… :( When I put in a 10-year-old SonicWall PRO everything works, but I can’t use that unit instead because it lacks features. :)

    @heiko:

    Proxy ARP with /32, and CARP with your ISP mask, /29.

  • Ah… When I put a unique VHID group on every CARP IP, everything was OK... :-)
