RE: [pfSense Support] Virtual Ips

2007-12-26 Thread Sean Cavanaugh
First step, upgrade to latest release, 1.2-RC3 as there have been MANY fixes 
put in since 1.0.1
 
-Sean



 Date: Wed, 26 Dec 2007 09:17:45 -0800
 From: [EMAIL PROTECTED]
 To: support@pfsense.com
 Subject: RE: [pfSense Support] Virtual Ips

 I am having the same problem. I have an external IP from Qwest which is
 part of an 8-IP address block. That IP is the gateway and the others
 are for my use. So I am trying to assign them to devices on my local
 net.

 I set up mine in virtual IP, and created a NAT rule with the option
 selected to also create an associated firewall rule.

 I can surf out to the internet just fine but I can not access the device
 through the IP I designated, from the outside going in.

 I don't know about you, but I am using pfSense 1.01 and no extra
 services like Squid. One person suggested that Squid was installed and
 was blocking the entrance from the outside. But that was not the case
 because it is not installed.

 So I am in the same boat you are.

 James Kusler, Information Technology Manager
 PHONE| 509.624.1613 or 800.822.4456 FAX| 509.624.1604
 [EMAIL PROTECTED] | www.sound-tele.com | www.solaxis.com
 -Original Message-
 From: Ryan Rodrigue [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, December 26, 2007 9:19 AM
 To: support@pfsense.com
 Subject: [pfSense Support] Virtual Ips

 I have a stupid question.. I am trying to set up 2 servers with a separate
 external IP addresses. My wan IP is x.x.x.74 I want to use x.x.x.73 for
 server 1 and x.x.x.72 for server 2. Server 1 is 192.168.1.10 and server 2
 is 192.168.1.11. I think i have to set this up in 1:1 nat, Firewall rules,
 and also in Virtual IPs. Is there anywhere else i need to set this up, It
 doesn't seem to be working. Maybe I have this way off or something else.
 Thanks for your help.

Re: [pfSense Support] Virtual Ips

2007-12-26 Thread Curtis LaMasters
Under Virtual IP's are you using Carp, Proxy Arp, or IP?  If you want to use
1:1 NAT, go ahead and do so for that specific IP address, then under the
firewall rules add in a rule to match the traffic you would like to permit.
It should be that simple.  Additionally, the IP's 73 and 72 are within your
given range correct?  Are you using the correct subnet mask?

Curtis


RE: [pfSense Support] Virtual Ips

2007-12-26 Thread Ryan Rodrigue
sorry.  i mistyped.  I am at 1.2RC3

-Original Message-
From: Sean Cavanaugh [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 26, 2007 11:41 AM
To: support@pfsense.com
Subject: RE: [pfSense Support] Virtual Ips


First step, upgrade to latest release, 1.2-RC3 as there have been MANY fixes
put in since 1.0.1

-Sean





 Date: Wed, 26 Dec 2007 09:17:45 -0800
 From: [EMAIL PROTECTED]
 To: support@pfsense.com
 Subject: RE: [pfSense Support] Virtual Ips

 I am having the same problem. I have an external IP from Qwest which is
 part of an 8-IP address block. That IP is the gateway and the others
 are for my use. So I am trying to assign them to devices on my local
 net.

 I set up mine in virtual IP, and created a NAT rule with the option
 selected to also create an associated firewall rule.

 I can surf out to the internet just fine but I can not access the device
 through the IP I designated, from the outside going in.

 I don't know about you, but I am using pfSense 1.01 and no extra
 services like Squid. One person suggested that Squid was installed and
 was blocking the entrance from the outside. But that was not the case
 because it is not installed.

 So I am in the same boat you are.


 James Kusler, Information Technology Manager
 PHONE| 509.624.1613 or 800.822.4456 FAX| 509.624.1604
 [EMAIL PROTECTED] | www.sound-tele.com | www.solaxis.com
 -Original Message-
 From: Ryan Rodrigue [mailto:[EMAIL PROTECTED]
 Sent: Wednesday, December 26, 2007 9:19 AM
 To: support@pfsense.com
 Subject: [pfSense Support] Virtual Ips

 I have a stupid question.. I am trying to set up 2 servers with a separate
 external IP addresses. My wan IP is x.x.x.74 I want to use x.x.x.73 for
 server 1 and x.x.x.72 for server 2. Server 1 is 192.168.1.10 and server 2
 is 192.168.1.11. I think i have to set this up in 1:1 nat, Firewall rules,
 and also in Virtual IPs. Is there anywhere else i need to set this up, It
 doesn't seem to be working. Maybe I have this way off or something else.
 Thanks for your help.



RE: [pfSense Support] Virtual Ips

2007-12-26 Thread James Kusler
I am using CARP.   Originally I used 'other'.  Also, when I define the
public IP should I use the /29 subnet mask for that address from Qwest,
or should I just use /32 since it is a single IP address?
 
The dialogues in the web GUI suggest that if you use a single IP you use
the /32 snm.
 
James Kusler, Information Technology Manager - Sound Telecom
PHONE| 509.624.1613 or 800.822.4456  FAX| 509.624.1604
[EMAIL PROTECTED] | www.sound-tele.com | www.solaxis.com


From: Curtis LaMasters [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, December 26, 2007 10:00 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Virtual Ips
 
Under Virtual IP's are you using Carp, Proxy Arp, or IP?  If you want to
use 1:1 NAT, go ahead and do so for that specific IP address, then under
the firewall rules add in a rule to match the traffic you would like to
permit. It should be that simple.  Additionally, the IP's 73 and 72 are
within your given range correct?  Are you using the correct subnet mask?


Curtis 


RE: [pfSense Support] Virtual Ips

2007-12-26 Thread James Kusler
I will be upgrading, that's for sure.  I have everything else set.
Also, in the virtual IP section, I did not have the choice of selecting
'IP'.
 
It gave the choices 'CARP', 'Web Proxy', and 'Other'.  So if that has
changed in the newer version that may help.
 
Thanks for all the help and info, and I will let you all know what
happens.
 
James Kusler, Information Technology Manager - Sound Telecom
PHONE| 509.624.1613 or 800.822.4456  FAX| 509.624.1604
[EMAIL PROTECTED] | www.sound-tele.com | www.solaxis.com


From: Curtis LaMasters [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, December 26, 2007 10:00 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Virtual Ips
 
Under Virtual IP's are you using Carp, Proxy Arp, or IP?  If you want to
use 1:1 NAT, go ahead and do so for that specific IP address, then under
the firewall rules add in a rule to match the traffic you would like to
permit. It should be that simple.  Additionally, the IP's 73 and 72 are
within your given range correct?  Are you using the correct subnet mask?


Curtis 


RE: [pfSense Support] Virtual Ips

2007-12-26 Thread Tim Dickson
What are the rules you are using on the WAN for traffic.

Keep in mind when you are defining the destination address it should be the
PRIVATE IP not the PUBLIC one

If you are getting the correct address on whatismyip then the NAT mapping is
fine. it is firewall rules that are messing you up.

-Tim

 

From: Ryan Rodrigue [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, December 26, 2007 10:27 AM
To: support@pfsense.com
Subject: RE: [pfSense Support] Virtual Ips

 

I have it setup as Proxy ARP

 

I went to 1:1 NAT and firewall rules and specified the 73 and 72 as two
separate entries using the /32 subnet mask

 

on the WAN interface it is setup as x.x.x.74  /29

 

I setup a wan rule to allow anything with the destination 192.168.1.10 and
same for 192.168.1.100

 

I can still not get anything to work.  I am getting the correct IP address
if i go to whatismyip.com, but when i try to hit the webserver ip from my
phone (separate network altogether)  it doesn't work.  I thought this was
going to be fairly simple. lol

-Original Message-
From: Curtis LaMasters [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 26, 2007 12:00 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Virtual Ips

Under Virtual IP's are you using Carp, Proxy Arp, or IP?  If you want to use
1:1 NAT, go ahead and do so for that specific IP address, then under the
firewall rules add in a rule to match the traffic you would like to permit.
It should be that simple.  Additionally, the IP's 73 and 72 are within your
given range correct?  Are you using the correct subnet mask? 

Curtis 



RE: [pfSense Support] Virtual Ips

2007-12-26 Thread Ryan Rodrigue
I have it setup as Proxy ARP

I went to 1:1 NAT and firewall rules and specified the 73 and 72 as two
separate entries using the /32 subnet mask

on the WAN interface it is setup as x.x.x.74  /29

I setup a wan rule to allow anything with the destination 192.168.1.10 and
same for 192.168.1.100

I can still not get anything to work.  I am getting the correct IP address
if i go to whatismyip.com, but when i try to hit the webserver ip from my
phone (separate network altogether)  it doesn't work.  I thought this was
going to be fairly simple. lol

-Original Message-
From: Curtis LaMasters [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 26, 2007 12:00 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Virtual Ips


Under Virtual IP's are you using Carp, Proxy Arp, or IP?  If you want to use
1:1 NAT, go ahead and do so for that specific IP address, then under the
firewall rules add in a rule to match the traffic you would like to permit.
It should be that simple.  Additionally, the IP's 73 and 72 are within your
given range correct?  Are you using the correct subnet mask?

Curtis
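
A check for the two questions raised in this thread (are .72 and .73 usable inside the WAN /29, and do the WAN rules point at the private NAT targets), added here as an example and not posted by any list member. The 203.0.113. prefix is a constructed stand-in for the masked x.x.x, and check_virtual_ip / check_plan are hypothetical helper names.

```python
import ipaddress

# Constructed sample: the thread masks the public prefix as x.x.x, so the
# documentation range 203.0.113.0/24 stands in for it. The last octets, the
# /29 mask and the private addresses are the ones posted in the thread.
WAN_CIDR = "203.0.113.74/29"
NAT_MAP = {  # public virtual IP -> private server (1:1 NAT)
    "203.0.113.73": "192.168.1.10",
    "203.0.113.72": "192.168.1.11",
}
WAN_RULE_DESTS = ["192.168.1.10", "192.168.1.100"]  # WAN pass-rule destinations


def check_virtual_ip(wan_cidr, vip, gateway=None):
    """Return a list of reasons why `vip` cannot serve as a virtual IP."""
    iface = ipaddress.ip_interface(wan_cidr)
    net = iface.network
    addr = ipaddress.ip_address(vip)
    if addr not in net:
        return [f"{addr} is outside the WAN subnet {net}"]
    problems = []
    # /31 and /32 have no separate network/broadcast addresses to avoid.
    if net.prefixlen < 31:
        if addr == net.network_address:
            problems.append(f"{addr} is the network address of {net}")
        if addr == net.broadcast_address:
            problems.append(f"{addr} is the broadcast address of {net}")
    if addr == iface.ip:
        problems.append(f"{addr} is already the WAN interface address")
    if gateway is not None and addr == ipaddress.ip_address(gateway):
        problems.append(f"{addr} is the ISP gateway")
    return problems


def check_plan(wan_cidr, nat_map, wan_rule_dests, gateway=None):
    """Cross-check virtual IPs, 1:1 NAT targets and WAN rule destinations."""
    findings = []
    for vip in nat_map:
        findings.extend(check_virtual_ip(wan_cidr, vip, gateway))

    publics = {ipaddress.ip_address(v) for v in nat_map}
    privates = {ipaddress.ip_address(p) for p in nat_map.values()}
    dests = [ipaddress.ip_address(d) for d in wan_rule_dests]

    for dest in dests:
        if dest in publics:
            # The rule has to name the private address, as advised in the thread.
            findings.append(
                f"WAN rule destination {dest} is the public address; "
                "use the private NAT target"
            )
        elif dest not in privates:
            findings.append(f"WAN rule destination {dest} is not a 1:1 NAT target")

    for private in sorted(privates - set(dests)):
        findings.append(f"no WAN rule passes traffic to NAT target {private}")
    return findings


if __name__ == "__main__":
    for finding in check_plan(WAN_CIDR, NAT_MAP, WAN_RULE_DESTS):
        print(finding)
```

With the values as posted, the check flags .72 as the network address of the /29 and the 192.168.1.100 rule as matching neither NAT target.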



RE: [pfSense Support] Virtual Ips

2007-12-26 Thread Ryan Rodrigue
Sorry.  I forgot to let you know.  I do have the correct IP address assigned
by my isp.  To answer your other question,  the
wan rule is pass protocol:any port:any source:any  destination:192.168.1.10
gateway:default
this rule is at the top of the list. (first processed)
I figured I'd go for simple and then block what I don't need after.

-Original Message-
From: Tim Dickson [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 26, 2007 12:19 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] Virtual Ips



What are the rules you are using on the WAN for traffic.

Keep in mind when you are defining the destination address it should be the
PRIVATE IP not the PUBLIC one

If you are getting the correct address on whatismyip then the NAT mapping is
fine. it is firewall rules that are messing you up.

-Tim



From: Ryan Rodrigue [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 26, 2007 10:27 AM
To: support@pfsense.com
Subject: RE: [pfSense Support] Virtual Ips



I have it setup as Proxy ARP



I went to 1:1 NAT and firewall rules and specified the 73 and 72 as two
separate entries using the /32 subnet mask



on the WAN interface it is setup as x.x.x.74  /29



I setup a wan rule to allow anything with the destination 192.168.1.10 and
same for 192.168.1.100



I can still not get anything to work.  I am getting the correct IP address
if i go to whatismyip.com, but when i try to hit the webserver ip from my
phone (separate network altogether)  it doesn't work.  I thought this was
going to be fairly simple. lol

-Original Message-
From: Curtis LaMasters [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 26, 2007 12:00 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Virtual Ips

Under Virtual IP's are you using Carp, Proxy Arp, or IP?  If you want to use
1:1 NAT, go ahead and do so for that specific IP address, then under the
firewall rules add in a rule to match the traffic you would like to permit.
It should be that simple.  Additionally, the IP's 73 and 72 are within your
given range correct?  Are you using the correct subnet mask?

Curtis







Re: [pfSense Support] Virtual Ips

2007-12-26 Thread Bill Marquette
On Dec 26, 2007 12:13 PM, James Kusler [EMAIL PROTECTED] wrote:
> It gave the choices 'CARP', 'Web Proxy', and 'Other'.  So if that has
> changed in the newer version that may help.

If it truly says Web Proxy, you didn't get an official release from
us!  It should read, CARP, Proxy ARP, and Other.

I've explained the differences before, but I'll do it again here.

CARP is primarily used for high availability when you have multiple
firewalls in a cluster.  With that said I recommend it over proxy arp
as if you ever go to a cluster config you'll have to convert anyway.

Proxy ARP is primarily for when you have a single firewall and
multiple addresses that need to be NAT'd through it.

Other is for when you have a subnet routed to your firewall - ie.
not the same subnet the firewall is on usually (although with PPPoE it
may be).  The IPs are always seen at your firewall and you just need
pfSense to recognize that it should allow you to do something with
them.

--Bill




RE: [pfSense Support] Virtual Ips

2007-12-26 Thread James Kusler
Okay, it does Proxy ARP.  My error.  I have multiple addresses I need to
NAT through this.

It is a block of 8 IPs from Qwest and I can use 5 for me and one is the
gateway.  The others are the network and the b-cast as usual.

I have tried CARP and before that 'Other'.

I only have the one pfSense firewall.

James Kusler, Information Technology Manager 
PHONE| 509.624.1613 or 800.822.4456  FAX| 509.624.1604
[EMAIL PROTECTED] | www.sound-tele.com | www.solaxis.com 

-Original Message-
From: Bill Marquette [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, December 26, 2007 11:19 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Virtual Ips

On Dec 26, 2007 12:13 PM, James Kusler [EMAIL PROTECTED] wrote:
> It gave the choices 'CARP', 'Web Proxy', and 'Other'.  So if that has
> changed in the newer version that may help.

If it truly says Web Proxy, you didn't get an official release from
us!  It should read, CARP, Proxy ARP, and Other.

I've explained the differences before, but I'll do it again here.

CARP is primarily used for high availability when you have multiple
firewalls in a cluster.  With that said I recommend it over proxy arp
as if you ever go to a cluster config you'll have to convert anyway.

Proxy ARP is primarily for when you have a single firewall and
multiple addresses that need to be NAT'd through it.

Other is for when you have a subnet routed to your firewall - ie.
not the same subnet the firewall is on usually (although with PPPoE it
may be).  The IPs are always seen at your firewall and you just need
pfSense to recognize that it should allow you to do something with
them.

--Bill




RE: [pfSense Support] Virtual Ips

2007-12-26 Thread Tim Dickson
And in your firewall logs do you have show blocked by default rule?

If so check the logs and see if you can find anything stopping it.

 

Also check out your states you can watch active connections by throwing
192.168.1.10 in your filter.

If you see connections coming through on those states it may be a
misconfiguration on the server itself.

-Tim

 

From: Ryan Rodrigue [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, December 26, 2007 11:05 AM
To: support@pfsense.com
Subject: RE: [pfSense Support] Virtual Ips

 

Sorry.  I forgot to let you know.  I do have the correct IP address assigned
by my isp.  To answer your other question,  the 

wan rule is pass protocol:any port:any source:any  destination:192.168.1.10
gateway:default

this rule is at the top of the list. (first processed)

I figured I'd go for simple and then block what I don't need after.

-Original Message-
From: Tim Dickson [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 26, 2007 12:19 PM
To: support@pfsense.com
Subject: RE: [pfSense Support] Virtual Ips

What are the rules you are using on the WAN for traffic.

Keep in mind when you are defining the destination address it should be the
PRIVATE IP not the PUBLIC one

If you are getting the correct address on whatismyip then the NAT mapping is
fine. it is firewall rules that are messing you up.

-Tim

 

From: Ryan Rodrigue [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, December 26, 2007 10:27 AM
To: support@pfsense.com
Subject: RE: [pfSense Support] Virtual Ips

 

I have it setup as Proxy ARP

 

I went to 1:1 NAT and firewall rules and specified the 73 and 72 as two
separate entries using the /32 subnet mask

 

on the WAN interface it is setup as x.x.x.74  /29

 

I setup a wan rule to allow anything with the destination 192.168.1.10 and
same for 192.168.1.100

 

I can still not get anything to work.  I am getting the correct IP address
if i go to whatismyip.com, but when i try to hit the webserver ip from my
phone (separate network altogether)  it doesn't work.  I thought this was
going to be fairly simple. lol

-Original Message-
From: Curtis LaMasters [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 26, 2007 12:00 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Virtual Ips

Under Virtual IP's are you using Carp, Proxy Arp, or IP?  If you want to use
1:1 NAT, go ahead and do so for that specific IP address, then under the
firewall rules add in a rule to match the traffic you would like to permit.
It should be that simple.  Additionally, the IP's 73 and 72 are within your
given range correct?  Are you using the correct subnet mask? 

Curtis 






RE: [pfSense Support] Virtual Ips

2007-12-26 Thread James Kusler
Same as before.  I cannot access through my firewall/NAT rules.  This
time I used Proxy ARP when setting up virtual IP's.

James Kusler, Information Technology Manager 
PHONE| 509.624.1613 or 800.822.4456  FAX| 509.624.1604
[EMAIL PROTECTED] | www.sound-tele.com | www.solaxis.com 

-Original Message-
From: James Kusler 
Sent: Wednesday, December 26, 2007 11:32 AM
To: support@pfsense.com
Subject: RE: [pfSense Support] Virtual Ips

I have just installed to hard drive the latest version (1.2-RC3).

So I am starting with a fresh system.  We'll see what happens.

Again, thanks to everyone for the continuing comments, information,
advice and assistance.

I will keep you posted on what happens.

James Kusler, Information Technology Manager 
PHONE| 509.624.1613 or 800.822.4456  FAX| 509.624.1604
[EMAIL PROTECTED] | www.sound-tele.com | www.solaxis.com 

-Original Message-
From: Bill Marquette [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, December 26, 2007 11:19 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Virtual Ips

On Dec 26, 2007 12:13 PM, James Kusler [EMAIL PROTECTED] wrote:
> It gave the choices 'CARP', 'Web Proxy', and 'Other'.  So if that has
> changed in the newer version that may help.

If it truly says Web Proxy, you didn't get an official release from
us!  It should read, CARP, Proxy ARP, and Other.

I've explained the differences before, but I'll do it again here.

CARP is primarily used for high availability when you have multiple
firewalls in a cluster.  With that said I recommend it over proxy arp
as if you ever go to a cluster config you'll have to convert anyway.

Proxy ARP is primarily for when you have a single firewall and
multiple addresses that need to be NAT'd through it.

Other is for when you have a subnet routed to your firewall - ie.
not the same subnet the firewall is on usually (although with PPPoE it
may be).  The IPs are always seen at your firewall and you just need
pfSense to recognize that it should allow you to do something with
them.

--Bill




RE: [pfSense Support] Virtual Ips

2007-12-26 Thread James Kusler
I have just installed to hard drive the latest version (1.2-RC3).

So I am starting with a fresh system.  We'll see what happens.

Again, thanks to everyone for the continuing comments, information,
advice and assistance.

I will keep you posted on what happens.

James Kusler, Information Technology Manager 
PHONE| 509.624.1613 or 800.822.4456  FAX| 509.624.1604
[EMAIL PROTECTED] | www.sound-tele.com | www.solaxis.com 

-Original Message-
From: Bill Marquette [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, December 26, 2007 11:19 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Virtual Ips

On Dec 26, 2007 12:13 PM, James Kusler [EMAIL PROTECTED] wrote:
> It gave the choices 'CARP', 'Web Proxy', and 'Other'.  So if that has
> changed in the newer version that may help.

If it truly says Web Proxy, you didn't get an official release from
us!  It should read, CARP, Proxy ARP, and Other.

I've explained the differences before, but I'll do it again here.

CARP is primarily used for high availability when you have multiple
firewalls in a cluster.  With that said I recommend it over proxy arp
as if you ever go to a cluster config you'll have to convert anyway.

Proxy ARP is primarily for when you have a single firewall and
multiple addresses that need to be NAT'd through it.

Other is for when you have a subnet routed to your firewall - ie.
not the same subnet the firewall is on usually (although with PPPoE it
may be).  The IPs are always seen at your firewall and you just need
pfSense to recognize that it should allow you to do something with
them.

--Bill




RE: [pfSense Support] Virtual Ips

2007-12-26 Thread James Kusler
Also, so everyone knows, there are two ways to set up this connection
using a separate firewall.

I can either put the modem on PPPoA and then put the firewall inside of
the modem with static IPs (WAN on external IP addr. and LAN on my
internal net)

Or I can bridge the modem and connect using the firewall on PPPoE.

I have done both and they both work as far as pinging the IPs and going
through it from inside to outside on the Internet.

Each time I try to come in from the outside through my designated
rules/ports/address I get denied.

Could it be because I am not using Proxy ARP?

James Kusler, Information Technology Manager 
PHONE| 509.624.1613 or 800.822.4456  FAX| 509.624.1604
[EMAIL PROTECTED] | www.sound-tele.com | www.solaxis.com 

-Original Message-
From: Bill Marquette [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, December 26, 2007 11:19 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] Virtual Ips

On Dec 26, 2007 12:13 PM, James Kusler [EMAIL PROTECTED] wrote:
> It gave the choices 'CARP', 'Web Proxy', and 'Other'.  So if that has
> changed in the newer version that may help.

If it truly says Web Proxy, you didn't get an official release from
us!  It should read, CARP, Proxy ARP, and Other.

I've explained the differences before, but I'll do it again here.

CARP is primarily used for high availability when you have multiple
firewalls in a cluster.  With that said I recommend it over proxy arp
as if you ever go to a cluster config you'll have to convert anyway.

Proxy ARP is primarily for when you have a single firewall and
multiple addresses that need to be NAT'd through it.

Other is for when you have a subnet routed to your firewall - ie.
not the same subnet the firewall is on usually (although with PPPoE it
may be).  The IPs are always seen at your firewall and you just need
pfSense to recognize that it should allow you to do something with
them.

--Bill




Re: [pfSense Support] Virtual Ips

2007-12-26 Thread Bill Marquette
On Dec 26, 2007 1:30 PM, James Kusler [EMAIL PROTECTED] wrote:
> Or I can bridge the modem and connect using the firewall on PPPoE.

With PPPoE and pfSense terminating the connection, 'other' is the
option you want for virtual IPs.

--Bill




RE: [pfSense Support] Virtual Ips

2007-12-26 Thread James Kusler
So do you suggest I use PPPoE at the pfSense firewall and just bridge
the modem?  Right now I have the modem dialed to the account(DSL) for
PPPoA and the modem is carrying a static gateway IP on its outside port
and the inside port is a static IP from the block of IPs I am allowed.
Then on the WAN port of pfSense is another user IP from the -block.
 
 
 
James Kusler, Information Technology Manager 
PHONE| 509.624.1613 or 800.822.4456  FAX| 509.624.1604
[EMAIL PROTECTED] | www.sound-tele.com | www.solaxis.com 
 
-Original Message-
From: Bill Marquette [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, December 26, 2007 12:50 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] Virtual Ips
 
On Dec 26, 2007 1:30 PM, James Kusler [EMAIL PROTECTED] wrote:
> Or I can bridge the modem and connect using the firewall on PPPoE.
 
With PPPoE and pfSense terminating the connection, 'other' is the
option you want for virtual IPs.
 
--Bill
 
 


Re: [pfSense Support] Virtual Ips

2007-12-26 Thread Curtis LaMasters
If possible the modem should be nothing more than a delivery mechanism for
network transport.  No IP address, no routing, no configuration really.

Curtis


Re: [pfSense Support] Virtual IPs

2005-10-29 Thread Chris Buechler

Nate Davis wrote:


> Howdy,
>
> pfSense has been a solid firewall for home use, and now I am
> implementing it as a firewall at work.  I have run into a snag, and
> not really sure what the problem is. I am running 89.2
>
> Here is my Setup:
>
> WAN (ATT-T1): 12.165.119.195
> LAN: 192.168.40.1
>
> I can use NAT, and Port Forwarding.  They work great and all is well
> when I only have one WAN IP.  No Problems.  So, my problems comes
> when I do Virtual IPs.  I would like to add a second IP.  I add a
> Virtual IP of 12.165.119.196 (Proxy ARP), and set my NAT rules up
> using this Virtual IP.  I am unable to connect at all to this Virtual
> IP.  I have restarted the Box, and everything.  I can Ping
> 12.165.119.195, but can't ping my 196 address.  So, it seems that the
> Virtual IPs are not binding to that NIC card or something like that.



you can't ping virtual IP's, because they don't get bound to any NIC.  
Unless you do 1:1 NAT and permit ICMP to the private IP, in which case 
they are pingable. 


what kind of NAT are you attempting on that virtual IP?






Re: [pfSense Support] Virtual IPs

2005-10-29 Thread Nate Davis

Chris,

Thanks for the clarification.  I will be doing a 1:1 Nat for the Mail 
Server for sure.  That seems like the best route for the Mail Server. 

I guess you would call it Standard NAT (TCP).  Not sure exactly what you 
are asking specifically.  Let me see if this example helps. 

WAN IP:  12.165.119.195  Port 80 forwards to 192.168.40.5 --  Tested and 
works Great
Virtual IP:  12.165.119.196  Port 80 forwards to 192.168.40.6 -- Can't 
connect to Port 80 at all.


Nothing shows in the Logs that it was denied or anything.  Maybe I just 
don't understand NAT / Firewalls as well as I had thought!  lol  I
have verified the Firewall Rules, and they are allowing such traffic (I
checked the box at the bottom of the NAT screen to auto add it to the
firewall).  Again, I am using Proxy ARP (not sure if I should use Other) 
for the Virtual IP.


Any help would be appreciated. 


Thanks so much,
Nate



Chris Buechler wrote:

you can't ping virtual IP's, because they don't get bound to any NIC.  
Unless you do 1:1 NAT and permit ICMP to the private IP, in which case 
they are pingable.

what kind of NAT are you attempting on that virtual IP?


Nate Davis wrote:


Howdy,

pfSense has been a solid firewall for home use, and now I am  
implementing it as a firewall at work.  I have run into a snag, and  
not really sure what the problem is. I am running 89.2


Here is my Setup:

WAN (ATT-T1): 12.165.119.195
LAN: 192.168.40.1

I can use NAT, and Port Forwarding.  They work great and all is well  
when I only have one WAN IP.  No Problems.  So, my problems comes  
when I do Virtual IPs.  I would like to add a second IP.  I add a  
Virtual IP of 12.165.119.196 (Proxy ARP), and set my NAT rules up  
using this Virtual IP.  I am unable to connect at all to this 
Virtual  IP.  I have restarted the Box, and everything.  I can Ping  
12.165.119.195, but can't ping my 196 address.  So, it seems that 
the  Virtual IPs are not binding to that NIC card or something like
that.   










Re: [pfSense Support] Virtual IPs (FTP)

2005-10-29 Thread Nate Davis
Howdy,

OK, I figured out the problem I was having...  Turns out that for FTP,
which is what I was trying to Port Forward with, there is a userland
FTP-Proxy that is turned on by default.  This was causing the Incoming FTP
Connections to hang and timeout.  I turned this off in the Advanced Page,
and all is well with these virtual IPs.  Man, that was so strange.  Scott,
can we turn that feature off by default, and then those that want it can
turn it on?  That might save a few of us some headaches in the future. Let
me know.

Thanks,
Nate


 Chris,

 Thanks for the clarification.  I will be doing a 1:1 Nat for the Mail
 Server for sure.  That seems like the best route for the Mail Server.

 I guess you would call it Standard NAT (TCP).  Not sure exactly what you
 are asking specifically.  Let me see if this example helps.

 WAN IP:  12.165.119.195  Port 80 forwards to 192.168.40.5 --  Tested and
 works Great
 Virtual IP:  12.165.119.196  Port 80 forwards to 192.168.40.6 -- Can't
 connect to Port 80 at all.

 Nothing shows in the Logs that it was denied or anything.  Maybe I just
 don't understand NAT / Firewalls as well as I had thought!  lol  I
 have verified the Firewall Rules, and they are allowing such traffic (I
 checked the box at the bottom of the NAT screen to auto add it to the
 firewall).  Again, I am using Proxy ARP (not sure if I should use Other)
 for the Virtual IP.

 Any help would be appreciated.

 Thanks so much,
 Nate



 Chris Buechler wrote:

 you can't ping virtual IP's, because they don't get bound to any NIC.
 Unless you do 1:1 NAT and permit ICMP to the private IP, in which case
 they are pingable.
 what kind of NAT are you attempting on that virtual IP?

 Nate Davis wrote:

 Howdy,

 pfSense has been a solid firewall for home use, and now I am
 implementing it as a firewall at work.  I have run into a snag, and
 not really sure what the problem is. I am running 89.2

 Here is my Setup:

 WAN (ATT-T1): 12.165.119.195
 LAN: 192.168.40.1

 I can use NAT, and Port Forwarding.  They work great and all is well
 when I only have one WAN IP.  No Problems.  So, my problem comes
 when I do Virtual IPs.  I would like to add a second IP.  I add a
 Virtual IP of 12.165.119.196 (Proxy ARP), and set my NAT rules up
 using this Virtual IP.  I am unable to connect at all to this
 Virtual  IP.  I have restarted the Box, and everything.  I can Ping
 12.165.119.195, but can't ping my 196 address.  So, it seems that
 the  Virtual IPs are not binding to that NIC card or something like
 that.













Re: [pfSense Support] Virtual IPs (FTP)

2005-10-29 Thread Bill Marquette
On 10/29/05, Nate Davis [EMAIL PROTECTED] wrote:
 Howdy,

 OK, I figured out the problem I was having...  Turns out that for FTP,
 which is what I was trying to Port Forward with, there is a userland
 FTP-Proxy that is turned on by default.  This was causing the Incoming FTP
 Connections to hang and timeout.  I turned this off in the Advanced Page,
 and all is well with these virtual IPs.  Man, that was so strange.  Scott,
 can we turn that feature off by default, and then those that want it can
 turn it on?  That might save a few of us some headaches in the future. Let
 me know.

The flip side of this is that we'll start getting tickets for people
that want to know why their FTP doesn't work.

--Bill




Re: [pfSense Support] Virtual IPs (FTP)

2005-10-29 Thread Nate Davis
 On 10/29/05, Nate Davis [EMAIL PROTECTED] wrote:
 Howdy,

 OK, I figured out the problem I was having...  Turns out that for FTP,
 which is what I was trying to Port Forward with, there is a userland
 FTP-Proxy that is turned on by default.  This was causing the Incoming FTP
 Connections to hang and timeout.  I turned this off in the Advanced Page,
 and all is well with these virtual IPs.  Man, that was so strange.  Scott,
 can we turn that feature off by default, and then those that want it can
 turn it on?  That might save a few of us some headaches in the future. Let
 me know.

 The flip side of this is that we'll start getting tickets for people
 that want to know why their FTP doesn't work.

 --Bill

If that is the Case, then all is fine how it is.  More people make
outgoing connections via FTP, than do incoming FTP connections... :)  No
need to fill up the support list more than we have to.

Thanks for the insight.
Nate






Re: [pfSense Support] Virtual IPs not working

2005-08-23 Thread Bill Marquette
Bastian Schern, you probably already know this, but your email is busted.

--Bill

On 8/22/05, Mail Delivery System [EMAIL PROTECTED] wrote:
 This is the Postfix program at host server19.greatnet.de.
 
 I'm sorry to have to inform you that your message could not be
 be delivered to one or more recipients. It's attached below.
 
 For further assistance, please send mail to postmaster
 
 If you do so, please include this problem report. You can
 delete your own text from the attached returned message.
 
 The Postfix program
 
 [EMAIL PROTECTED] (expanded from [EMAIL PROTECTED]): delivery
 temporarily suspended: connect to kundt.homeip.net[213.191.40.68]:
 Connection timed out
 
 
 Final-Recipient: rfc822; [EMAIL PROTECTED]
 Original-Recipient: rfc822; [EMAIL PROTECTED]
 Action: failed
 Status: 4.0.0
 Diagnostic-Code: X-Postfix; delivery temporarily suspended: connect to
 kundt.homeip.net[213.191.40.68]: Connection timed out
 
 
 
 -- Forwarded message --
 From: Bill Marquette [EMAIL PROTECTED]
 To: Bastian Schern [EMAIL PROTECTED]
 Date: Mon, 22 Aug 2005 18:18:24 -0500
 Subject: Re: [pfSense Support] Virtual IPs not working
 On 8/22/05, Bastian Schern [EMAIL PROTECTED] wrote:
  Okay I believe you, but what can I do to solve my Problem with my three
  LAN subnets: 192.168.0.0/24 (main), 192.168.3.0/24 and 192.168.101.0/24.
  All of them are located on the same physical interface and in this
  moment it is not possible to join the subnets.
  Is there a way to handle that configuration?
 
 If ping is a big issue (I can understand), use CARP instead of ProxyARP.
 
 --Bill
 
 





Re: [pfSense Support] Virtual IPs not working

2005-08-22 Thread Scott Ullrich
You cannot ping proxy-arp'd IPs unless there is a 1:1 NAT set up.

Is this how you're forwarding or using port forward?

Scott


On 8/22/05, Bastian Schern [EMAIL PROTECTED] wrote:
 Hi,
 
 I'm using pfSense Version 0.79.2 and my Virtual IPs are not functional.
 
 --- snip ---
 <virtualip>
   <vip>
     <mode>proxyarp</mode>
     <interface>wan</interface>
     <descr>WAN Subnet</descr>
     <type>network</type>
     <subnet_bits>28</subnet_bits>
     <subnet>213.191.xxx.xxx</subnet>
   </vip>
   <vip>
     <mode>proxyarp</mode>
     <interface>lan</interface>
     <descr>Private LAN</descr>
     <type>single</type>
     <subnet_bits>32</subnet_bits>
     <subnet>192.168.3.1</subnet>
   </vip>
   <vip>
     <mode>proxyarp</mode>
     <interface>lan</interface>
     <descr>AH-P LAN</descr>
     <type>single</type>
     <subnet_bits>32</subnet_bits>
     <subnet>192.168.101.1</subnet>
   </vip>
 </virtualip>
 --- snap ---
 
 It's not possible to ping any Virtual Interface. Most important thing is
 to get the external IPs back to work. Because all of them should be
 forwarded to Webserver, Mailserver, ...
 
 Regards
 Bastian
 



Re: [pfSense Support] Virtual IPs not working

2005-08-22 Thread Bill Marquette
On 8/22/05, Bastian Schern [EMAIL PROTECTED] wrote:
 Hi,
SNIP
 I'm using pfSense Version 0.79.2 and my Virtual IPs are not functional.
 It's not possible to ping any Virtual Interface. Most important thing is
 to get the external IPs back to work. Because all of them should be
 forwarded to Webserver, Mailserver, ...

Expected behaviour.  ProxyARP doesn't create another IP address on the
firewall, it just replies to the upstream router with an arp reply
when queried for that IP.

As has been suggested, do a 1:1 NAT, or Port Forward the ICMP to the
appropriate server (rules permitting).  Alternately, use CARP - it'll
create an interface with that IP so the firewall will respond (rules
permitting).

--Bill
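
[Added example, not part of the original thread and not pfSense code.] The rule stated in the replies above (a Proxy ARP virtual IP only answers ARP, 1:1 NAT hands the address to an internal host, CARP makes the firewall itself answer) applied to a `<virtualip>` section in the layout quoted in this thread. The sample config, the `carp` mode string, and the `one_to_one_externals` input are assumptions made for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the <virtualip> layout quoted in this thread.
# 203.0.113.0/24 is a documentation range; the "carp" mode value is an assumption.
SAMPLE = """
<virtualip>
  <vip><mode>proxyarp</mode><interface>wan</interface><descr>WAN Subnet</descr>
       <type>network</type><subnet_bits>28</subnet_bits><subnet>203.0.113.0</subnet></vip>
  <vip><mode>proxyarp</mode><interface>lan</interface><descr>Private LAN</descr>
       <type>single</type><subnet_bits>32</subnet_bits><subnet>192.168.3.1</subnet></vip>
  <vip><mode>carp</mode><interface>wan</interface><descr>Mail</descr>
       <type>single</type><subnet_bits>32</subnet_bits><subnet>203.0.113.20</subnet></vip>
</virtualip>
"""

def audit_vips(xml_text, one_to_one_externals):
    """Classify each VIP by what would answer traffic sent to it.

    one_to_one_externals: external addresses that have a 1:1 NAT entry
    (hypothetical input; extract them from your own config however you like).
    """
    nat = {ipaddress.ip_address(a) for a in one_to_one_externals}
    report = []
    for vip in ET.fromstring(xml_text).iter("vip"):
        mode = vip.findtext("mode", "").strip()
        net = ipaddress.ip_network(
            f"{vip.findtext('subnet').strip()}/{vip.findtext('subnet_bits').strip()}",
            strict=False)
        mapped = sorted(a for a in nat if a in net)
        if mode == "carp":
            # CARP binds the address to the firewall, so the firewall answers
            # and the rules on that interface decide what is exposed.
            verdict = "firewall answers (rules permitting)"
        elif mapped:
            # Proxy ARP plus 1:1 NAT: the internal host answers, if rules allow.
            verdict = "internal host answers for " + ", ".join(map(str, mapped))
        else:
            # Proxy ARP alone only answers ARP queries from the upstream router.
            verdict = "ARP reply only: not pingable without 1:1 NAT or an ICMP forward"
        report.append((vip.findtext("descr", "").strip(), str(net), mode, verdict))
    return report

if __name__ == "__main__":
    for row in audit_vips(SAMPLE, ["203.0.113.5"]):
        print(" | ".join(row))
```

The CARP rows are the ones to review against the firewall's own listening services, since those addresses are bound to the firewall itself.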




Re: [pfSense Support] Virtual IPs not working

2005-08-22 Thread Bastian Schern

Chris Buechler wrote:
[...]

It looks like the virtual IPs are not existing. If I try to ping e.g.
192.168.3.1 I get Destination Host Unreachable.



From the firewall itself?  I don't think that'll work (due to loopback
issues).  If traffic passes in and out just fine, as intended, then
you're set.



With ping directly from the Firewall itself I got a response like that:
--- snip ---
# ping -c 5 192.168.3.1
PING 192.168.3.1 (192.168.3.1): 56 data bytes
64 bytes from 192.168.3.1: icmp_seq=0 ttl=253 time=69.730 ms
64 bytes from 192.168.3.1: icmp_seq=1 ttl=253 time=124.443 ms
64 bytes from 192.168.3.1: icmp_seq=2 ttl=253 time=67.473 ms
64 bytes from 192.168.3.1: icmp_seq=3 ttl=253 time=170.599 ms
64 bytes from 192.168.3.1: icmp_seq=4 ttl=253 time=144.830 ms

--- 192.168.3.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 67.473/115.415/170.599/40.933 ms
--- snap ---

The response is definitely not from the FW. With traceroute I can 
trace this response back to a host inside the LAN of my ISP. :-(



From a host inside my LAN I got this response:
--- snip ---
[EMAIL PROTECTED]:~ ping -c 5 192.168.3.1
PING 192.168.3.1 (192.168.3.1) 56(84) bytes of data.
From 192.168.3.2: icmp_seq=2 Destination Host Unreachable
From 192.168.3.2 icmp_seq=2 Destination Host Unreachable
From 192.168.3.2 icmp_seq=3 Destination Host Unreachable
From 192.168.3.2 icmp_seq=4 Destination Host Unreachable
From 192.168.3.2 icmp_seq=5 Destination Host Unreachable

--- 192.168.3.1 ping statistics ---
5 packets transmitted, 0 received, +5 errors, 100% packet loss, time 
4000ms, pipe 3

--- snap ---

192.168.3.2 is the IP of my LAN Host.



But if I try to set up the virtual IP manually I get this:

# ifconfig rl1 inet 192.168.3.1 netmask 255.255.255.0 alias



That's not how virtual IP's work.  There are no aliases, it's all
proxy ARP'ed in some fashion and handled that way.  When you bind IP's
to the box like that, the services running on it also tend to want to
bind to those IP's, and the whole thing becomes a big mess (not to
mention potentially opening up more access to your firewall than you
intend).



Okay I believe you, but what can I do to solve my Problem with my three 
LAN subnets: 192.168.0.0/24 (main), 192.168.3.0/24 and 192.168.101.0/24.
All of them are located on the same physical interface and in this 
moment it is not possible to join the subnets.

Is there a way to handle that configuration?

Regards
Bastian
