Hi Steve,
On 24.05.2011 at 13:20, Steve Haavik wrote:

>> I'm currently failing in reaching any of the VMs via their interfaces
>> connected to the 1.2.3.128/25. I've configured firewall rules to allow ICMP
>> echo requests as well as TCP ports 80 and 443 for destinations in that
>> subnet on the WAN interface. I can see that traffic is blocked when I
>> disable these rules and is passed if I leave them enabled. If I do an HTTP
>> request, I see CLOSED:SYN_SENT/SYN_SENT:CLOSED in pfSense's "Diagnostics:
>> Show States".
>
> I've done a few setups like this. Make sure you have rules allowing the
> return traffic from OPT to WAN. To make sure you aren't getting bit by your
> webserver virtual machine routing the return traffic out the other interface
> (I don't know, it could happen...) try to set up a VM that only connects to
> vswitch2 and see if you have the same problem. Can you ping the VM from the
> firewall? Try pinging from each interface on the firewall.
>
> If you can ping it fine when it's only connected to one vswitch, but not when
> you add the second interface to the VM, it's probably a routing issue on the
> VM. Do you have default routes set for both interfaces on the webserver? If
> you do "netstat -rn" you should see entries for both interfaces. Something
> like this:
>
> Destination     Gateway         Genmask         Flags MSS Window irtt Iface
> 0.0.0.0         1.2.3.1         0.0.0.0         UG      0 0        0 eth0
> 0.0.0.0         1.2.3.129       0.0.0.0         UG      0 0        0 eth1

That was the missing hint in the right direction – problem solved! Indeed the return traffic had been sent through eth0, even if it originally arrived through eth1.
The solution was to create a custom routing table as described on Darien Kindlund's blog:
http://kindlund.wordpress.com/2007/11/19/configuring-multiple-default-routes-in-linux/

root@test:~# echo "1 ssl_sites" >> /etc/iproute2/rt_tables
root@test:~# ip route add 1.2.3.128/25 dev eth1 src 1.2.3.150 table ssl_sites
root@test:~# ip route add default via 1.2.3.129 dev eth1 table ssl_sites
root@test:~# ip rule add from 1.2.3.150/32 table ssl_sites
root@test:~# ip rule add to 1.2.3.150/32 table ssl_sites

Thank you all for your tremendous support!

Andreas
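As an added example (not from the thread, nor from the blog post linked above), the same policy-routing fix wrapped in a small POSIX shell helper. It reproduces the five commands from the message, but prints them first for review, avoids appending a duplicate line to rt_tables on a second run, and can verify afterwards that both the "from" and "to" rules really point at the custom table. The interface name, addresses, gateway, and table id/name are assumptions taken from the thread; the script name and function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): a helper that reproduces the
# policy-routing fix for a dual-homed Linux VM, so replies to traffic that
# arrived on the second NIC leave through that NIC's gateway.
# The defaults are assumptions taken from the thread; override via environment.
IFACE="${IFACE:-eth1}"                       # second NIC
ADDR="${ADDR:-1.2.3.150}"                    # the VM's address on that NIC
SUBNET="${SUBNET:-1.2.3.128/25}"             # directly connected subnet on IFACE
GATEWAY="${GATEWAY:-1.2.3.129}"              # pfSense OPT address
TABLE_ID="${TABLE_ID:-1}"
TABLE_NAME="${TABLE_NAME:-ssl_sites}"
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"

# Print the ip(8) commands without running them, so they can be reviewed
# before being applied to a host that is only reachable over the network.
plan_policy_route() {
    printf 'ip route add %s dev %s src %s table %s\n' "$SUBNET" "$IFACE" "$ADDR" "$TABLE_NAME"
    printf 'ip route add default via %s dev %s table %s\n' "$GATEWAY" "$IFACE" "$TABLE_NAME"
    printf 'ip rule add from %s/32 table %s\n' "$ADDR" "$TABLE_NAME"
    printf 'ip rule add to %s/32 table %s\n' "$ADDR" "$TABLE_NAME"
}

# Name the table in rt_tables exactly once; a blind append (as in the thread)
# would add a duplicate line on every run.
register_table() {
    if ! grep -Eq "^${TABLE_ID}[[:space:]]+${TABLE_NAME}\$" "$RT_TABLES" 2>/dev/null; then
        printf '%s %s\n' "$TABLE_ID" "$TABLE_NAME" >> "$RT_TABLES"
    fi
}

# Apply the plan for real (needs root). Stops at the first failing command.
apply_policy_route() {
    register_table || return 1
    plan_policy_route | while read -r cmd; do
        eval "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# Read `ip rule show` output from stdin and confirm that both the source
# and the destination rule for ADDR point at the custom table.
# iproute2 prints a /32 host rule as the bare address ("from 1.2.3.150").
check_policy_rules() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -qF "from $ADDR lookup $TABLE_NAME" &&
        printf '%s\n' "$rules" | grep -qF "to $ADDR lookup $TABLE_NAME"
}

case "${1:-plan}" in
    plan)  plan_policy_route ;;
    apply) apply_policy_route ;;
    check) ip rule show | check_policy_rules && echo "policy rules present" ;;
esac
```

Run it as `sh setup_policy_route.sh plan` to see the commands, `apply` (as root) to install them, and `check` to confirm the rules are in place. Note that routes and rules added this way live only in the kernel's running state: they vanish on reboot or when the interface is brought down, so on a real host the `apply` step belongs in whatever brings eth1 up (an interface post-up hook or the distribution's network configuration), not in a one-off shell session.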