Re: [pfSense Support] Virtual IPs not working

2005-08-22 Thread Scott Ullrich
You cannot ping proxy-ARP'd IPs unless there is 1:1 NAT set up.

Is this how you're forwarding, or are you using port forward?

Scott


On 8/22/05, Bastian Schern [EMAIL PROTECTED] wrote:
 Hi,
 
 I'm using pfSense Version 0.79.2 and my Virtual IPs are not functional.
 
 --- snip ---
 <virtualip>
 <vip>
 <mode>proxyarp</mode>
 <interface>wan</interface>
 <descr>WAN Subnet</descr>
 <type>network</type>
 <subnet_bits>28</subnet_bits>
 <subnet>213.191.xxx.xxx</subnet>
 </vip>
 <vip>
 <mode>proxyarp</mode>
 <interface>lan</interface>
 <descr>Private LAN</descr>
 <type>single</type>
 <subnet_bits>32</subnet_bits>
 <subnet>192.168.3.1</subnet>
 </vip>
 <vip>
 <mode>proxyarp</mode>
 <interface>lan</interface>
 <descr>AH-P LAN</descr>
 <type>single</type>
 <subnet_bits>32</subnet_bits>
 <subnet>192.168.101.1</subnet>
 </vip>
 </virtualip>
 --- snap ---
 
 It's not possible to ping any Virtual Interface. The most important thing is
 to get the external IPs working again, because all of them should be
 forwarded to the web server, mail server, ...
 
 Regards
 Bastian
 
 -
 To unsubscribe, e-mail: [EMAIL PROTECTED]
 For additional commands, e-mail: [EMAIL PROTECTED]
 





Re: [pfSense Support] Virtual IPs not working

2005-08-22 Thread Bill Marquette
On 8/22/05, Bastian Schern [EMAIL PROTECTED] wrote:
 Hi,
SNIP
 I'm using pfSense Version 0.79.2 and my Virtual IPs are not functional.
 It's not possible to ping any Virtual Interface. Most important thing is
 to get the external IPs back to work. Because all of them should be
 forwarded to Webserver, Mailserver, ...

Expected behaviour.  Proxy ARP doesn't create another IP address on the
firewall; it just replies to the upstream router with an ARP reply
when queried for that IP.

As has been suggested, do a 1:1 NAT, or port forward the ICMP to the
appropriate server (rules permitting).  Alternately, use CARP - it'll
create an interface with that IP so the firewall will respond (rules
permitting).

--Bill

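The distinction Bill draws (a proxy-ARP VIP makes the firewall answer ARP for an address but nothing answers the traffic unless 1:1 NAT or a port forward sends it somewhere; a CARP VIP gives the firewall its own address) can be checked mechanically against a config. The script below is an added example, not code from the thread or from the pfSense project: it parses a `<virtualip>` block shaped like Bastian's, expands network-type VIPs, and reports each address as CARP-answered, mapped by 1:1 NAT, or unmapped (the upstream router gets an ARP reply, then the packets go nowhere). The `<nat><onetoone><external>/<internal>` element names and the sample addresses are constructed assumptions; the real 213.191.x.x prefix is replaced with a documentation range.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample config in the shape of the thread's <virtualip> block.
# The <nat><onetoone> element names are an assumption for this example,
# not taken from the thread; 203.0.113.0/24 is a documentation range.
SAMPLE_CONFIG = """<pfsense>
  <virtualip>
    <vip><mode>proxyarp</mode><interface>wan</interface><descr>WAN Subnet</descr>
         <type>network</type><subnet_bits>28</subnet_bits><subnet>203.0.113.16</subnet></vip>
    <vip><mode>proxyarp</mode><interface>lan</interface><descr>Private LAN</descr>
         <type>single</type><subnet_bits>32</subnet_bits><subnet>192.168.3.1</subnet></vip>
    <vip><mode>carp</mode><interface>lan</interface><descr>AH-P LAN</descr>
         <type>single</type><subnet_bits>32</subnet_bits><subnet>192.168.101.1</subnet></vip>
  </virtualip>
  <nat>
    <onetoone><external>203.0.113.17</external><internal>10.0.0.10</internal></onetoone>
    <onetoone><external>203.0.113.18</external><internal>10.0.0.11</internal></onetoone>
  </nat>
</pfsense>"""


def vip_addresses(vip):
    """Expand one <vip> element into the set of addresses it covers.

    A 'network' VIP is expanded to its usable host addresses (network and
    broadcast excluded, an assumption of this example); a 'single' VIP is
    just the one address in <subnet>.
    """
    subnet = vip.findtext("subnet")
    bits = int(vip.findtext("subnet_bits", "32"))
    if vip.findtext("type") == "network":
        net = ipaddress.ip_network(f"{subnet}/{bits}", strict=False)
        return {str(a) for a in net.hosts()}
    return {subnet}


def audit(config_xml):
    """Return a list of (address, mode, verdict) for every VIP address.

    Verdicts follow the thread: CARP addresses are answered by the firewall
    itself, proxy-ARP addresses only pass traffic when a 1:1 NAT (or port
    forward) sends it to an inside host; anything else is ARP-answered but
    black-holed.
    """
    root = ET.fromstring(config_xml)
    mapped = {e.findtext("external") for e in root.iter("onetoone")}
    findings = []
    for vip in root.iter("vip"):
        mode = vip.findtext("mode")
        for addr in sorted(vip_addresses(vip), key=ipaddress.ip_address):
            if mode == "carp":
                verdict = "carp: firewall answers directly"
            elif addr in mapped:
                verdict = "proxyarp: 1:1 NAT forwards to inside host"
            else:
                verdict = "proxyarp: UNMAPPED, ARP answered but traffic dropped"
            findings.append((addr, mode, verdict))
    return findings


def summarize(findings):
    """Count findings per verdict class for a quick overview."""
    counts = {"carp": 0, "mapped": 0, "unmapped": 0}
    for _, mode, verdict in findings:
        if mode == "carp":
            counts["carp"] += 1
        elif "UNMAPPED" in verdict:
            counts["unmapped"] += 1
        else:
            counts["mapped"] += 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_CONFIG)
    for addr, mode, verdict in results:
        print(f"{addr:16} {verdict}")
    print(summarize(results))
```

Run against the constructed config this lists the twelve unused addresses of the /28 plus 192.168.3.1 as unmapped, which is exactly the set a ping from outside (or from the LAN, as in Bastian's second mail) will never get a reply from. Adding a `<onetoone>` entry, or switching the VIP mode to `carp`, changes the verdict for that address.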



Re: [pfSense Support] Virtual IPs not working

2005-08-22 Thread Bastian Schern

Chris Buechler wrote:
[...]

It looks like the virtual IPs do not exist. If I try to ping e.g.
192.168.3.1 I get Destination Host Unreachable.

From the firewall itself?  I don't think that'll work (due to loopback
issues).  If traffic passes in and out just fine, as intended, then
you're set.



With ping directly from the firewall itself I got a response like this:
--- snip ---
# ping -c 5 192.168.3.1
PING 192.168.3.1 (192.168.3.1): 56 data bytes
64 bytes from 192.168.3.1: icmp_seq=0 ttl=253 time=69.730 ms
64 bytes from 192.168.3.1: icmp_seq=1 ttl=253 time=124.443 ms
64 bytes from 192.168.3.1: icmp_seq=2 ttl=253 time=67.473 ms
64 bytes from 192.168.3.1: icmp_seq=3 ttl=253 time=170.599 ms
64 bytes from 192.168.3.1: icmp_seq=4 ttl=253 time=144.830 ms

--- 192.168.3.1 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 67.473/115.415/170.599/40.933 ms
--- snap ---

The response is definitely not from the FW. With traceroute I can
trace this response back to a host inside the LAN of my ISP. :-(

From a host inside my LAN I got this response:
--- snip ---
[EMAIL PROTECTED]:~ ping -c 5 192.168.3.1
PING 192.168.3.1 (192.168.3.1) 56(84) bytes of data.
From 192.168.3.2: icmp_seq=2 Destination Host Unreachable
From 192.168.3.2 icmp_seq=2 Destination Host Unreachable
From 192.168.3.2 icmp_seq=3 Destination Host Unreachable
From 192.168.3.2 icmp_seq=4 Destination Host Unreachable
From 192.168.3.2 icmp_seq=5 Destination Host Unreachable

--- 192.168.3.1 ping statistics ---
5 packets transmitted, 0 received, +5 errors, 100% packet loss, time 4000ms, pipe 3

--- snap ---

192.168.3.2 is the IP of my LAN host.

But if I try to set up the virtual IP manually I get this:

# ifconfig rl1 inet 192.168.3.1 netmask 255.255.255.0 alias



That's not how virtual IPs work.  There are no aliases; it's all
proxy ARP'ed in some fashion and handled that way.  When you bind IPs
to the box like that, the services running on it also tend to want to
bind to those IPs, and the whole thing becomes a big mess (not to
mention potentially opening up more access to your firewall than you
intend).



Okay, I believe you, but what can I do to solve my problem with my three
LAN subnets: 192.168.0.0/24 (main), 192.168.3.0/24 and 192.168.101.0/24?
All of them are located on the same physical interface, and at the
moment it is not possible to join the subnets.

Is there a way to handle that configuration?

Regards
Bastian
