I should have said:

1. add virtual ip (am I supposed to be able to select the cidr? it greys out and is set to /32)
2. add NAT: Port Forwarding entry using WAN, the virtual ip in step 1, tcp, from 80, my server's private ip, local port 80, checked auto add firewall rule.
3. reverified that virtual ip, nat and rule entries are all present.

ok it works this time.. the difference? bug :) if you click proxy arp and then click CARP it gives you an ungreyed CIDR drop down. I set it to /27 which is what my firewall's WAN interface is set to (and it must have accepted it). If you DON'T set the CIDR it works fine. at least that's what I think happened.

another possible bug. when adding new interfaces by clicking the + on the assign screen the firewall webgui times out if you don't wait several seconds before attempting to click another + to add another interface.

----- Original Message -----
From: "Bill Marquette" <[EMAIL PROTECTED]>
To: "Matthew Lenz" <[EMAIL PROTECTED]>
Cc: "pfsense" <[email protected]>
Sent: Wednesday, July 27, 2005 3:13 PM
Subject: Re: [pfSense-discussion] multipe ips on the wan interface?

On 7/27/05, Matthew Lenz <[EMAIL PROTECTED]> wrote:
> say I want to have multiple ip's on the wan interface so that I can forward
> http/https for one public ip to a private ip behind the firewall and
> smtp/imap on a different public ip to another private ip behind the
> firewall. I thought this was what the virtual ip functionality is for.

Yup, that's what it's for.

> I added a virtual ip using the WAN interface (using proxy arp cuz it was the
> default) and used a public ip that's available on the same subnet that the
> firewall's wan ip is on

So far, this sounds right.

> and forwarded port 80 to the private ip of my server's port 80.

Port forwarding?

> ( I've got outbound nat enabled for the time being for
> this private subnet and all the machines, including the server, on the
> private subnet can get to the internet just fine. )

Shouldn't matter.

> I checked the 'auto add
> firewall rule' checkbox and clicked save. Everything looks cool but when I
> attempt to access that ip on port 80 from a remote internet site I don't get
> anywhere.

Should have worked. It does take a second or two for rule changes to apply, but this should have worked like a charm.

> Was this not the procedure I was looking for? Do I instead have to create
> an 'interface' for each public ip and use the same ethernet device for each?

Nope, what you did sounds right.

--Bill
