To allow traffic to 'hit' pfSense services that are available on the wan
you don't need port forward rules.
Only creating firewall rules should suffice for that.
Only if you're running 2 machines for failover, it makes sense to use CARP.
If you want to be able to ping pfSense or run services on pfSense itself
that use the secondary IPs, then make them 'IP-Alias'. Otherwise you
might also give proxy-arp a try.
After that you can either use port forwards or 1on1 natting to make
webservers and other devices reachable by those IP addresses, which
still also require firewall rules to allow traffic. (Port forwards
automatically create them if you allow it to, 1on1 does not.)
Greets PiBa
Bryan D. wrote on 3-3-2014 21:29:
Is the VIP CARP or IP Alias?
... according to the VIP capabilities chart, they're the only VIP kinds that
can do ICMP:
https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses?
Since we don't allow ping-response, I thought I'd test this theory. All 3 of
the following worked (LAN routing to internal system was previously set up):
- I first created a Port Forward rule to allow pfSense to respond to WAN pings:
WAN ICMP * * WAN address * 127.0.0.1 * WAN pings to pfSense
- Then I created a Port Forward rule to allow pfSense to respond to pings on
one of the static VIP IPs:
WAN ICMP * * x.12 * 127.0.0.1 * static VIP pings to pfSense
- Then I created a Port Forward rule to allow an internal system (which has a
system-level firewall that's configured to respond to pings) to respond to the
ping:
WAN ICMP * * x.13 * x.206 * static VIP pings to internal system
If that's not it, then someone else needs to chime in as you've exhausted my
knowledge in this area.
On 2014-Mar-03, at 7:59 AM, Ryan Coleman <ryanjc...@me.com> wrote:
I’ve done this, but I won't route traffic out (NAT) until I have verifiable
traffic coming in.
The x.2 IP simply will not ICMP ping from outside the network (and, yes, I have
it allowed).
_______________________________________________
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list