To allow traffic to 'hit' pfSense services that are available on the WAN, you don't need port forward rules.
Only creating firewall rules should suffice for that.

Only if you're running 2 machines for failover, it makes sense to use CARP.

If you want to be able to ping pfSense or run services on pfSense itself that use the secondary IPs, then make them 'IP-Alias'. Otherwise you might also give proxy-arp a try.

After that you can either use port forwards or 1on1 natting to make webservers and other devices reachable by those IP addresses, which still also require firewall rules to allow traffic. (Port forwards automatically create them if you allow it to; 1on1 does not.)

Greets PiBa

Bryan D. wrote on 3-3-2014 21:29:
Is the VIP CARP or IP Alias?

... according to the VIP capabilities chart, they're the only VIP kinds that 
can do ICMP:
https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses?

Since we don't allow ping-response, I thought I'd test this theory.  All 3 of 
the following worked (LAN routing to internal system was previously set up):

- I first created a Port Forward rule to allow pfSense to respond to WAN pings:
WAN  ICMP  *  *  WAN address  *  127.0.0.1  *  WAN pings to pfSense

- Then I created a Port Forward rule to allow pfSense to respond to pings on 
one of the static VIP IPs:
WAN  ICMP  *  *  x.12  *  127.0.0.1  *  static VIP pings to pfSense

- Then I created a Port Forward rule to allow an internal system (which has a 
system-level firewall that's configured to respond to pings) to respond to the 
ping:
WAN  ICMP  *  *  x.13  *  x.206  *  static VIP pings to internal system


If that's not it, then someone else needs to chime in as you've exhausted my 
knowledge in this area.


On 2014-Mar-03, at 7:59 AM, Ryan Coleman <ryanjc...@me.com> wrote:

I’ve done this, but I won't route traffic out (NAT) until I have verifiable 
traffic coming in.

The x.2 IP simply will not ICMP ping from outside the network (and, yes, I have 
it allowed).
_______________________________________________
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

