On Mar 3, 2014, at 2:41 PM, PiBa <[email protected]> wrote:

> To allow traffic to 'hit' pfSense services that are available on the wan you
> don't need port forward rules.
> Only creating firewall rules should suffice for that.

That’s not what I’m trying to do, but thanks. The only item I’m attempting so far is a ping; after that everything comes from behind the firewa..

> Only if you're running 2 machines for failover, it makes sense to use CARP.
>
> If you want to be able to ping pfSense or run services on pfSense itself that
> use the secondary ip's then make them 'IP-Alias'. Otherwise you might also
> give proxy-arp a try..
>
> After that you can either use portforwards or 1on1 natting to make webservers
> and other devices reachable by those ip addresses. Which still also require
> firewall rules to allow traffic. (portforwards automatically create them if
> you allow it to, 1on1 does not..)
>
> Greets PiBa
>
> Bryan D. wrote on 3-3-2014 21:29:
>> Is the VIP CARP or IP Alias?
>>
>> ... according to the VIP capabilities chart, they're the only VIP kinds that
>> can do ICMP:
>> https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses?
>>
>> Since we don't allow ping-response, I thought I'd test this theory. All 3
>> of the following worked (LAN routing to internal system was previously
>> set up):
>>
>> - I first created a Port Forward rule to allow pfSense to respond to WAN
>> pings:
>> WAN ICMP * * WAN address * 127.0.0.1 * WAN pings to pfSense
>>
>> - Then I created a Port Forward rule to allow pfSense to respond to pings on
>> one of the static VIP IPs:
>> WAN ICMP * * x.12 * 127.0.0.1 * static VIP pings to pfSense
>>
>> - Then I created a Port Forward rule to allow an internal system (which has
>> a system-level firewall that's configured to respond to pings) to respond to
>> the ping:
>> WAN ICMP * * x.13 * x.206 * static VIP pings to internal system
>>
>>
>> If that's not it, then someone else needs to chime in as you've exhausted my
>> knowledge in this area.
>>
>>
>> On 2014-Mar-03, at 7:59 AM, Ryan Coleman <[email protected]> wrote:
>>
>>> I’ve done this, but I won't route traffic out (NAT) until I have verifiable
>>> traffic coming in.
>>>
>>> The x.2 IP simply will not ICMP ping from outside the network (and, yes, I
>>> have it allowed).
>> _______________________________________________
>> List mailing list
>> [email protected]
>> http://lists.pfsense.org/mailman/listinfo/list
