[pfSense] 1:1 NAT - Packets not leaving WAN interface
Hello all,

Objective - Connect to services from the Internet hosted on an internal server assigned an RFC1918 address.

pfSense version 2.4.2-RELEASE-p1

I have followed the instructions listed here - https://doc.pfsense.org/index.php/1:1_NAT

[Setup]

Firewall > Rules > WAN
protocol, source, port, destination, port, gateway, queue
IPv4, *, *, 192.168.1.10, *, *, none,

Firewall > NAT > 1:1
Interface, External IP, Internal IP, Destination IP
WAN, , 192.168.1.10, *

Problem: Packets returning from 192.168.1.10 stop at the 192.168.1 LAN side of the pfSense server never leaving the WAN side.

[TEST]

Internet Test Server initiates an SSH connection to the CARP VIP: ssh

Packet Trace:

[TCPDUMP on the 192.168.1.10 Server] - SYN, SYN ACK
06:53:24.130161 IP .36896 > 192.168.1.10.22: Flags [S], seq 650597210, win 29200, options [mss 1460,sackOK,TS val 953815939 ecr 0,nop,wscale 7], length 0
06:53:24.130227 IP 192.168.1.10.22 > .36896: Flags [S.], seq 1752400391, ack 650597211, win 28960, options [mss 1460,sackOK,TS val 20074848 ecr 953815939,nop,wscale 7], length 0

[TCPDUMP on the pfSense Server LAN side (em2)] - SYN, SYN ACK
06:53:25.351889 IP .36896 > 192.168.1.10.22: Flags [S], seq 650597210, win 29200, options [mss 1460,sackOK,TS val 953815939 ecr 0,nop,wscale 7], length 0
06:53:25.353085 IP 192.168.1.10.22 > .36896: Flags [S.], seq 1752400391, ack 650597211, win 28960, options [mss 1460,sackOK,TS val 20074848 ecr 953815939,nop,wscale 7], length 0

[TCPDUMP on the pfSense Server WAN side (em1)] - SYN
06:53:25.351739 IP .36896 > .22: Flags [S], seq 650597210, win 29200, options [mss 1460,sackOK,TS val 953815939 ecr 0,nop,wscale 7], length 0

Problem Note: Packets are not getting forwarded from the LAN interface out the WAN interface

Thanks in advance,
JD

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
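Added example, not part of the original post: the three-point capture comparison above done programmatically, reporting the last capture point that saw the SYN-ACK and the first that did not. The client address 203.0.113.50, the external address 198.51.100.10, and the capture-point names are constructed placeholders, since the post does not show the real public addresses.

```python
import re

# Constructed captures modelled on the three capture points in the post.
# 203.0.113.50 (client) and 198.51.100.10 (external 1:1 address) are
# placeholders: the post does not show the real public addresses.
SYN = "IP 203.0.113.50.36896 > {dst}.22: Flags [S], seq 650597210, win 29200, length 0"
SYNACK = ("IP 192.168.1.10.22 > 203.0.113.50.36896: Flags [S.], "
          "seq 1752400391, ack 650597211, win 28960, length 0")
CAPTURES = {
    "server": [SYN.format(dst="192.168.1.10"), SYNACK],
    "pfsense-lan-em2": [SYN.format(dst="192.168.1.10"), SYNACK],
    "pfsense-wan-em1": [SYN.format(dst="198.51.100.10")],
}
# Order in which the server's reply should cross the capture points.
REPLY_PATH = ["server", "pfsense-lan-em2", "pfsense-wan-em1"]

LINE = re.compile(r"IP \S+\.\d+ > \S+\.\d+: Flags \[([^\]]+)\], seq (\d+)(?:, ack (\d+))?")

def handshake(lines):
    """Return {'SYN': seq, 'SYN-ACK': ack} for handshake packets in tcpdump text."""
    seen = {}
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        flags, seq, ack = m.groups()
        if flags == "S":
            seen["SYN"] = int(seq)
        elif flags == "S." and ack is not None:
            seen["SYN-ACK"] = int(ack)
    return seen

def locate_reply_loss(captures, path):
    """Return (last point that saw the SYN-ACK, first point that did not)."""
    last = None
    for point in path:
        seen = handshake(captures[point])
        # Only count a SYN-ACK that acknowledges this capture's SYN (ack = seq + 1).
        if "SYN" in seen and seen.get("SYN-ACK") == seen["SYN"] + 1:
            last = point
        else:
            return last, point
    return last, None

if __name__ == "__main__":
    print(locate_reply_loss(CAPTURES, REPLY_PATH))
```

A result of (LAN point, WAN point) places the loss inside the firewall between the two interfaces, which is where rule, NAT and state-table checks belong.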
Re: [pfSense] Maximum CARP Addresses?
On Fri, Feb 16, 2018 at 1:20 AM, Chris L <c...@viptalk.net> wrote:

> On Feb 15, 2018, at 11:35 AM, ad^2 <adsquai...@gmail.com> wrote:
> >
> > Hello all,
> >
> > I read in the forum (https://forum.pfsense.org/index.php?topic=109346.0)
> > the 255 VHID limitation in CARP is no longer an issue in recent versions. I
> > cannot find any documentation to support it.
> >
> > I have a need to host a lot more than 255 virtual IP addresses.
> >
> > Can someone confirm or deny this. If it's true point me to the
> > documentation that states this. If not, is there a way around it?
> >
> > Thanks in advance,
> >
>
> jimp was referring to the requirement that a CARP VIP must be contained in
> the same subnet as the interface address. Removal of that
> requirement/limitation is what changed.
>
> The VHID is 8 bits and you can’t use 0 so 1-255.
>
> As discussed there, make IP Alias VIPs and assign them to CARP VIPs. They
> will go up and down with CARP MASTER/BACKUP status and will result in no
> additional multicast traffic per VIP. Try it I think you’ll like it.
>

Ok I understand.

What are the limitations here? How many aliases can be stacked on one CARP VIP?

Is anyone out there running +255 VIPs?

My implementation will require at least 500 floating IPs right away.

Thanks,
JD
[pfSense] Maximum CARP Addresses?
Hello all,

I read in the forum (https://forum.pfsense.org/index.php?topic=109346.0) the 255 VHID limitation in CARP is no longer an issue in recent versions. I cannot find any documentation to support it.

I have a need to host a lot more than 255 virtual IP addresses.

Can someone confirm or deny this. If it's true point me to the documentation that states this. If not, is there a way around it?

Thanks in advance,
JD