Topic: SOLVED: VIP reachable from OPT1 but not from LAN via OPT1 address
Author: Razorblade (Newbie, Posts: 3)
« on: January 29, 2008, 03:59:57 am »

Hi there,

I'm currently setting up a new firewall with pfSense to replace the old one.

I have the following setup:


WAN  -----------|
                |-----------------LAN
OPT1 -----------|

fxp0 = LAN = 10.0.0.1
ste0 = WAN = 10.0.10.10, Gateway 10.0.10.1
ste1 = OPT1 = 10.0.20.10

The VIP is 10.0.20.20, which is NATed to 10.0.0.254, where a webserver is running on port 80.

If I'm doing "telnet 10.0.20.20 80" on a host within the OPT1 net, it gets a connection to the webserver. If I'm doing "telnet 10.0.0.254" from a host within LAN, I also get a connection.
The problem starts when I try to connect from LAN to 10.0.20.20, since no data reaches the host behind 10.0.20.20. I ran wireshark on it, and in this case no data was received at all.

NAT:
OPT1   TCP   80(HTTP)   10.0.0.254(ext. 10.0.20.20)   80(HTTP)

Firewall rules:

LAN
Pass   *   LAN net   *   *   *   *

WAN
Block   *   RFC1918 networks   *   *   *   *

OPT1
Pass   TCP   *   *   10.0.0.254   80(HTTP)   *

One more weird thing is that if I try to connect from LAN via the VIP, the firewall logs that the access was permitted, and I can't find any log entry (logging is currently enabled for all rules) saying that the answer was blocked, even though wireshark on 10.0.0.254 doesn't log any incoming or outgoing data from or to 10.0.20.10.

From my point of view my setup should be correct. Maybe I'm thinking wrong, but this was the idea:

"telnet 10.0.20.20 80" from 10.0.0.x:
10.0.0.x -> 10.0.20.10 -> 10.0.20.20 -(dnat)-> 10.0.0.254 -(snat)-> 10.0.20.20 -> 10.0.20.10 -> 10.0.0.x (happy)

Since everything is happening on OPT1 addresses, the WAN interface shouldn't be involved at all (I'm thinking of wrong routing).

One more thing I realized was that a traceroute from pfSense to the VIP fails.

Maybe one of you can tell me how I can get this done. If you need more information, just ask.

Greetings,
D.

Edit:
Here's the routing table
default    10.0.10.1    UGS    0    1    1500    ste0    
127.0.0.1    127.0.0.1    UH    0    8    16384    lo0    
10.0.0       link#5    UC    0    1    1500    fxp0    
10.0.0.3    00:04:76:9e:83:6a    UHLW    1    2985    1500    fxp0    1200
10.0.20    link#2    UC    0    11    1500    ste1    
10.0.20.20    link#2    UHLW    1    0    1500    ste1    
10.0.10.0/24    link#1    UC    0    0    1500    ste0    
10.0.10.1    00:1c:58:ee:dd:44    UHLW    2    10    1500    ste0    1168

And I found the following within "states" when trying to connect from LAN via telnet to the VIP:
tcp     10.0.20.20:80 <- 10.0.0.3:51331     CLOSED:SYN_SENT
tcp    10.0.0.3:51331 -> 10.0.20.20:80    SYN_SENT:CLOSED

10.0.0.3 is the client I'm doing the connect from.

Solution: After disabling "Disable NAT Reflection" under "System -> Advanced" it finally worked.
« Last Edit: January 29, 2008, 04:27:11 am by Razorblade »
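Why toggling NAT reflection fixed this, as an added model that is not part of the post and not pfSense's own code: pf evaluates rdr (port-forward) rules only on the interface a packet enters, so the post's single OPT1-bound forward never sees a SYN that comes in on LAN, and the SYN ends at the firewall's own VIP (the SYN_SENT state shown above). NAT reflection adds a LAN-side redirect; the model also shows why that redirect needs a source rewrite (hairpin) when client and server share a subnet. The interface names, addresses and the client 10.0.0.3 are taken from the post; the OPT1 client 10.0.20.5 and the "unknown source arrives on WAN" rule are constructed assumptions, and the way pfSense itself implemented reflection at the time is not reproduced here.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Topology copied from the post (fxp0 = LAN, ste0 = WAN, ste1 = OPT1).
IFACE_NET = {
    "fxp0": ip_network("10.0.0.0/24"),
    "ste0": ip_network("10.0.10.0/24"),
    "ste1": ip_network("10.0.20.0/24"),
}
FW_ADDR = {"fxp0": "10.0.0.1", "ste0": "10.0.10.10", "ste1": "10.0.20.10"}
VIP = "10.0.20.20"      # virtual IP on OPT1
WEB = "10.0.0.254"      # web server on LAN, port 80


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the SYN enters the firewall on
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rdr:
    """One port-forward. pf evaluates rdr rules only on the interface they are bound to."""
    iface: str
    dst: str
    dport: int
    target: str
    hairpin: bool = False  # also rewrite the source to the firewall's address on `iface`


def ingress_iface(src: str) -> str:
    """Interface a packet from `src` arrives on (constructed: anything unknown comes in via WAN)."""
    for name, net in IFACE_NET.items():
        if ip_address(src) in net:
            return name
    return "ste0"


def translate(rules, pkt):
    """Apply the first matching rdr rule; return (translated packet, rule or None)."""
    for rule in rules:
        if (rule.iface, rule.dst, rule.dport) == (pkt.iface, pkt.dst, pkt.dport):
            src = FW_ADDR[rule.iface] if rule.hairpin else pkt.src
            return replace(pkt, src=src, dst=rule.target), rule
    return pkt, None


def reply_path(nat_pkt: Packet) -> str:
    """Where the server's SYN-ACK goes: the server answers the source address it saw."""
    if nat_pkt.src in FW_ADDR.values():
        return "firewall"            # hairpinned: the firewall un-NATs the reply
    if ip_address(nat_pkt.src) in IFACE_NET[ingress_iface(nat_pkt.dst)]:
        return "direct"              # same segment as the server: reply bypasses the firewall
    return "firewall"                # off-subnet: default gateway is the firewall, state matches


def connect(rules, client: str) -> str:
    """Outcome of `telnet 10.0.20.20 80` from `client` under the given rdr rules."""
    syn = Packet(ingress_iface(client), client, VIP, 80)
    nat_syn, rule = translate(rules, syn)
    if rule is None:
        # No rdr on the ingress interface: the SYN terminates at the firewall's own VIP,
        # which is the SYN_SENT state the post shows.
        return "NO_RDR"
    if reply_path(nat_syn) == "direct":
        # Server answers the client from 10.0.0.254; the client expected 10.0.20.20 and resets.
        return "ASYMMETRIC"
    return "OK"


ORIGINAL = [Rdr("ste1", VIP, 80, WEB)]                         # the post's single OPT1 port-forward
REFLECT_NO_HAIRPIN = ORIGINAL + [Rdr("fxp0", VIP, 80, WEB)]    # reflected rdr without source NAT
REFLECT = ORIGINAL + [Rdr("fxp0", VIP, 80, WEB, hairpin=True)]  # reflected rdr with hairpin

if __name__ == "__main__":
    cases = [("original", ORIGINAL), ("reflect w/o hairpin", REFLECT_NO_HAIRPIN), ("reflect", REFLECT)]
    for label, rules in cases:
        print(f"{label:22} OPT1 client: {connect(rules, '10.0.20.5'):10} "
              f"LAN client: {connect(rules, '10.0.0.3')}")
```

Running the block prints one line per rule set: the OPT1 client connects in every case, the LAN client fails with the original rules, and a reflected redirect without the source rewrite still fails because the server's reply goes straight back across the LAN segment from 10.0.0.254 rather than from the VIP the client addressed. Only the hairpinned redirect keeps both directions flowing through the firewall, which is what the firewall needs in order to match the state it logged as permitted.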