
pfSense ping Virtual IP

Alastair Grant | Tuesday 11 November 2014

I'm currently trying out pfSense as a virtual firewall/router. I have to say I'm rather impressed! I have been planning to take a look at it for some time; it has a solid following and the press is nothing but good. I felt, though, that it might be a bit of a plunge I didn't have time for and, being fully featured, a pain to get configured just right. It clearly has a corporate focus, unlike things like DD-WRT that are aimed more at the home user.

The reason I finally gave it a go was that I was having trouble getting openSUSE to make a PPPoE connection to my broadband modem: I was trying to see if it would work through a virtual switch. As a last-ditch attempt I thought I'd try pfSense to rule out the software. It worked straight away, and in fact it was so easy to set up that I decided to stick with it.

I was pleasantly surprised at the level of detail in the on-screen notes. Where you often get a box labelled with a TLA that only hardened professionals know what to enter, pfSense does an excellent job of giving you a hint if you're unsure. It is vastly more configurable and extensible than I thought and easily provides the minimal functionality I got out of DD-WRT. It has far better UI support for some of the more convoluted networking things, which on DD-WRT meant writing the commands by hand.

There is only one thing that got me stuck, and that is how to handle a block of IP addresses on the WAN interface. I have a small /29 block of IP addresses that I want to serve up through the same firewall, but over PPPoE only the single default address is assigned to the interface. This is easily solved, but to get things working just right you have to be a bit picky. Virtual IPs (Firewall > Virtual IPs) are easy to configure; the trick is to add each address in the block explicitly as its own Virtual IP of type IP Alias, and not to enter the /29 as a single network entry or use any other block-style type.

Once they've been added as IP aliases you can continue on your merry way, selecting them from the destination list when setting up NAT. The only problem I had was with ICMP and pings. Best practice is often quoted as not having your Internet-connected devices respond to anything, but that is frequently far from practical, so I wanted pings to work. Adding a firewall rule to allow ICMP worked fine for my default WAN address but not for any of the VIPs. A search of the net and a trawl of IRC didn't help. In the end I ran a packet capture whilst pinging a VIP from outside: the echo requests were arriving at the VIP, but the echo replies were leaving with the default WAN address as their source rather than the VIP that had been pinged, so the replies never matched up with the requests.

The fix is quite simple: add a NAT (port forward) rule on the WAN interface for each VIP, matching protocol ICMP with the VIP as the destination and the default WAN address as the target. pfSense can create the matching firewall pass rule for you when you save the port forward. Because the translation is stateful, the reply is rewritten on its way back out and appears to come from the VIP instead of the WAN address. Keep the rule as narrow as your version allows (ICMP only, and echo requests rather than all ICMP if the subtype can be selected), and re-run the packet capture afterwards to confirm that the reply source now matches the address you pinged.
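The packet-capture check above is the one thing that actually revealed the problem, so it is worth having a repeatable version of it for every address in the block rather than eyeballing one ping. The following is an added example, not code from this post or from pfSense: it parses the plain-text output of `tcpdump -n icmp` (the same thing you get from pfSense's Diagnostics > Packet Capture with the file viewed in tcpdump), pairs each echo request with its reply on the ICMP id/seq pair that ping itself uses, and reports per address whether the reply came back from the address that was pinged. The two captures embedded in it are constructed for the example, as are the addresses: 203.0.113.0/29 stands in for the routed block (so each of .1 to .6 is an IP Alias VIP as described above, with .1 the default WAN address) and 198.51.100.7 for the external host doing the pinging.

```python
"""Pair ICMP echo requests with replies from a tcpdump capture and flag replies
that leave from a different address than the one pinged.

Added example, not from the original post or pfSense. Addresses are RFC 5737
documentation ranges chosen for the example: 203.0.113.0/29 is the routed
block, .1 the default WAN address, 198.51.100.7 the external ping source.
"""
import ipaddress
import re

# Matches tcpdump -n lines for ICMP echo; other traffic (ARP, TCP, ...)
# simply does not match and is skipped.
ECHO_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)

# Constructed capture (not real data) before the NAT fix: the WAN address
# answers its own ping, VIP .3 is answered from .1, VIP .4 is never answered.
BEFORE_FIX = """\
12:00:01.000001 IP 198.51.100.7 > 203.0.113.1: ICMP echo request, id 4242, seq 1, length 64
12:00:01.000200 IP 203.0.113.1 > 198.51.100.7: ICMP echo reply, id 4242, seq 1, length 64
12:00:02.000001 IP 198.51.100.7 > 203.0.113.3: ICMP echo request, id 4243, seq 1, length 64
12:00:02.000200 IP 203.0.113.1 > 198.51.100.7: ICMP echo reply, id 4243, seq 1, length 64
12:00:03.000001 IP 198.51.100.7 > 203.0.113.4: ICMP echo request, id 4244, seq 1, length 64
12:00:03.500000 ARP, Request who-has 203.0.113.1 tell 203.0.113.6, length 28
"""

# Constructed capture after an ICMP NAT to the WAN address for each VIP:
# every reply now carries the pinged VIP as its source.
AFTER_FIX = """\
12:10:01.000001 IP 198.51.100.7 > 203.0.113.1: ICMP echo request, id 5000, seq 1, length 64
12:10:01.000200 IP 203.0.113.1 > 198.51.100.7: ICMP echo reply, id 5000, seq 1, length 64
12:10:02.000001 IP 198.51.100.7 > 203.0.113.3: ICMP echo request, id 5001, seq 1, length 64
12:10:02.000200 IP 203.0.113.3 > 198.51.100.7: ICMP echo reply, id 5001, seq 1, length 64
12:10:03.000001 IP 198.51.100.7 > 203.0.113.4: ICMP echo request, id 5002, seq 1, length 64
12:10:03.000200 IP 203.0.113.4 > 198.51.100.7: ICMP echo reply, id 5002, seq 1, length 64
"""


def parse_echoes(text):
    """Return one dict per ICMP echo line, in capture order."""
    packets = []
    for line in text.splitlines():
        m = ECHO_RE.match(line)
        if m:
            pkt = m.groupdict()
            pkt["id"], pkt["seq"] = int(pkt["id"]), int(pkt["seq"])
            packets.append(pkt)
    return packets


def match_echoes(text):
    """Pair requests with replies on (client, id, seq).

    Each result records the address that was pinged and the address the
    reply came from (None when no reply was seen in the capture).
    """
    pending = {}  # (client, id, seq) -> address pinged
    matched = []
    for pkt in parse_echoes(text):
        if pkt["kind"] == "request":
            pending[(pkt["src"], pkt["id"], pkt["seq"])] = pkt["dst"]
            continue
        key = (pkt["dst"], pkt["id"], pkt["seq"])
        pinged = pending.pop(key, None)
        if pinged is None:
            continue  # reply without a request in this capture; ignore
        matched.append({"client": key[0], "id": key[1], "seq": key[2],
                        "pinged": pinged, "answered_from": pkt["src"]})
    for (client, echo_id, seq), pinged in pending.items():
        matched.append({"client": client, "id": echo_id, "seq": seq,
                        "pinged": pinged, "answered_from": None})
    return matched


def vip_report(text, block):
    """Classify every usable address in `block` from the capture.

    Precedence: asymmetric (a reply left from another address, the bug)
    > ok (replies came from the address pinged) > silent (pinged, no
    reply) > untested (no ping to this address in the capture).
    """
    status = {str(ip): "untested" for ip in ipaddress.ip_network(block).hosts()}
    for m in match_echoes(text):
        addr = m["pinged"]
        if addr not in status:
            continue  # outside the block we are checking
        if m["answered_from"] is None:
            if status[addr] == "untested":
                status[addr] = "silent"
        elif m["answered_from"] != addr:
            status[addr] = "asymmetric"
        elif status[addr] != "asymmetric":
            status[addr] = "ok"
    return status


if __name__ == "__main__":
    for label, capture in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label)
        for addr, state in vip_report(capture, "203.0.113.0/29").items():
            print(f"  {addr:<14} {state}")
```

Run it against a real capture by replacing the constructed strings with the contents of a `tcpdump -n -r capture.pcap icmp` run taken on the pfSense WAN interface while pinging every VIP from outside; any address still reported as asymmetric is one whose ICMP NAT rule is missing or mis-targeted, and silent ones are worth checking against the firewall rules before blaming NAT.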

Hope this helps somebody.

Breaking from the voyeuristic norms of the Internet, any comments can be made in private by contacting me.