Virtual IP + NAT Rules = Unhappy Amazon Devices

Hi,
So I followed the multiple Static WANs to virtual IP NAT video, attempting to forward one of my statics to a Virtualmin webserver in my DMZ VLAN. However, when I do, all my Amazon devices on a different VLAN won't talk out. I am assuming it's because it uses the same ports, but I thought those rules would only trigger on the virtual IP and not affect my primary pfSense static IP.

Any ideas? Has anyone ever seen something like this with Amazon devices? Is there an easier way to do this?

First issue I see is that your VLAN 11 is not part of the RFC 1918 space.
RFC 1918 - Address Allocation for Private Internets

10.0.0.0        -   10.255.255.255  (10/8 prefix)
172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
192.168.0.0     -   192.168.255.255 (192.168/16 prefix)

As for port forwarding on the virtual IP for the other devices, use pftop to determine what connections they are attempting; that will help you determine what is failing.

Oh, good call. I'll fix the IPs to prevent whatever trouble that might cause. And I'll give the pfTop idea a try; I am not the most handy with it yet but am working on it. Thanks for the suggestions, and thanks for all the videos!


Shouldn’t that be
10.x.x.x /8
172.x.x.x /16
192.168.x.x /24

Nope,

  • 10.x.x.x is 8
  • 172.x.x.x would also be 8, but the range is actually 172.16.x.x - 172.31.255.255, so only 4 bits of the second octet are used for the network address. This has caught me out on a couple of occasions when I've used something above 172.32.x.x and random things have gone wrong; Google (legitimately) uses some of that range.
  • 192.168.x.x is 16; 192.168.1.x would be 24

(The above is supposed to be informative and not condescending; I hope it comes over that way!)
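To make the prefix-length point above concrete, here is an added example (not code from the thread or from pfSense) that uses Python's standard `ipaddress` module to show why 172.16.0.0/12 only covers second octets 16 through 31, and to audit a table of interface subnets for anything that has drifted outside RFC 1918 space. The `SAMPLE_VLANS` table is constructed for the example and is not the original poster's configuration; the function names are my own.

```python
"""Check whether interface subnets fall inside RFC 1918 private space.

Added example: the three blocks are written as CIDR prefixes, which is the
point of the thread (172 is a /12, not a /16; 192.168 is a /16, not a /24).
"""
import ipaddress

RFC1918_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def rfc1918_block(subnet):
    """Return the RFC 1918 block that fully contains `subnet`, or None.

    A subnet that merely overlaps a private block (e.g. 172.0.0.0/8) is
    not accepted, since part of it would still be public address space.
    """
    net = ipaddress.ip_network(subnet, strict=False)
    for block in RFC1918_NETWORKS:
        if net.subnet_of(block):
            return block
    return None


def second_octet_range(prefix):
    """First and last value of the second octet covered by a prefix.

    For 172.16.0.0/12 this is (16, 31): the first 12 network bits fix
    the top 4 bits of the second octet at 0001, leaving 16..31.
    """
    net = ipaddress.ip_network(prefix)
    return (net.network_address.packed[1], net.broadcast_address.packed[1])


def audit_vlans(vlans):
    """Given {name: subnet}, return the names whose subnet is NOT private.

    An internal VLAN numbered from public space shadows real Internet hosts
    in that range for every client on it, which is the kind of
    'random things go wrong' failure described above.
    """
    return sorted(name for name, subnet in vlans.items()
                  if rfc1918_block(subnet) is None)


# Constructed sample interface table (hypothetical, not the OP's config).
SAMPLE_VLANS = {
    "LAN": "192.168.1.0/24",
    "DMZ": "10.10.10.0/24",
    "VLAN11": "172.32.11.0/24",   # looks private, but is just past 172.31.255.255
    "IOT": "172.31.20.0/24",      # last /16 inside 172.16.0.0/12
}

if __name__ == "__main__":
    print("172.16.0.0/12 second octet:", second_octet_range("172.16.0.0/12"))
    for name, subnet in SAMPLE_VLANS.items():
        print(f"{name:7} {subnet:18} -> {rfc1918_block(subnet) or 'NOT RFC 1918'}")
    print("Interfaces outside RFC 1918:", audit_vlans(SAMPLE_VLANS))
```

Running it flags only `VLAN11`; swapping its subnet for anything between 172.16.0.0 and 172.31.255.255 makes the audit come back clean.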

No offense taken, I was wondering if it was something like that.