On Wed, Feb 15, 2012 at 8:57 PM, Jason T. Slack-Moehrle
<[email protected]> wrote:
> Hi Yehuda;
>
>> On Wed, Feb 15, 2012 at 8:04 PM, Jason T. Slack-Moehrle 
>> <[email protected]> wrote:
>> > Hi All,
>> >
>> > My struggle continues.
>> >
>> > So basically:
>> > 1. I have 5 IPs from Comcast in a /29.
>> > 2. I want my firewall assigned 75.149.xx.25 but want it to answer for my 
>> > entire /29.
>> > 3. Create a 1:1 NAT for each public IP except .25. (so .26, .27, .28, .29, 
>> > etc)
>> > 4. Open Port 80 (and a few others) to .27 (the only IP I am using as of 
>> > today)
>> >
>> > Here are screen shots of what I have so far:
>> >
>> > http://6colors.net/1-to-1_nat.png
>> > http://6colors.net/alias_list.png
>> > http://6colors.net/interfaces.png
>> > http://6colors.net/outbound_nat.png
>> > http://6colors.net/virtual_ips.png
>> > http://6colors.net/wan_rules.png
>> >
>> > Can anyone shed some light on what is going on? I just cannot simply get 
>> > to the server after doing this.
>> >
>> We had a similar issue on Verizon. We allowed all ICMP pings through the 
>> firewall and tried to ping each address. The primary (assigned to the 
>> pfSense) responded and the others did not. It seems that the pfSense was not 
>> properly picking up the ARP requests unless it was the primary IP. (We did 
>> some other testing by connecting a computer to act as a packet sniffer in 
>> between the NOC and the pfSense. We never got around to figuring out why it 
>> did not work, since we found a workaround.)
>> We "solved" the problem by setting the primary interface IP to each of our 
>> IPs in turn and pinged it and then fixing the Virtual IP configuration.
>> We only had to do that once and it has run fine ever since.
>
> I don't follow what this means exactly and how to test this on my setup to see 
> if it solves my problem.
>

It means use IP aliases instead of proxy ARP VIPs. In some
circumstances, with some upstream ISP equipment, proxy ARP is
inadequate but IP aliases work fine. At times that's because only IP
aliases force the upstream ARP cache to wake up and update (though
usually it requires a time out) and the IPs were previously used on
something else.
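
One way to test this on a setup like the one in the thread, as an added example that is not part of the original messages: capture ARP on the WAN side and classify each address in the /29 by whether the upstream gateway asked for it and whether the firewall answered. The function name `arp_status`, the 203.0.113.24/29 documentation range, the gateway at .30 and the MAC address are all assumptions made for the example, and the capture text is constructed.

```python
import ipaddress
import re

# Constructed sample of `tcpdump -n arp` output taken on the WAN segment.
# 203.0.113.24/29 is a documentation range standing in for the ISP /29.
SAMPLE_CAPTURE = """\
12:00:01.000001 ARP, Request who-has 203.0.113.25 tell 203.0.113.30, length 46
12:00:01.000090 ARP, Reply 203.0.113.25 is-at 00:0c:29:aa:bb:01, length 28
12:00:02.000001 ARP, Request who-has 203.0.113.27 tell 203.0.113.30, length 46
12:00:03.000001 ARP, Request who-has 203.0.113.27 tell 203.0.113.30, length 46
12:00:04.000001 ARP, Request who-has 203.0.113.26 tell 203.0.113.30, length 46
12:00:04.000080 ARP, Reply 203.0.113.26 is-at 00:0c:29:aa:bb:01, length 28
"""

REQ = re.compile(r"ARP, Request who-has (\S+)(?: \(\S+\))? tell (\S+),")
REP = re.compile(r"ARP, Reply (\S+) is-at ([0-9A-Fa-f:]+),")

def arp_status(capture, subnet, gateway, firewall_mac):
    """Classify each usable address in subnet by how ARP for it was handled."""
    net = ipaddress.ip_network(subnet)
    asked, answered = set(), {}
    for line in capture.splitlines():
        if m := REQ.search(line):
            if m.group(2) == gateway:          # only requests from the upstream
                asked.add(m.group(1))
        elif m := REP.search(line):
            answered.setdefault(m.group(1), set()).add(m.group(2).lower())
    status = {}
    for host in net.hosts():
        ip = str(host)
        if ip == gateway:
            continue
        macs = answered.get(ip, set())
        if macs == {firewall_mac}:
            status[ip] = "answered"            # firewall replied for this IP
        elif macs:
            status[ip] = "answered-by-other"   # another device claims the IP
        elif ip in asked:
            status[ip] = "unanswered"          # upstream asked, nobody replied
        else:
            status[ip] = "not-requested"       # upstream never asked (cached?)
    return status
```

An address that stays "unanswered" matches the symptom described for non-primary IPs, while "not-requested" is consistent with the upstream still holding an older ARP entry for that IP.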