Netgate Discussion Forum

    Kernel: arp_rtrequest: bad gateway (and not just cosmetics..)

    7 Posts 2 Posters 5.2k Views
      bruno

      hello,
      after spending the whole morning in fine-tuning and successfully setting up a 1:1 NAT for a DMZ ftp host with a CARP VIP on WAN (for ftp-helper compatibility), I had to reboot the firewall, and since then I couldn't bring it back working.

      I can just see connections are blocked (10.30.14.79 is the host in DMZ)

      Proto    Source -> Router -> Destination    State   
      tcp 87.17.243.229:1275 -> 10.30.14.79:21 SYN_SENT:CLOSED
      tcp 10.30.14.79:21 <- CARP_VIP_IP:21 <- 87.17.243.229:1275 CLOSED:SYN_SENT

      The only error in the log (which never appeared before rebooting) is

      kernel: arp_rtrequest: bad gateway CARP_VIP_IP (!AF_LINK)

      traffic from WAN is enabled for * to 10.30.14.79:21 and pasv port range :5000-5499
      tried deleting VIP and recreating, changing CARP vhid (who knows), changing VIP IP to another free IP I have, deleting all rules, deleting and recreating NAT 1:1, rebooting.. nothing, still cannot connect to VIP.

      thanks.

        hoba

        The ARP message is cosmetic and can be ignored. It's always there when using CARP. Maybe your upstream device is having issues with its ARP cache. Try rebooting it.

          bruno

          just noticed with ps aux | grep pftpx I have no ftp helper running for WAN address (the one where I created a VIP), while it's enabled in the interface properties page (checkbox not selected). don't know if I had it running before when all was ok.

          does that mean something..?

            bruno

            @hoba:

            The ARP message is cosmetic and can be ignored. It's always there when using CARP. Maybe your upstream device is having issues with its ARP cache. Try rebooting it.

            ok, will try it tomorrow, I'm far away from the ISP router at the moment.
            thanks

              hoba

              This is an ftp server? You should start over and use the correct procedure:

              • delete all firewall rules and NAT rules that you have created for this server
              • create a CARP VIP
              • enable the ftphelper at interface WAN
              • create a port forward for the CARP VIP port 21 only

              The ftphelper should now work and also take care of the passive port range of the server. No reason to forward that range manually now.

                bruno

                hoba, you fixed that all once again.  ;)
                don't know why it ever broke, but now it works, without forwarding anything but port 21.

                thank you very much!

                  hoba

                  :)

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.