Advanced Outbound NAT ignoring rules
-
No, fill up alias with correct netmask.
-
Try it with a proxy arp. The alias is a standard FreeBSD interface alias, I would not use it in this case. You could also try CARP. For CARP, you do want the correct WAN interface netmask. Your netmask on the alias should have been fine, you don't want the WAN mask in that situation. Per the man page:
alias Establish an additional network address for this interface. This
is sometimes useful when changing network numbers, and one wishes
to accept packets addressed to the old interface. If the address
is on the same subnet as the first network address for this
interface, a non-conflicting netmask must be given. Usually
0xffffffff is most appropriate.
-
For CARP and IPALIAS, you must use the network mask for your network. So if your WAN is a /26, then that is what you will need to use for your MASK for CARP and IPALIAS.
:)
-
Here's an update-
On a hunch (I thought I had already tried this, but I guess not), I went into the interface assignment menu and reassigned my WAN interface to use the onboard NIC (some intel variant) instead of a dc* based card. It immediately began passing traffic. Is the ability to use IP aliases dependent on NIC drivers in some way? I also did not know that I was supposed to use the same CIDR for the aliases as I do for the WAN. I've always just set aliases as a /32, and since that made sense to me and also seemed to function the same, I never thought about it. I switched that also. Now, all the aliases are /27 like my WAN interface address.
I didn't change any rules or anything when it started functioning. I simply swapped interfaces. Really strange- I tore my hair out over it all day, and I don't know why I didn't think to check the hardware, other than the fact that every one of the NICs in this box came out of other working boxes, and the one that "didn't work" came from another PFsense box where it was humming along happily. No ideas what is really going on there.
So, since I'm rather convinced at this point that it is hardware related, I'd like to know what you all use NIC wise and maybe there's a certain NIC that has the best support by BSD or maybe just what people have had luck with. At this point, I'm running with just cards I had sitting around, but I'd like to put all gigabit interfaces in it. I thought about just cruising craigslist and ebay for used intel gig nics. Will (4) gig cards be able to do wirespeed on a 2.6 Xeon with 4 gb ram?
-
Personally I run intel nics. They seem to do the best. On occasion, I run the realtek (when it comes on board), but I don't prefer them. I try to stay away from netgear. All the ones I have ever used just failed. (personal experience only). The old 3c905x line of 3com nics seemed to be a mixed bag. Most worked, but some are old and I don't know whether or not it was age or compatibility.
-
For CARP and IPALIAS, you must use the network mask for your network. So if your WAN is a /26, then that is what you will need to use for your MASK for CARP and IPALIAS.
:)
This is correct for CARP, but not for an alias on the same subnet as the interface. Please look at the man page I quoted above.
-
This man page you found is from what FreeBSD version?
Somewhere in this forum, cmb or jimp told me that alias with /32 netmask is not recommended any more.
I use IP alias as well as CARP with the correct netmask with no issues.
-
It hasn't changed in quite some time. Here is the 8.1 man:
http://www.freebsd.org/cgi/man.cgi?query=ifconfig&apropos=0&sektion=0&manpath=FreeBSD+8.1-RELEASE&arch=default&format=html
I got bit by this years back when I was building FreeBSD 4.x firewalls. I haven't used alias IPs in pfSense very much; in 1.x, it required hacking, so I only used them when I had to run different subnets on the same wire. So, truthfully I haven't tried alias IPs on the same subnet for years, but I'd guess they operate the same. Just curious, but what would be the advantages of using an alias to add an IP within the existing WAN subnet over proxy-arp, CARP, etc?
-
First, if you look in the examples, they are using the same subnet mask as the interface. Try it, I bet it will work.
As for any advantages, I don't really know of any. Perhaps someone who uses it more can comment on that. Personally, I see more advantage in CARP. Even if you don't plan on clustering, you might later on. ProxyARP also works better in some situations, especially when you have IPs in different subnets.
-
For IP aliases you can use either /32 or the actual mask on that network, doesn't matter either way if there is another IP on that subnet on the system. If that's the only IP in that subnet on the system, then it must have the actual mask you're using for that network.
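The netmask rule stated in the last post (and argued over earlier in the thread from the ifconfig man page) is easy to get wrong by hand, so here is a small checker written for this thread. It is an added example, not code from pfSense or FreeBSD: `check_alias` takes the addresses already configured on the box, a candidate alias with its mask, and the real network the alias lives on, and reports whether the mask choice is acceptable under that rule. `ifconfig_line` renders the FreeBSD `ifconfig ... alias` form from the man page. The interface name `em0` and all addresses (203.0.113.0/24 and 198.51.100.0/24 documentation ranges) are constructed sample values.

```python
"""Check IP alias netmask choices against the rule from the thread.

Rule being encoded (from the last post):
  * an alias may carry the real netmask of its network, or /32, if some
    other address on the system already sits in that subnet with the real mask;
  * if the alias is the only address in its subnet on the system, it must
    carry the real netmask, because a /32 gives the box no route to that wire.
Example code for this thread, not part of pfSense or FreeBSD.
"""
from ipaddress import IPv4Interface, IPv4Network


def check_alias(configured, alias, actual_network):
    """Return (ok, reason) for adding `alias` (e.g. '203.0.113.70/32').

    configured:     addresses already on the system, each as 'addr/prefix'
    actual_network: the real subnet on the wire, e.g. '203.0.113.64/27'
    """
    wire = IPv4Network(actual_network)
    cand = IPv4Interface(alias)

    if cand.ip not in wire:
        return False, f"{alias} is not an address inside {actual_network}"

    # Real mask: always acceptable, whether or not other addresses share the subnet.
    if cand.network.prefixlen == wire.prefixlen:
        return True, f"alias carries the real netmask /{wire.prefixlen}"

    # Anything other than /32 or the real mask is simply a wrong mask.
    if cand.network.prefixlen != 32:
        return False, (f"netmask /{cand.network.prefixlen} is neither /32 "
                       f"nor the real /{wire.prefixlen}")

    # /32 case: fine only if another address with the real mask already
    # gives the system that subnet (the WAN primary, or an earlier alias).
    for existing in configured:
        iface = IPv4Interface(existing)
        if iface.ip in wire and iface.network == wire:
            return True, f"/32 is fine: {existing} already provides {wire}"
    return False, ("this would be the only address in that subnet on the "
                   "system; use the real netmask instead")


def ifconfig_line(ifname, alias):
    """Render the FreeBSD ifconfig form for adding an alias address."""
    cand = IPv4Interface(alias)
    return f"ifconfig {ifname} inet {cand.ip} netmask {cand.netmask} alias"


if __name__ == "__main__":
    # Constructed sample: WAN primary on a /27, plus candidate aliases.
    wan = ["203.0.113.66/27"]
    candidates = [
        ("203.0.113.70/32", "203.0.113.64/27"),  # same subnet as WAN, /32
        ("203.0.113.70/27", "203.0.113.64/27"),  # same subnet, real mask
        ("203.0.113.70/24", "203.0.113.64/27"),  # wrong mask
        ("198.51.100.5/32", "198.51.100.0/24"),  # new subnet, /32: rejected
        ("198.51.100.5/24", "198.51.100.0/24"),  # new subnet, real mask
    ]
    for alias, net in candidates:
        ok, why = check_alias(wan, alias, net)
        print(f"{'OK ' if ok else 'BAD'} {alias:18} {why}")
        if ok:
            print("    " + ifconfig_line("em0", alias))
```

Once an alias with the real mask is on a second subnet, later /32 aliases on that same subnet pass the check, which matches the "another IP on that subnet on the system" condition in the post.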