Netgate Discussion Forum

    Extra public IPs not working

    4 Posts 2 Posters 935 Views
SyrusDH

      I may be having the same (or a similar) issue. Running nanoBSD pfSense 2.2.3 64-bit.

      Have Verizon Business Fios with a block of 5 static IPs.

      I have 3 of them pointed at 3 servers in my DMZ (172.19.69.0/24) using 1:1 NAT.
      (nat.png)

      I have a WAN firewall rule that allows traffic to the DMZ…
      (wan.png)

      ...and a DMZ firewall rule that allows traffic to anything except the LAN.
      (dmz.png)

      This exact configuration (different ISP and IPs) works at my office.  However, here at my house, it isn't working.
      I can access the servers in the DMZ (172.19.69.0/24) directly from my LAN (10.19.69.0/24).
      I can access the public static IPs from my LAN successfully using NAT reflection.
      But there's no response at all when accessing the public static IPs from the outside world.
      I tried running a packet capture on the public static IPs from the WAN interface, but it doesn't show any packets captured.

The weirdest part is that I can plug my laptop directly into the fiber ONT (bypassing pfSense) and talk successfully on any of the public static IPs. Any ideas?

cmb

        Split this into its own topic. It sounds like the same root cause in that your modem/next hop router isn't sending you the traffic, but there are a wide range of reasons that could occur.

        Did you add IP alias type virtual IPs for the public IPs? I'm guessing that's probably not the issue given you see nothing at all on WAN for those IPs, and without VIPs you'd see repeated ARP requests for those IPs and it sounds like that's not the case.

        Since you plugged in another device on those IPs, your Fios modem/router likely is hanging onto those MACs. Power cycling it, after disconnecting anything else with those public IPs assigned, likely will suffice.

SyrusDH

          After a good night's rest, I actually came to the same conclusion.

          And you're absolutely right, it was the virtual IPs.  :)  Problem is solved! Thanks!

          Additional observations:
          Strangely enough, at my work on a different ISP, the virtual IPs weren't required (which is what is most confusing about this config).
Even stranger is that I plugged my laptop into the WAN of my older Cisco router (that was working), pinged the public static IPs, then checked the ARP table only to find that all static IPs had the same MAC address… very strange. I don't understand how that worked.
          Anyway, color me slightly confused, but I'm grateful that the current pfSense box is working.

cmb

            Whether or not VIPs are required depends on your ISP's setup. If they're routing them to you, no need for VIPs. Where you must answer ARP on them, you must have a VIP type that answers ARP. Where you have multiple aliases on the same device, they all show up as the same MAC. Outside of circumstances like CARP, VRRP, and HSRP that use virtual MACs, there is only one MAC on a given interface and all the IPs on that interface use it.

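The two diagnostics cmb gives above (repeated, unanswered ARP requests on WAN mean a VIP is missing; every alias on one interface answers with the same MAC) can be checked mechanically against a WAN capture. The following is an added example, not code from the thread or from pfSense: it parses tcpdump-style ARP lines (format assumed; the addresses and MAC are constructed) and reports which public IPs the upstream asks for without getting an answer, which it never asks for at all, and how many distinct MACs are answering.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style ARP lines as seen on a WAN interface (not a real capture).
# 203.0.113.0/24 is a documentation range; the MAC address is made up.
CONSTRUCTED_CAPTURE = """\
ARP, Request who-has 203.0.113.10 tell 203.0.113.1, length 46
ARP, Reply 203.0.113.10 is-at 00:11:22:33:44:55, length 28
ARP, Request who-has 203.0.113.11 tell 203.0.113.1, length 46
ARP, Request who-has 203.0.113.11 tell 203.0.113.1, length 46
ARP, Request who-has 203.0.113.11 tell 203.0.113.1, length 46
ARP, Request who-has 203.0.113.12 tell 203.0.113.1, length 46
ARP, Reply 203.0.113.12 is-at 00:11:22:33:44:55, length 28
"""

REQUEST = re.compile(r"ARP, Request who-has (\S+) tell ")
REPLY = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-fA-F:]{17})")


def analyse_arp(capture, public_ips):
    """For each public IP: how often the upstream asked for it and which MAC (if any) answered."""
    requests = defaultdict(int)
    replies = {}
    for line in capture.splitlines():
        m = REQUEST.search(line)
        if m:
            requests[m.group(1)] += 1
            continue
        m = REPLY.search(line)
        if m:
            replies[m.group(1)] = m.group(2).lower()
    return {ip: {"requests": requests.get(ip, 0), "mac": replies.get(ip)}
            for ip in public_ips}


def unanswered(status):
    """IPs the upstream keeps ARPing for with no reply: the 'missing VIP' symptom."""
    return sorted(ip for ip, s in status.items()
                  if s["requests"] > 0 and s["mac"] is None)


def never_requested(status):
    """IPs the upstream never ARPs for: either routed to you, or not being sent at all."""
    return sorted(ip for ip, s in status.items() if s["requests"] == 0)


def answering_macs(status):
    """Set of answering MACs; aliases on a single interface should all yield one MAC."""
    return {s["mac"] for s in status.values() if s["mac"]}
```

An IP listed by `unanswered` matches the symptom cmb describes for a missing IP alias VIP; one listed by `never_requested` matches the original poster's situation, where nothing for that address reaches the WAN at all.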
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.