Netgate Discussion Forum

    Virtual IP ARP entry spoofing - is it possible?

    • shaunj

      My setup is as follows:

      ISP_Router_(IF:x.x.x.1)----(IF:x.x.x.5)_pfSense(VM)_GREEN_LAN(IF:y.y.y.5)----Switch----Internal_Devices

      I have a virtual IP configured on pfSense as x.x.x.12 and a Port Forward rule sending all traffic from x.x.x.12:443 -> y.y.y.202:443

      This worked fine until I upgraded to Fibre and the ISP changed my router. Having snooped the traffic on the WAN interface of the pfSense I can see what the issue is but am unsure how to proceed.

      The old ISP router was able to forward traffic to the VIP (x.x.x.12) using IP address.

      The new router (HG633) seems to only be able to forward to MAC address. I have confirmed this by snooping the WAN interface and can see the external traffic being targeted at the x.x.x.5 (WAN) interface, not the x.x.x.12 (VIP) interface.

      Is it possible to set up a VIP with an alternate (spoofed?) ARP address? I've looked around the GUI and tried various VIP types but there doesn't seem to be an option.

      If anyone has any ideas it would be much appreciated. 'Talking' to the ISP is proving challenging.

      • cmb

        CARP IPs use virtual MACs. That's usually what people do in that circumstance.

        • shaunj

          Thanks for the response. I'm not sure how this helps. I've looked at CARP settings and configurations and I'm unable to work out what needs to be done. If you have an example you can share I would appreciate it.

          Thanks
          Shaun

          • cmb

            It's automatic, the MAC of the CARP IP is determined by its VHID.

            1 Reply Last reply Reply Quote 0
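
The VHID-to-MAC mapping mentioned in the last reply, as an added example that is not part of the original thread: CARP takes its virtual MAC from the VRRP range, 00:00:5e:00:01:XX with XX the VHID in hex, so a neighbour's ARP table shows whether a VIP answers with its own MAC or with the WAN interface MAC. The function names and the ARP lines (192.0.2.0/24 addresses, as seen from another host on the WAN segment) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): relate CARP VHIDs to virtual MACs
# and classify `arp -an` output. All names and sample data are constructed.

# VHID (1-255) -> CARP virtual MAC 00:00:5e:00:01:<VHID in hex>
carp_mac() {
    vhid=$1
    case $vhid in
        ''|*[!0-9]*|0*|????*) echo "invalid VHID: $vhid" >&2; return 1 ;;
    esac
    if [ "$vhid" -gt 255 ]; then
        echo "VHID out of range (1-255): $vhid" >&2; return 1
    fi
    printf '00:00:5e:00:01:%02x\n' "$vhid"
}

# MAC -> VHID if it lies in the CARP/VRRP virtual range, else return 1
carp_vhid() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case $mac in
        00:00:5e:00:01:[0-9a-f][0-9a-f]) echo $((0x${mac##*:})) ;;
        *) return 1 ;;
    esac
}

# Read `arp -an` lines on stdin: "? (IP) at MAC on IF ..."
# Print "IP MAC carp-vhid=N" or "IP MAC not-carp" for each entry.
classify_arp() {
    while read -r q ip at hw rest; do
        ip=${ip#\(}; ip=${ip%\)}
        if id=$(carp_vhid "$hw"); then
            echo "$ip $hw carp-vhid=$id"
        else
            echo "$ip $hw not-carp"
        fi
    done
}

# Constructed sample: ISP router, pfSense WAN address, CARP VIP with VHID 12.
SAMPLE_ARP='? (192.0.2.1) at 3c:52:82:aa:bb:01 on em0 expires in 1187 seconds [ethernet]
? (192.0.2.5) at 00:0c:29:11:22:33 on em0 permanent [ethernet]
? (192.0.2.12) at 00:00:5e:00:01:0c on em0 permanent [ethernet]'

printf '%s\n' "$SAMPLE_ARP" | classify_arp
```
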