DMZ Setup from RG to pfsense for WAN - ARP conflicts?
I recently had AT&T Gigapower installed at my home about 2 weeks ago and wanted to continue using my pfSense setup. AT&T makes a bit more difficult than Comcast did in setting this up. I have a Pace 5268AC RG (Router/Gateway) which doesn't have a true bridge mode. In order for pfSense to have my WAN IP, I have to set pfSense in a DMZ+ (DMZplus) format. (Ref: http://www.dslreports.com/faq/17804)
What I noticed with this setup is that on the Pace 5268AC, itself, it displays my WAN IP with Pace's WAN interface MAC address (XX:XX:XX:XX:XX:XX) which is different than my pfSense WAN interface (YY:YY:YY:YY:YY:YY). I had tried setting my pfSense WAN's interface as the same MAC address as the Pace 5268AC. However, I could never get pfSense to connect to the Pace 5268AC successfully that way I assume due to the conflict.
My wife and I have noticed sites will seemingly hang when trying to connect at random. I haven't been able to find a pattern for any of them yet. In my troubleshooting, I see that the following line is shown over and over again in the System Logs for pfSense.
kernel arp: XX:XX:XX:XX:XX:XX is using my IP address XXX.XXX.XXX.XXX on vtnet0!
Could this be causing conflicts which would explain the random delays that we're experiencing?
VM on Proxmox Host (C2758 with 16GB RAM)
1GB RAM and all 8 cores given to pfSense VM.
Previously had pfBlockerNG setup but ended up deleting it several weeks back.
No others installed currently.
johnpoz LAYER 8 Global Moderator last edited by
Duplicate IP yeah… That would be an issue.
Following up on this. I finally had some time to troubleshoot, and I believe I have the root cause of the timeouts. I did some packet capture and made a peculiar find. Some domains were occasionally resolving to 10.10.10.1. I dug into what was happening on my local DNS resolver and found that it had a custom option for:
Back in June, I had experimented with pfBlockerNG to use as an ad-blocker for all devices on my network rather than having to manage the block-list on each individual device.
I ran into issues with constantly having to customize the filters for various sites (Read: Wife not happy some of the blogs she follows would have unrendered pages due to the blocks) so I uninstalled it and we didn't have any further issues. We were on Comcast at the time. We moved in July and stayed with them until we had Gigapower installed in October. The timeouts didn't arise until we moved to AT&T so I'm not sure if we had some insane DNS caching client-side or what.
Since I removed that custom configuration for Unbound, the timeouts no longer occur. I still see the ARP conflicts for my WAN IP so that seems to be more of a warning rather than an error.
I have this exact setup, and the same logging issue. A Pace 5268AC router on AT&T Gigapower on a Netgate 2440 with pfSense 2.3.2.
I am setting the AT&T router in DMZPlus mode, which passes all traffic to the selected internal device (in my case pfSense 2440). This makes the DHCP server in the AT&T router assigns the WAN port of the 2440 the public internet IP from the AT&T router (oddly enough). As mentioned by the OP, this is causing this system log error in pfSense:
arp: xx:xx:xx:xx:xx:xx is using my IP address n.n.n.n on igb0!
xx:xx:xx:xx:xx:xx is the arp address of the lan port on the AT&T router, and n.n.n.n is the public internet IP.
Its passing traffic fine in this configuration. I guess I can also understand why the error would get logged, but would love to understand how this setup works, and if I should be concerned enough to change it. The goal with the setup is to put the AT&T router into as a close of a bridge mode as I can.