Second WAN IP NATed port 443 to server nr 2, works for 4-5 hours



  • Hello guys and girls!

    I'm on the latest pfSense version.
    I have a weird problem that I haven't found any solution for by searching around.

    My WAN IP is for example: 90.200.44.149/26 (WAN # 1)

    I have added a Virtual IP using IP Alias that is 90.200.44.151/26 (WAN # 2)

    In NAT I have Destination WAN #2, Port 443, NAT IP 10.0.1.7 (Server #2)

    This works. I can now go to myotherdomain.com and it is NATed to Server #2.

    But 4-5 hours in, it stops working. I see nothing in the general logs. The only thing I can do to get it working again is to change the virtual IP from /26 to /32. Then it works for 4-5 hours and I have to change it back again. Any solutions?



  • "Solved": it was the ARP expiry on the ISP side, which is 4 hours. I don't know why pfSense can't manage to keep it alive, though, as it can with the gateway. The ISP added a static ARP entry.


  • LAYER 8 Global Moderator

    If your ISP is not sending traffic to this VIP, why would it keep it cached? What traffic would be coming to this VIP via the ISP so it would keep the ARP cache current?

    Make sure there is traffic going to this VIP through your ISP and it would keep it cached. Say a monitoring system that pings it every X minutes, etc.

    "I don't know why pfSense can't manage to keep it alive, though, as it can with the gateway"

    I suggest you read up on how ARP caching works then ;) If your ISP doesn't cache it when it doesn't see traffic from it, then you would need to make sure traffic leaves from this VIP every so often. Why would your ISP not just ARP for it when it sees traffic wanting to go there?

    Are you saying that pfSense doesn't answer ARP requests for a VIP IP?



  • @johnpoz:

    If your ISP is not sending traffic to this VIP, why would it keep it cached? What traffic would be coming to this VIP via the ISP so it would keep the ARP cache current?

    Make sure there is traffic going to this VIP through your ISP and it would keep it cached. Say a monitoring system that pings it every X minutes, etc.

    "I don't know why pfSense can't manage to keep it alive, though, as it can with the gateway"

    I suggest you read up on how ARP caching works then ;) If your ISP doesn't cache it when it doesn't see traffic from it, then you would need to make sure traffic leaves from this VIP every so often. Why would your ISP not just ARP for it when it sees traffic wanting to go there?

    Are you saying that pfSense doesn't answer ARP requests for a VIP IP?

    Lots of questions for a newbie like me :) Let's see. I have an external monitoring system that tries to reach the service on port 443 every 5 min. But still the connection dies after 4 hours. What I meant was that the default WAN IP never dies after 4 hours. So I don't understand why my virtual IP does? The ISP has now set a static ARP entry to my pfSense MAC address for all the IPs. But no traffic goes through to the virtual IP using NAT to server #2.

    If I manage to make sure traffic leaves the VIP every so often, but then at some point some years from now there is a gap of 4 hours, would that mean I need to change from /32 to /26 or vice versa on the virtual IP to get it going again? Shouldn't this work automatically? Or do I need to make sure I have traffic going from my virtual IP to the gateway somehow for it to open?



  • A reboot also makes it start working again.

    Pinging using Diagnostics -> Ping and setting Source as the virtual IP also says unreachable, until a reboot or a change of the IP settings; then it works as normal.


  • LAYER 8 Global Moderator

    What VIP did you setup?

    Why would you set the VIP to /32? If the IP is in your /26 range then that should be the mask on your VIP, not /32.



  • @johnpoz:

    What VIP did you setup?

    Why would you set the VIP to /32? If the IP is in your /26 range then that should be the mask on your VIP, not /32.

    Both /26 and /32 work. But they both stop working after the Cisco 4-hour ARP expiry. And then I need to make a change or reboot to get it going again.


  • LAYER 8 Global Moderator

    Well, that seems like something odd with your ISP then. /26 would be the proper setting.

    Are you not seeing ARPs? And responses to the ARPs?

    I would have to check; maybe when you set it up or make a change the VIP sends out a gratuitous ARP that your ISP likes and then caches that for 4 hours, but it doesn't ARP for the IP?

    But let's ask this again: what VIP did you create?

    https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses

    If you created OTHER, according to that doc it doesn't do ARP.




  • @johnpoz:

    Well, that seems like something odd with your ISP then. /26 would be the proper setting.

    Are you not seeing ARPs? And responses to the ARPs?

    I would have to check; maybe when you set it up or make a change the VIP sends out a gratuitous ARP that your ISP likes and then caches that for 4 hours, but it doesn't ARP for the IP?

    But let's ask this again: what VIP did you create?

    https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses

    If you created OTHER, according to that doc it doesn't do ARP.

    Oh sorry, I didn't catch that question. I created an IP Alias. I see the ARPs in the ARP table, even after they stop working. How can I debug this further?

    I can ping the gateway using the VIP as source when it is working, but not when it has stopped working.


  • LAYER 8 Global Moderator

    Here you go, this thread is exactly what you're talking about, it seems.

    https://forum.pfsense.org/index.php?topic=66838.0
    Gratuitous arp from virtual IPs?

    At the end of the thread there seems to be a simple cron job you can do to get around your ISP issue.

    But I thought you said they put in a static ARP entry for you, so that should have solved your problem?
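    The two suggestions in this thread (make traffic leave the VIP every so often, and do it from a cron job) can be combined into one small script. This is an added example, not the cron job from the linked thread and not anything shipped by the pfSense project. It assumes a pfSense/FreeBSD box (so `ping -S` selects the source address), the VIP 90.200.44.151 from the first post, and a placeholder WAN gateway 90.200.44.129 that you would replace with the address shown under Status > Gateways. Besides sending the keepalive it records whether the gateway's ARP entry on pfSense is resolved at that moment, which gives you a timeline to compare against the 4-hour expiry instead of guessing.

```shell
#!/bin/sh
# Added example, not from the thread or the pfSense project.
# Sends one echo request sourced from the IP Alias VIP to the WAN gateway so the
# ISP side sees traffic from the VIP, and logs the state of the gateway's ARP
# entry on pfSense at the same time.
# Assumed: pfSense/FreeBSD (ping -S = source address, -t = deadline in seconds),
# the VIP 90.200.44.151 from the thread, and a PLACEHOLDER gateway 90.200.44.129.

VIP="${VIP:-90.200.44.151}"
GW="${GW:-90.200.44.129}"        # placeholder; use the gateway from Status > Gateways
LOG="${LOG:-/var/log/vip-keepalive.log}"

# Build the FreeBSD ping command line: one echo request, 2 s deadline, sourced from the VIP.
keepalive_cmd() {
    printf 'ping -S %s -c 1 -t 2 %s' "$1" "$2"
}

# Read `arp -an` output on stdin; succeed only if $1 has a resolved (non-incomplete) entry.
# FreeBSD lines look like:
#   ? (90.200.44.129) at 00:11:22:33:44:55 on em0 expires in 1186 seconds [ethernet]
#   ? (90.200.44.150) at (incomplete) on em0 expired [ethernet]
arp_resolved() {
    awk -v ip="($1)" '$2 == ip && $4 != "(incomplete)" { found = 1 } END { exit (found ? 0 : 1) }'
}

# Constructed sample of `arp -an` output for the offline self-check; not captured from a real box.
SAMPLE_ARP='? (90.200.44.129) at 00:11:22:33:44:55 on em0 expires in 1186 seconds [ethernet]
? (90.200.44.150) at (incomplete) on em0 expired [ethernet]'

# Offline self-check: 0 when the gateway resolves and the stale neighbour does not.
demo_check() {
    printf '%s\n' "$SAMPLE_ARP" | arp_resolved 90.200.44.129 || return 1
    if printf '%s\n' "$SAMPLE_ARP" | arp_resolved 90.200.44.150; then return 1; fi
    return 0
}

# The scheduled job: note the gateway's ARP state, then send one packet from the VIP.
run_keepalive() {
    state=resolved
    arp -an | arp_resolved "$GW" || state=unresolved
    if $(keepalive_cmd "$VIP" "$GW") >/dev/null 2>&1; then
        result=ok
    else
        result=FAILED
    fi
    printf '%s gw=%s arp=%s vip=%s ping=%s\n' \
        "$(date '+%Y-%m-%dT%H:%M:%S')" "$GW" "$state" "$VIP" "$result" >>"$LOG"
    [ "$result" = ok ]
}

# Only touch the network when invoked as: vip-keepalive.sh run
if [ "${1:-}" = run ]; then
    run_keepalive
fi
```

    Install it with the pfSense Cron package (an assumption about how you schedule things) at an interval well below the 4-hour expiry, for example every 30 minutes. When the failure recurs, a `ping=FAILED` line next to `arp=resolved` tells you pfSense still knows the gateway's MAC while the ISP has dropped the VIP, which is the symptom the thread describes; a run of `arp=unresolved` lines would point at the pfSense side instead.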



  • Thanks, I'll take a look!

    Either they haven't done it and just said they have, or something is still wrong, because the issue remains.

