4. NAT and MAC change (Intel NIC Teaming)

NAT and MAC change (Intel NIC Teaming)

  • U

    I have problem with NAT and port forwarding.
    One of my servers is using Intel nics with TEAM function (two lan cards are used as a team and provides load balancing and failover).

    The problem is that I cannot create stable connection with port forwarding (for example remote desktop or HTTPS mail), because MAC address constantly changes. I see these messages in log:

    Nov 22 20:32:03 kernel: arp: 192.168.190.6 moved from XXXXXX:4c to XXXXXX:4d on fxp0
    Nov 22 20:31:45 kernel: arp: 192.168.190.6 moved from XXXXXX:4d to XXXXXX:4c on fxp0
    Nov 22 20:31:45 kernel: arp: 192.168.190.6 moved from XXXXXX:4c to XXXXXX:4d on fxp0
    Nov 22 20:28:56 kernel: arp: 192.168.190.6 moved from XXXXXX:4d to XXXXXX:4c on fxp0
    ….

    What can I do now? Remove Team function or adjust firewall settings?

    0
  • J

    I am having a related issue where I need pfsense to update its ARP table more frequently due to MAC address changes. Any idea how to do this?

    0
  • K

    @unguzov:

    I have problem with NAT and port forwarding.
    One of my servers is using Intel nics with TEAM function (two lan cards are used as a team and provides load balancing and failover).

    The problem is that I cannot create stable connection with port forwarding (for example remote desktop or HTTPS mail), because MAC address constantly changes. I see these messages in log:

    Nov 22 20:32:03 kernel: arp: 192.168.190.6 moved from XXXXXX:4c to XXXXXX:4d on fxp0
    Nov 22 20:31:45 kernel: arp: 192.168.190.6 moved from XXXXXX:4d to XXXXXX:4c on fxp0
    Nov 22 20:31:45 kernel: arp: 192.168.190.6 moved from XXXXXX:4c to XXXXXX:4d on fxp0
    Nov 22 20:28:56 kernel: arp: 192.168.190.6 moved from XXXXXX:4d to XXXXXX:4c on fxp0
    ….

    What can I do now? Remove Team function or adjust firewall settings?

    It sounds like you don't have switch support for aggregation, or don't have it configured properly. Pure failover mode is all that will work properly without switch support.

    I am having a related issue where I need pfsense to update its ARP table more frequently due to MAC address changes. Any idea how to do this?

    I think FreeBSD should be updating the ARP table any time it receives a packet that doesn't match its current cache, as should any other TCP/IP stack. Are you saying you want it to flush the cache sooner and make a new ARP request? This is controlled by the sysctl tuneable 'net.link.ether.inet.max_age'; it seems to default to 20 minutes.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy