NAT and MAC change (Intel NIC Teaming)
-
I have problem with NAT and port forwarding.
One of my servers is using Intel nics with TEAM function (two lan cards are used as a team and provides load balancing and failover).The problem is that I cannot create stable connection with port forwarding (for example remote desktop or HTTPS mail), because MAC address constantly changes. I see these messages in log:
Nov 22 20:32:03 kernel: arp: 192.168.190.6 moved from XXXXXX:4c to XXXXXX:4d on fxp0
Nov 22 20:31:45 kernel: arp: 192.168.190.6 moved from XXXXXX:4d to XXXXXX:4c on fxp0
Nov 22 20:31:45 kernel: arp: 192.168.190.6 moved from XXXXXX:4c to XXXXXX:4d on fxp0
Nov 22 20:28:56 kernel: arp: 192.168.190.6 moved from XXXXXX:4d to XXXXXX:4c on fxp0
….What can I do now? Remove Team function or adjust firewall settings?
-
I am having a related issue where I need pfsense to update its ARP table more frequently due to MAC address changes. Any idea how to do this?
-
I have problem with NAT and port forwarding.
One of my servers is using Intel nics with TEAM function (two lan cards are used as a team and provides load balancing and failover).The problem is that I cannot create stable connection with port forwarding (for example remote desktop or HTTPS mail), because MAC address constantly changes. I see these messages in log:
Nov 22 20:32:03 kernel: arp: 192.168.190.6 moved from XXXXXX:4c to XXXXXX:4d on fxp0
Nov 22 20:31:45 kernel: arp: 192.168.190.6 moved from XXXXXX:4d to XXXXXX:4c on fxp0
Nov 22 20:31:45 kernel: arp: 192.168.190.6 moved from XXXXXX:4c to XXXXXX:4d on fxp0
Nov 22 20:28:56 kernel: arp: 192.168.190.6 moved from XXXXXX:4d to XXXXXX:4c on fxp0
….What can I do now? Remove Team function or adjust firewall settings?
It sounds like you don't have switch support for aggregation, or don't have it configured properly. Pure failover mode is all that will work properly without switch support.
I am having a related issue where I need pfsense to update its ARP table more frequently due to MAC address changes. Any idea how to do this?
I think FreeBSD should be updating the ARP table any time it receives a packet that doesn't match its current cache, as should any other TCP/IP stack. Are you saying you want it to flush the cache sooner and make a new ARP request? This is controlled by the sysctl tuneable 'net.link.ether.inet.max_age'; it seems to default to 20 minutes.