Two questions from a New User



  • Just migrated my IPCop setup to pfsense 1.2.1. My firewall works in a datacentre protecting a rack of servers behind it.

    Q1. Had real trouble getting NAT to work. Had to assign each public IP address as a VIP of type CARP, then could see ifconfig was showing what I expected…

    carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
            inet 81.xx.xx.3 netmask 0xffffffff
            carp: MASTER vhid 1 advbase 1 advskew 0
    carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
            inet 81.xx.xx.4 netmask 0xffffffff
            carp: MASTER vhid 2 advbase 1 advskew 0
    carp2: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
         ...

    My question is, why do they have to be of type CARP, why not ARP or Other? I thought CARP was related to multiple firewalls and failover?

    Q2. How should you manually edit /rc/conf/config.xml and then get the server to re-read this file? I want to do this to enable WAN access to the Web GUI, so if there is a better way of achieving this when I am outside of the Internal WAN, then please let me know.
    I suppose I could use a remote desktop to configure the firewall from inside the Internal network - would that be better practice? But I still need to modify the rules to allow VNC access remotely... so assuming I can do this with vi on the config file, what should I then do... reboot the firewall? Can I test the config file is ok before I do this?

    thx dave



  • /etc/rc.reload_all
    appears to be the command to read /cf/conf/config.xml file and apply it, so that is my second question answered.

    My second question is still puzzling me: do you have to use type 'CARP' to get public WAN IP addresses to map to internal IP addresses behind the firewall?



  • No, you don't "have" to use CARP IPs.

    http://forum.pfsense.org/index.php/topic,7001.0.html
    @http://forum.pfsense.org/index.php/topic:

    Virtual IPs:
    A service cannot bind to a Proxy-ARP VIP. (Services on pfSense) use CARP for that instead.

    You can NOT ping Proxy ARP VIPs.
    Use CARP VIPs instead.
    http://forum.pfsense.org/index.php/topic,4499.0.html

    A description of what the differences between the 3 types of VIPs are:
    http://forum.pfsense.org/index.php/topic,3987.msg24632.html#msg24632



  • Thanks for the quick response... now I think I understand CARP and Proxy ARPs, but I don't see the Proxy ARP VIPs getting configured on the WAN interface - i.e. no change in ifconfig output?

    If you use type Proxy ARP for the VIP - which seems the more logical choice - what should ifconfig output show me?

    I don't see it adding an interface to listen for this VIP address, hence none of the NAT forwarding rules will work??

    thx dave



  • I don't know if ifconfig will show the change.
    Probably not since you say it doesn't show up ;)
    But I know that PARP VIPs work as they should.



  • Thanks for the replies… I would like to know from others using Proxy ARP VIPs whether their ifconfig shows up these addresses - I cannot see how the box would receive these packets if this was not the case?? Just go to option 8, and run the ifconfig command to see this.

    Had to put my firewall back to IPCop until I get this working cleanly.

    One thing that bit me hard was making a mistake in editing config.xml, and you are hosed if doing remote admin of the firewall. Is there a parse checker for this - or does everybody use the webGUI and never hand edit??

    Still in the dark over Proxy ARP and why it would not work for me, but I have a spare machine set up on pfSense to play with and hopefully post back something intelligent as to why it was not working.

    Lastly, general question - is pfSense more aimed at home user firewalls and not firewalls to be used to protect servers running in a hosted environment?



  • @abadger1406:

    Lastly, general question - is pfSense more aimed at home user firewalls and not firewalls to be used to protect servers running in a hosted environment?

    Just to give you an idea what others are using it for:
    http://forum.pfsense.org/index.php/topic,7668.0.html
    I'd think it is more business. The feature set far exceeds the needs of regular home users.



  • @abadger1406:

    Q2. How should you manually edit /rc/conf/config.xml and then get the server to re-read this file? I want to do this to enable WAN access to the Web GUI, so if there is a better way of achieving this when I am outside of the Internal WAN, then please let me know.

    @abadger1406:

    One thing that bit me hard was making a mistake in editing config.xml, and you are hosed if doing remote admin of the firewall. Is there a parse checker for this - or does everybody use the webGUI and never hand edit??

    Usually most (if not all) of the configuration is done through the WebGUI.
    I don't gain much by editing config.xml by hand.

    If you don't want to open up the WebGUI for secure WAN access (e.g. HTTPS on a non-standard port), I would use OpenVPN to tunnel into that network and use the WebGUI from within. IPsec is another option.
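A pre-reload sanity check for a hand-edited config.xml, added here as an example and not part of pfSense or this thread: it refuses to approve a file that does not parse (reporting the line and column of the slip) and flags a WebGUI that would be reached over plain HTTP or on a default port. The `<system><webgui><protocol>/<port>` layout is assumed from 1.2.x-era configs; the sample XML is constructed.

```python
"""Sanity-check a pfSense-style config.xml before /etc/rc.reload_all.

Added example, not pfSense's own tooling. The element names under
<system><webgui> are an assumption about the 1.2.x config layout.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a small config with the WebGUI on HTTPS/8443.
GOOD = """<?xml version="1.0"?>
<pfsense>
  <system>
    <hostname>fw1</hostname>
    <webgui>
      <protocol>https</protocol>
      <port>8443</port>
    </webgui>
  </system>
</pfsense>
"""

# The kind of slip a remote vi session produces: a mistyped closing tag.
BAD = GOOD.replace("</port>", "</prot>")


def check_config(xml_text):
    """Return (ok, findings). ok is False if the text is not well-formed
    XML or the WebGUI would be exposed over http / on a default port."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        line, col = exc.position  # where to jump to in the editor
        return False, [f"not well-formed at line {line}, column {col}: {exc}"]

    findings = []
    proto = root.findtext("system/webgui/protocol") or "http"
    port = root.findtext("system/webgui/port") or ("443" if proto == "https" else "80")
    if proto != "https":
        findings.append("webgui protocol is http; use https before allowing WAN access")
    if port in ("80", "443"):
        findings.append(f"webgui listens on default port {port}; pick a non-standard one")
    return not findings, findings


if __name__ == "__main__":
    # Real use: check_config(open("/cf/conf/config.xml").read()) and only
    # run /etc/rc.reload_all when ok is True.
    for label, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_config(text))
```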



  • Proxy-ARP VIPs are handled by a proxy-arp daemon. They do not show up in ifconfig. They should work just fine. If you don't like that, go ahead and use CARP VIPs, they should also work fine for your purposes.



  • I think I might have figured out why the Proxy ARP VIPs did not work immediately for me….

    Proxy ARP VIPs may not have worked for me, as the routing service within my hosted environment would have already cached MAC addresses for these IP addresses, as currently an IPCop firewall is set to listen to those IP addresses. So when I turn the IPCop firewall off and turn the pfSense firewall on, the ARP cache in the router will continue to try to contact the MAC address of the IPCop firewall for these IP addresses for some time after.

    So I should have just added the MAC address of the existing IPCop firewall to the list of MAC addresses served by the pfSense firewall, and I think all would have worked immediately.

    Or is there a way to tell the external machine to delete certain ARP cache entries?

    Will let you know if this works, next time I attempt the upgrade.



  • If you don't have control of the router, you have to wait for their ARP cache to expire. Although it will be cleared if the provider's router just happens to get power cycled accidentally. You could also call them and ask them to clear it.

