Virtual IP Proxy Arp Not Working?



  • I just upgraded from 1.2 Release to 1.2.2 and I had a set of networks NAT'd through a Proxy ARP'd Address on my Wan interface.  Before Upgrade.. Working Fine.. After Upgrade Connections going out through the Proxy Arp'd WAN address did not work.

    Fix was to have it use the interface address.  Is this a known problem?

    Tried Both Proxy Arp and Other in the VIP Section…



  • Okay everyone, listen up. When using 1:1 NAT and proxy-arp Virtual IP’s, pfsense will not send out the gratuitous ARP (GARP) reply when the virtual (proxy-arp) VIP interface comes up.  No problem if your ISP’s Router ARP cache has not stored the hardware address from a previous NIC at that IP address.  A GARP sent to the ISP router will cause it to use the new hardware NIC address immediately.  pfsense’s WAN IP always sends a GARP but not the virtual IP. So you can wait for the arp-cache timeout on the ISP’s router, call them and ask them to flush the cache, or perform the following NASTY procedure, which works every time.

    1. Delete all Proxy-arp VIP’s.
    2. Set your WAN IP to the first desired proxy-arp VIP. A GARP for this IP is sent to the ISP router.
    3. Set your WAN IP to the next desired proxy-arp VIP. A GARP for this IP is sent to the ISP router and so on.
    4. End by setting the final WAN IP as your desired WAN interface. The ISP router will have arp-cached the same hardware NIC address for all your IP's.
    5. Now setup all your proxy-arp VIP’s that were GARP’ed above.

    Your pfsense box and its proxy-arp VIP's should now be operational.  I believe that more than 80% of the proxy-arp VIP problems in this forum are because a GARP reply is not sent out on the VIP virtual interface.



  • Ugly..

    hshardy3: You know if there's a better daemon for proxy ARP?



  • Any updates guys  :),

    thanks


  • Rebel Alliance Developer Netgate

    Have you tried installing the arping package, and then using it from the CLI? It seems to support sending from alternate addresses/MACs.

    # arping
    ARPing 2.06, by Thomas Habets <thomas@habets.pp.se>
    usage: arping [ -0aAbdFpqrRuv ] [ -w <us>] [ -S <host/ip>] [ -T <host/ip ]
                  [ -s <mac>] [ -t <mac>] [ -c <count>] [ -i <interface>]

    It may be enough to do something like:

    arping -S <proxy arp vip> <isp gateway>

    I'm not sure if that would generate the proper GARP or not, but it's worth a try if you can reliably reproduce this behavior.



  • thanks for a reply,

    I'd installed the ARPIng package but still no luck,



  • it's interesting that you claim it happened after 1.2 -> 1.2.2 upgrade…
    can we see tcpdump from wan when you try to use proxy arp VIP?
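
One way to check a WAN capture for the behaviour described in this thread (a GARP for the WAN address but none for the proxy-arp VIP). This is an added example, not code from the thread or from pfSense; the function names, MAC and 203.0.113.x addresses are constructed, and the input is assumed to be raw Ethernet frames taken from a capture.

```python
import socket
import struct

ETH_ARP, ETH_VLAN = 0x0806, 0x8100

def parse_arp(frame: bytes):
    """Return (op, sender_mac, sender_ip, target_ip) for an IPv4/Ethernet ARP frame, else None."""
    if len(frame) < 14:
        return None
    ethertype, off = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype == ETH_VLAN and len(frame) >= 18:      # skip a single 802.1Q tag
        ethertype, off = struct.unpack("!H", frame[16:18])[0], 18
    if ethertype != ETH_ARP or len(frame) < off + 28:   # not ARP, or truncated
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[off:off + 8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[off + 8:off + 28])
    return op, sha.hex(":"), socket.inet_ntoa(spa), socket.inet_ntoa(tpa)

def garp_macs_for(frames, ip: str):
    """MACs that announced `ip` gratuitously, i.e. ARP with sender IP == target IP == ip."""
    macs = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp and arp[2] == arp[3] == ip and arp[1] not in macs:
            macs.append(arp[1])
    return macs

# Constructed sample capture (not real traffic): WAN NIC 02:00:00:00:00:01,
# WAN IP 203.0.113.2, ISP gateway 203.0.113.1, proxy-arp VIP 203.0.113.10.
SAMPLE = [bytes.fromhex(h) for h in (
    # GARP for the WAN IP: sender IP and target IP are both 203.0.113.2
    "ffffffffffff 020000000001 0806 0001 0800 06 04 0001"
    " 020000000001 cb007102 000000000000 cb007102",
    # ordinary who-has for the gateway: not gratuitous
    "ffffffffffff 020000000001 0806 0001 0800 06 04 0001"
    " 020000000001 cb007102 000000000000 cb007101",
    # truncated ARP frame: must be ignored, not raise
    "ffffffffffff 020000000001 0806 0001",
)]

if __name__ == "__main__":
    for ip in ("203.0.113.2", "203.0.113.10"):
        print(ip, "GARP from:", garp_macs_for(SAMPLE, ip) or "none seen")
```

An empty result for the VIP alongside a hit for the WAN address matches the symptom reported above; more than one MAC for the same address means two different NICs announced it.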

