NAT redirect on Proxy ARP VIP

    Here's my issue…

    I have a box with two IPs.  The second IP is set as a VIP using Proxy ARP.  I can access everything from the outside just fine on both IPs.  The problem I'm having is that I can't access the second public VIP from the internal network.  I can, however, access the first public IP from the internal network (I'm assuming through the use of NAT redirect).  Is there something special I have to do on this VIP to get NAT redirect to work?


  • Try enabling System -> Advanced -> Reflection

  • I have it on…which is why it works on the first IP.  It just doesn't work on the virtual IP.

  • Proxy ARP is starting to really show its rough edges.  It seems to be causing problems with the FTP helper as well.

    About the only thing you can do here is convert the Proxy ARP IP over to a CARP type IP until the next version, which will have more options to choose from.

  • I think I did try it with CARP as well, but I'll make sure to try that again.

    There is a notice on one of the pages that mentions reflection does not work with large port ranges.  Does 1:1 NAT also affect the functionality of reflection?

    Here's a little more detail about what I have setup…

    WAN Interface: 12.X.X.3/32

    Virtual IP: 12.X.X.4/32 using Proxy ARP.

    1:1 NAT 12.X.X.4 ->

    Users inside the LAN can access 12.X.X.3 via its public IP.  Users inside the LAN cannot access 12.X.X.4 via its public IP.

    From the outside everything is working fine.

  • Will there be a fix/workaround for this?

    I have to use 1:1 because I run a SIP server behind NAT and the normal NAT in pfSense uses symmetric NAT while 1:1 uses cone.  SIP doesn't work well, if at all, with symmetric NAT.

  • Not in 1.0.

