Proxy arp and 1:1 NAT



  • 1:1 Nat'ed computers 'eventually' lose WAN access over time. The only way to get WAN access back is to delete the VIP and NAT and re-add the VIP and the NAT.

    1:1 Nat'ed computers can ping each other internally over the LAN and ping the WAN interface, but beyond that everything is not accessible.

    The access is lost over time. I am not sure how long it takes, but it is over the course of hours. Has anyone else experienced this?


  • Rebel Alliance Developer Netgate

    Sounds like it might have more to do with whatever device is on your WAN side. (DSL modem, Cable modem, etc).

    You might try using CARP IPs also, if the IPs are in the same subnet as your WAN IP.



  • I tried the setup in a colo environment where the handoff is RJ45. I have a /27 of IPs that I was trying to NAT individually to corresponding 192.168.21.0/24. I switched back to 1.2.3 and everything is swell. I think something is a little off with Proxy ARP and 1:1 Nat'ing in 2.0.



  • I am having the same issue… I am surprised nobody else has reported it as a bug....



  • choparp (the proxy ARP daemon) had major issues for a while prior to, I think, May 2, definitely sometime in the past week. I tested it to work fine after it was fixed, so make sure you're on the latest snapshot.



  • I am still experiencing this problem with the latest snapshot.  Are there any other users reporting this issue?



  • I have only run the snapshot update… Do I need to do a complete re-install to get the updated choparp daemon?


  • Rebel Alliance Developer Netgate

    How did you run the update?

    Are you sure it updated?

    The auto update function has had some issues up until a couple days ago. Try downloading an update file from the snapshots server and then uploading it from System > Firmware. Or do a console update by URL.



  • I'm seeing this same misbehavior, even after updating a 0331 build to

    2.0-BETA2
    built on Tue May 18 13:45:30 EDT 2010



  • I am aware of the autoupdate feature being iffy so I ran a manual update. I am currently using 2.0-BETA2
    built on Tue May 18 13:45:30 EDT 2010. The exact behavior is the 1:1 NAT addresses stop communicating every few hours until I remove the Proxy ARP VIPs and re-enter them.



  • Go to Diag > Command and run:

    ps ax|grep choparp

    and make sure it's actually running. If so, then get a packet capture when it's not working and see if your upstream is actually sending ARP requests that aren't getting replies.
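
The packet-capture check suggested in the last post, as an added example that is not part of the thread: it reads the text output of `tcpdump -n arp` taken on the WAN interface and counts ARP requests for the 1:1 NAT addresses that never received a reply. The function name, the 203.0.113.0/27 range standing in for the routed /27, and the capture lines are all constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `tcpdump -n arp` text output (not from the thread).
# 203.0.113.0/27 stands in for the routed /27; .1 plays the upstream gateway.
SAMPLE_CAPTURE = """\
10:00:00.000000 ARP, Request who-has 203.0.113.5 tell 203.0.113.1, length 46
10:00:00.000210 ARP, Reply 203.0.113.5 is-at 00:0c:29:aa:bb:cc, length 28
10:00:01.000000 ARP, Request who-has 203.0.113.6 tell 203.0.113.1, length 46
10:00:02.000000 ARP, Request who-has 203.0.113.6 tell 203.0.113.1, length 46
10:00:03.000000 ARP, Request who-has 203.0.113.6 tell 203.0.113.1, length 46
10:00:04.000000 ARP, Request who-has 198.51.100.9 tell 198.51.100.1, length 46
10:00:05.000000 ARP, Request who-has 203.0.113.1 tell 203.0.113.2, length 28
10:00:05.000150 ARP, Reply 203.0.113.1 is-at 00:1b:21:00:00:01, length 46
"""

# Matches the request and reply forms tcpdump prints for IPv4 ARP.
LINE = re.compile(
    r"^(\d\d):(\d\d):(\d\d\.\d+) ARP, (?:"
    r"Request who-has (?P<target>[\d.]+) (?:\(\S+\) )?tell (?P<asker>[\d.]+)"
    r"|Reply (?P<owner>[\d.]+) is-at (?P<mac>[0-9a-f:]+))"
)

def unanswered_vip_requests(capture_text, vip_network, timeout=1.0):
    """Return {ip: count} of ARP requests for addresses inside vip_network
    that saw no reply for that address within `timeout` seconds."""
    net = ipaddress.ip_network(vip_network)
    requests, replies = [], {}
    for line in capture_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip non-ARP or unparsed lines
        ts = int(m[1]) * 3600 + int(m[2]) * 60 + float(m[3])
        if m["target"]:
            if ipaddress.ip_address(m["target"]) in net:
                requests.append((ts, m["target"]))
        else:
            replies.setdefault(m["owner"], []).append(ts)
    missed = {}
    for ts, ip in requests:
        if not any(ts <= r <= ts + timeout for r in replies.get(ip, [])):
            missed[ip] = missed.get(ip, 0) + 1
    return missed

if __name__ == "__main__":
    for ip, n in unanswered_vip_requests(SAMPLE_CAPTURE, "203.0.113.0/27").items():
        print(f"{ip}: {n} ARP request(s) with no reply")
```

An address that shows up here while choparp is running points at the proxy ARP daemon not answering; an address the upstream never asks for at all points at the device on the WAN side instead.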

