Virtual IP bugs



  • Hi
    This week I regrettably installed pfSense v.2 (20100514) Beta in a production environment as I really needed the ability to restrict certain pages of the pfSense web gui for a certain user. I have been testing v2 Beta for some time now and have found the core functionality to be pretty stable. The one area where it seems to fall down is Virtual IPs.
    The site I installed this box in has a full /24 public IP range on its WAN. I was replacing an IPCop which had many port 80 forwarding rules for these public IP addresses to internal web servers. I first set about adding the IPs as Proxy Arp addresses under Virtual IPs. I decided to add them in chunks of smaller subnets, the first being:
    xxx.xxx.xxx.128/25

    I expected this to give me 128 usable IPs (128-255) to use within my NAT rules however I found only 8 addresses usable in the dropdown list (129-136). All other addresses that I needed above .136 required me to add the virtual IP individually.

    I figured that was a workable bug so I continued setting up the port forwarding rules.
    All appeared to be working fine until I had reports that one of the websites we were hosting was not accessible externally. In order to resolve this I had to delete the NAT/Firewall rules and then the Virtual IP, then recreate the virtual IP and rules. That website worked fine, but then a different site stopped working externally. Again using a virtual IP on port 80 going to a different LAN IP address. Again fixed by deleting the virtual IP.
    It appears that I can only use 1 virtual IP at a time?!?!

    As there is 4,000 miles and the Atlantic Ocean between me and this office, I had to revert back to their IPCop minutes before I flew back home.

    Anybody else experienced this issue?

    Gordon
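The two symptoms in the post above (a subnet-style VIP that only exposes a handful of addresses in the NAT dropdown, and port forwards that silently stop answering) can both be caught by auditing the VIP and NAT configuration as data. The following is an added example, not code from the original post or from pfSense; it uses constructed sample entries on the TEST-NET-1 range (192.0.2.0/24) in place of the redacted xxx.xxx.xxx.128/25, and assumes the VIP list and NAT rules have been exported as simple tuples.

```python
import ipaddress

# Constructed sample data. VIP entries are (type, network) as read off the
# Virtual IPs page; NAT rules are (external_ip, port, internal_ip).
SAMPLE_VIPS = [
    ("proxyarp", "192.0.2.128/25"),   # stands in for xxx.xxx.xxx.128/25
    ("ipalias", "192.0.2.20/32"),
]
SAMPLE_NAT_RULES = [
    ("192.0.2.130", 80, "10.0.0.10"),
    ("192.0.2.20", 80, "10.0.0.11"),
    ("192.0.2.40", 80, "10.0.0.12"),  # no VIP of any type covers this address
]
# Addresses the NAT dropdown actually offered for the /25 (.129-.136 as reported).
SAMPLE_OFFERED = [f"192.0.2.{i}" for i in range(129, 137)]


def expected_vip_hosts(cidr):
    """Usable host addresses a subnet-style VIP should expose
    (network and broadcast addresses excluded)."""
    return [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]


def missing_vip_hosts(cidr, offered):
    """Expected hosts the GUI did not offer, in address order."""
    seen = set(offered)
    return [h for h in expected_vip_hosts(cidr) if h not in seen]


def uncovered_nat_targets(vips, nat_rules):
    """External addresses used by NAT rules that no VIP covers. Such a rule
    is dead: the firewall never claims the address, so traffic never reaches it."""
    nets = [ipaddress.ip_network(net, strict=False) for _, net in vips]
    bad = []
    for ext_ip, _port, _int_ip in nat_rules:
        addr = ipaddress.ip_address(ext_ip)
        if not any(addr in n for n in nets):
            bad.append(ext_ip)
    return bad


if __name__ == "__main__":
    print("missing from dropdown:", missing_vip_hosts("192.0.2.128/25", SAMPLE_OFFERED))
    print("NAT targets with no VIP:", uncovered_nat_targets(SAMPLE_VIPS, SAMPLE_NAT_RULES))
```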


  • Rebel Alliance Developer Netgate

    Are you on x86 or 64-bit?



  • x86



  • I'm sure the NAT had nothing to do with it, it was probably entirely proxy ARP causing the difficulties. Others have reported similar issues with choparp. I suspect switching to CARP or IP Alias type VIPs would have fixed it.
    http://redmine.pfsense.org/issues/616


  • Thanks for the prompt attention guys.
    Will try and get a free trip back to New York to test ;D

    BTW… thanks for the great book!
