Virtual IPs with a /24 public subnet

  • I'm using pfSense 2.0 and I have 5 static IP addresses with my ISP.  Normally I can add the 4 additional addresses as IP Aliases and use them in port forwarding rules, but for some reason I cannot in this instance.  My ISP denies there is an issue with the additional IPs, so I'm not sure if they're wrong or if the /24 subnet they provide is throwing things off.

    IP Alias should work in that case, as should Proxy ARP or CARP.

    Depending on how the link on your WAN is set up, they may have some additional requirements there. In some cases we have seen where the ISP requires a unique MAC address for each IP, so using CARP VIPs might help there.

  • Thanks.  I just checked and they said they don't require it.  It's crazy, I have the exact same setup at my own office but with a different ISP; everything I test here works perfectly but nothing works there.  I'm still not sure if it's the ISP or if the router is corrupt (mostly because I don't want it to be the ISP; they don't have the most knowledgeable tech support); it's been there since Beta 1 or 2.  I may have to default the router and put in a bare bones setup and test again.  If that fails, I'm not sure how to get the ISP to recognize their issue.

  • Okay, I'm getting some VERY strange behavior from the Virtual IP page.  I'm still trying to get these public IPs to work.  Let's say they are:
    Just a reminder, /24 is the actual subnet my ISP provides.  For the .83 entry, I am missing options present for the other 3 virtual IPs.  For certain types, I cannot change the subnet and I do not have the option to "Disable expansion of this entry into IPs on NAT lists" for ANY of the VIP types in the .83 entry.

    The screenshot you show looks right.

    IP Alias is always a single address and always has a subnet mask.

    Proxy ARP can be a single address or a "network". When it's set to single address, you don't choose a subnet for Proxy ARP. When it's set to a network, that subnet mask controls how many Proxy ARP VIPs are created, and you can disable the NAT expansion only then, because with a single address you cannot expand it.

  • Augh, sorry, I'm so aggravated with this that I'm clutching at straws. :)

  • Update, I finally got the ISP out there and it was an issue on their side so all is well now.  Thanks again!

