NAT 1:1 question



  • I'm using Virtual IPs and NAT 1:1 from external to my internal server.
    But I have this output in my system logs:

    Mar 14 08:43:29 kernel: arp_rtrequest: bad gateway 172.16.4.254 (!AF_LINK)
    Mar 13 18:27:50 kernel: arp_rtrequest: bad gateway xxx.xxx.xxx.22 (!AF_LINK)

    What is the meaning of that statement?

    I'm using this config:

    Virtual IPs: xxx.xxx.xxx.22/29 Type: CARP

    NAT 1:1
    WAN -> xxx.xxx.xxx.22/32 -> 172.16.4.52/32

    WAN:
    (1)
    Proto: TCP
    Source: any
    Port: any
    Destination: 172.16.4.52
    Port: 21
    Gateway: default

    (2)
    Proto: TCP
    Source: any
    Port: any
    Destination: 172.16.4.52
    Port: 30000-40000
    Gateway: default

    LAN:
    Port: any
    Source: 172.16.4.52
    Port: any
    Destination: any
    Gateway: any

    I'm trying to upload and download from external via passive FTP. It seems very slow in the download process, but normal in the upload process.
    Is there something wrong with my rules?
    Btw, I also use the alias "WEB" for host 172.16.4.52.



  • @agismaniax:

    Mar 14 08:43:29 kernel: arp_rtrequest: bad gateway 172.16.4.254 (!AF_LINK)
    Mar 13 18:27:50 kernel: arp_rtrequest: bad gateway xxx.xxx.xxx.22 (!AF_LINK)

    Those are cosmetic and can be ignored. They appear when the CARP IPs are brought up.
    Is that a full-blown CARP setup (2 machines) or is that a single machine? If these are 2 machines, check that master/slave states are correct at both.

    I see you use a CARP IP at LAN too, is that your gateway IP for LAN clients? Make sure your server uses that IP as gateway then too.

    Why do you need the rule at LAN? Have you restricted outgoing access? The 1:1 NAT should take care that outgoing traffic is mapped back to the external CARP IP. Why does your LAN rule show a gateway "any" instead of default?
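To make the point about the 1:1 mapping concrete, here is an added example (not from this thread and not pfSense's own code) that models the 1:1 NAT and the two WAN rules from the first post, then checks a passive-mode FTP reply against them. It assumes 203.0.113.22 as a stand-in for the masked xxx.xxx.xxx.22, and that inbound NAT is applied before the WAN filter rules, which is why those rules name the internal address.

```python
import re

# Constructed values: 203.0.113.22 stands in for the masked xxx.xxx.xxx.22.
EXTERNAL_VIP = "203.0.113.22"
INTERNAL_HOST = "172.16.4.52"

# 1:1 NAT as in the thread: WAN -> external /32 -> internal /32, both directions.
NAT_1TO1 = {EXTERNAL_VIP: INTERNAL_HOST}
NAT_REVERSE = {v: k for k, v in NAT_1TO1.items()}

# WAN rules (1) and (2) from the first post. The destination is the internal
# address because inbound NAT rewrites it before the WAN rules are evaluated.
WAN_RULES = [
    ("tcp", INTERNAL_HOST, range(21, 22)),        # FTP control channel
    ("tcp", INTERNAL_HOST, range(30000, 40001)),  # passive data port range
]

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def inbound_dst(dst_ip):
    """Destination address the WAN rules see after 1:1 NAT."""
    return NAT_1TO1.get(dst_ip, dst_ip)


def outbound_src(src_ip):
    """Source address the Internet sees for the server's own connections."""
    return NAT_REVERSE.get(src_ip, src_ip)


def wan_allows(proto, dst_ip, dst_port):
    """True if a packet arriving on WAN matches one of the WAN rules."""
    dst = inbound_dst(dst_ip)
    return any(p == proto and d == dst and dst_port in ports
               for p, d, ports in WAN_RULES)


def parse_pasv(reply):
    """Return (advertised_ip, port) from a 227 passive-mode reply."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 reply: %r" % reply)
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (a, b, c, d), p1 * 256 + p2


def check_pasv(reply):
    """Explain why an external passive data connection would fail, or 'ok'."""
    ip, port = parse_pasv(reply)
    if ip != EXTERNAL_VIP:
        return "server advertises %s; external clients need %s" % (ip, EXTERNAL_VIP)
    if not wan_allows("tcp", ip, port):
        return "data port %d is outside the WAN rule range" % port
    return "ok"
```

The two failure cases check_pasv reports (a private address in the 227 reply, or a data port outside 30000-40000) are the usual reasons passive transfers through a 1:1 mapping stall on the data channel while the control channel on port 21 works.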



  • I'm using CARP 172.16.4.254/24 in my LAN for a failover firewall in the future. The real LAN IP is 172.16.4.252/24.
    I have two servers inside, and each external Virtual IP is mapped to only one machine.

    Sorry, typo, it is not "any" but "default" in the LAN rule.
    I have to restrict outgoing connections from my users, but no limit for the server.
    Trying to reset the LAN rule to default still won't increase outgoing traffic.

    Do you have any suggestions?  ??? ??? ???



  • You can also try to download a file from http://203.77.230.22/pure-ftpd-1.0.20.tar.gz or log in and download a file from ftp://203.77.230.22 (user: pfsense, pass: pfsense).

    It's very, very slow…  :( :( :(
    I've checked my ISP and they said my upstream traffic is almost empty.



  • After several resets to default and recreating the rule at the firewall,
    and also reconfiguring my FTP server settings, download/upload is running smoothly.

    thanks a lot…  :D :D :D

