  • Have a very strange problem.  New to pfSense, read the wiki and forums and got pfSense up and running with just the main IP number and it works great. Port forwarding works great.  I then set up my other 12 IP numbers as VIPs.  .98 - .110  I have .98 as the primary for the WAN.  I have 99 - 110 set up as VIP.

    I set up port forwards for various systems and assigned them to various VIPs.  I tried them from an outside connection and none of them worked. I tried them from a totally separate network and I tried from another Verizon FiOS connection (traceroute only 3 hops to the .98 address).

    Since the .98 address worked, I thought maybe I messed up something in the port forwards, so to test them, I changed the WAN address to .99 and tested and now .99 worked.  I did the same for .100, .101, .102, …110  I put it back to .98 for the WAN and now EVERYTHING was working perfectly.

    Then at midnight all of a sudden I got paged that nothing except .98 worked anymore.  In fact I was on an SSH connection through one of the VIPs and that disconnected right at midnight.

    I had to go to the office and set each VIP as the wan, ran a quick check by going to ad then flipping to the net ip number.  Now as I write this everything is working again.

    It is like the VIP only works if data is sent out that IP number and then for some reason seems to expire later on.

    Any suggestions?

  • What type of VIP do you use? Somehow it sounds as if the provider clears their ARP cache at midnight, and the IPs don't get added back to their router's ARP cache unless they see some traffic from these IPs. If that really is the case you could use advanced outbound NAT in combination with some keep-alive script running from one of your servers frequently to generate some traffic from the VIPs, but maybe using another type of VIP would already solve this.

  • They are all set up as proxy ARP.  And it just happened again, 6 hours from the last time I reset them.  The main address works, but the VIPs do not.  I had to go in and set each VIP as the primary WAN address, then hit the site which displayed the new WAN address, then everything started working again.

    I do have an outside monitoring server that checks at least one port on each of the VIPs, which I would have thought by making the connection would possibly keep things alive, but I guess I was wrong.

  • Try to set them up as CARP and see if that makes a difference. Please note that you have to specify the real subnet mask when using CARP instead of a /32 when using proxy ARP.

  • I changed them to CARP, it did not ask for subnet mask, it still had the /24 in there.  I have my timer started to see if things last more than 6 hours.

  • So far so good, things have not gone down since converting to CARP.

