Virtual IP addresses not working?

netsysadmin

Hello all,

My setup is as follows:
  WAN interface IP: .19/28
  Virtual IPs of type IP Alias on WAN: .20/28 up to .30/28

I was not sure whether to use a subnet mask of /32 or /28, but pfSense mentions that "This must be the network's subnet mask. It does not specify a CIDR range.".

I am port forwarding public IP .20 ports 80, 8080 and 8086 to an internal private IP.
NB: I've used one alias for all the ports 80, 8080 & 8086 in the port forwarding rule, ie, "Dest. ports" and "NAT Ports" fields are set to the alias name. Is this OK?

Now, the problem is that when someone tries to access these ports from outside, the ports seem to be closed (I used yougetsignal.com to test).
I did a packet capture on the WAN interface, but no interesting packet is seen.

Strangely, if I change the Virtual IP "Type" from "IP Alias" to "Other", the ports seem to become open.
However, after some time, they are again closed.

Can anyone help please?

Thanks in advance.

dotdash

For proxy-arps, use /32. I usually use alias vips for IP's that are not on the main subnet. Try using a CARP vip. Set the subnet mask to /28 to match the interface ip.

netsysadmin

Thanks for replying.

Any idea where I can find the exact differences between the different types of virtual IPs, ie, IP Alias vs CARP vs Proxy ARP vs Other?

Why do you think I need to use "Proxy ARP"?

The problem is that, as per the note at the bottom of the page, "Proxy ARP and Other type Virtual IPs cannot be bound to by anything running on the firewall, such as IPsec, OpenVPN, etc".

By "main subnet", do you mean the WAN subnet?

I'll try "Proxy ARP" and let you know if it works.

Thanks.

netsysadmin

Proxy ARP does not work.
I tried putting it back to "IP Alias" and setting the subnet mask to /32 and it is working.
But, as I mentioned before, I believe it will stop working after some time.

dotdash

The help from the vip page is pretty good: https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses%3F
Proxy-arps are easy, but I find CARP vips to be the most flexible.
Yes, I meant WAN subnet by 'main'.
If it stops working, that could be an upstream problem. But again, I would try with a CARP first if you have any issues.

netsysadmin

Sorry for the late reply.

I tried CARP, as you suggested, and again it works for a few minutes and then stops working again!

Any clue what could be happening?

Thanks

netsysadmin

Proxy ARP and "Other" do not work at all.

netsysadmin

I see messages like the following in the Systems >> General logs:
kernel: arp: XX:XX:XX:XX:XX:XX is using my IP address A.B.C.20 on re3_vlan77!

dotdash

There is a device with the same IP address on it as your firewall. Check the first half of the mac address against the IEEE list of assignments and find out what manufacturer is conflicting with your IP.
A device with the same IP would cause the issues you are describing.

netsysadmin

That was the problem.
However, it was actually a virtual IP address on the second pfSense box.
CARP was not configured yet.

Thank you.