Kernel: arp_rtrequest: bad gateway (and not just cosmetics..)
-
hello,
after spending the whole morning in fine-tuning and successfully setting up a 1:1 NAT for a DMZ ftp host with a CARP VIP on WAN (for ftp-helper compatibility), I had to reboot the firewall, and since then I couldn't bring it back working.I can just see connections are blocked (10.30.14.79 is the host in DMZ)
Proto Source -> Router -> Destination State
tcp 87.17.243.229:1275 -> 10.30.14.79:21 SYN_SENT:CLOSED
tcp 10.30.14.79:21 <- CARP_VIP_IP:21 <- 87.17.243.229:1275 CLOSED:SYN_SENTThe only error in the log (which never appeared before rebooting) is
kernel: arp_rtrequest: bad gateway CARP_VIP_IP (!AF_LINK)
traffic from WAN is enabled for * to 10.30.14.79:21 and pasv port range :5000-5499
tried deleting VIP and recreating, changing CARP vhid (who knows), changing VIP IP to another free IP I have, deleting all rules, deleting and recreating NAT 1:1, rebooting.. nothing, still cannot connect to VIP.thanks.
-
The ARP message is cosmetic and can be ignored. It's always there when using CARP. Maybe your upstream device is having issues with it's ARP-cache. Try rebooting it.
-
just noticed with ps aux | grep pftpx I have no ftp helper running for WAN address (the one where I created a VIP), while it's enabled in the interface properties page (checkbox not selected). don't know if I had it running before when all was ok.
does that mean something..?
-
The ARP message is cosmetic and can be ignored. It's always there when using CARP. Maybe your upstream device is having issues with it's ARP-cache. Try rebooting it.
ok, will try it tomorrow, I'm far away from the ISP router at the moment.
thanks -
This is a ftp server? You should start over und use the correct procedure:
- delete all firewallrules and nat rules that you have created for this server
- Create a CARP VIP
- enable the ftphelper at interface WAN
- create a portforward for the CARP VIP port 21 only
The ftphelper should now work and also take care of the passive port range of the server. No reason to forward that range manually now.
-
hoba, you fixed that all once again. ;)
don't know why it ever broke, but now it works, without forwarding anything but port 21.thank you very much!
-
:)