ARP/GARP issues when setting up outbound NAT to use multiple public IPs
-
My site includes 100 households sharing a fiber through PFSense. We currently have all general traffic NATed out to the single IP of the WAN interface. This works fine except we sometimes get problems on websites (like Google search or Craigslist) that complain about seeing too many requests from one IP; presumably they think our traffic is some kind of bot spamming them, and they cut us off.
Since I have some additional IP addresses available, I want to set up outbound NAT to use more than one public address for my outbound traffic (as described in the docs at https://doc.pfsense.org/index.php/Outbound_NAT).
I have tried several ways of creating an outbound address pool, including an alias and various flavors of Virtual IPs, but none of them work.
The problem, I think, is that my ISP uses Tellabs fiber termination equipment, and that is set to block traffic to/from any IP until it sees a properly configured ARP packet come from that IP.
When I select an IP address and use it as the address of the WAN interface, it works great. Presumably PFSense sends the proper ARP when the interface comes up.
However, if I instead set up a virtual IP to a similar address and tell my outbound NAT to use that, no traffic will pass, and it does not seem to send the proper ARP.
I found that I could do a hack to make an address work by first temporarily assigning it to the WAN interface and bringing it up (which satisfied the Tellabs equipment), then reverting the interface and setting the outbound NAT to use that address through a virtual IP.
But that approach seems destined to fail whenever the Tellabs equipment gets reset or decides the connection is stale and starts blocking traffic again. I have also tried using the arping package to manually send ARPs, but so far have not had success.
Is there any way to set up a pool of addresses that will work correctly in this scenario? I'm running PFSense 2.2.2 NanoBSD.
Thanks,
Jeff
-
You want IP alias type VIPs, those will behave the same as the WAN IP.
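Added example (editor's note; this is not code from either poster or from pfSense): the announcement that upstream equipment like the Tellabs box described in the first post waits for is a gratuitous ARP, an ARP request or reply whose sender and target protocol addresses are both the address being announced. An IP alias VIP is bound to the WAN interface, so the firewall's ARP stack answers requests for it and announces it the same way it does the interface's primary address, which is why the answer above prefers that VIP type. The Python below builds such frames, parses them, and, given a set of ARP frames, reports which pool addresses were never announced. The WAN MAC, the 203.0.113.0/24 addresses and the sample "capture" are constructed for the example.

```python
import struct
from typing import Dict, Iterable, List, Optional, Set

# Added example, not pfSense code: build and inspect the gratuitous ARP
# (GARP) frames a host emits to announce an address on its segment.

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6
ZERO_MAC = b"\x00" * 6

# Constructed sample values (assumptions for this example, not from the thread).
WAN_MAC = "00:11:22:33:44:55"
POOL = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(part) for part in ip.split("."))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def bytes_to_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(src_mac: str, sender_ip: str, target_ip: str, op: int = ARP_REQUEST,
              target_mac: bytes = ZERO_MAC, dst_mac: bytes = BROADCAST) -> bytes:
    """Generic Ethernet + ARP frame (42 bytes before padding)."""
    arp = ARP_HDR.pack(HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op,
                       mac_to_bytes(src_mac), ip_to_bytes(sender_ip),
                       target_mac, ip_to_bytes(target_ip))
    return ETH_HDR.pack(dst_mac, mac_to_bytes(src_mac), ETHERTYPE_ARP) + arp


def build_gratuitous_arp(src_mac: str, ip: str, op: int = ARP_REQUEST) -> bytes:
    """Gratuitous ARP: sender IP == target IP == our own address, so every
    listener learns that <ip> is reachable at <src_mac>. The RFC 5227
    'ARP Announcement' is the request form with an all-zero target MAC;
    the reply form carries the broadcast MAC as target."""
    tha = ZERO_MAC if op == ARP_REQUEST else BROADCAST
    return build_arp(src_mac, ip, ip, op=op, target_mac=tha)


def parse_arp(frame: bytes) -> Optional[Dict]:
    """Decode an Ethernet/ARP frame; None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        return None
    return {"op": op, "sha": bytes_to_mac(sha), "spa": bytes_to_ip(spa),
            "tha": bytes_to_mac(tha), "tpa": bytes_to_ip(tpa), "eth_dst": bytes_to_mac(dst)}


def is_gratuitous(arp: Dict) -> bool:
    return arp["op"] in (ARP_REQUEST, ARP_REPLY) and arp["spa"] == arp["tpa"]


def announced_ips(frames: Iterable[bytes], from_mac: str) -> Set[str]:
    """Addresses that <from_mac> announced with a gratuitous ARP in <frames>."""
    seen = set()
    for frame in frames:
        arp = parse_arp(frame)
        if arp and is_gratuitous(arp) and arp["sha"] == from_mac.lower():
            seen.add(arp["spa"])
    return seen


def unannounced_vips(frames: Iterable[bytes], wan_mac: str, vips: List[str]) -> List[str]:
    """Pool addresses that never went out in a GARP from the WAN MAC; these are
    the ones ARP-gated upstream gear would still refuse to pass traffic for."""
    seen = announced_ips(frames, wan_mac)
    return [v for v in vips if v not in seen]


def announce_pool(wan_mac: str, vips: List[str]) -> List[bytes]:
    """The frames a host should emit to announce every pool address."""
    return [build_gratuitous_arp(wan_mac, v) for v in vips]


# Constructed sample capture: .10 and .11 were announced, .12 never was, and
# an ordinary (non-gratuitous) request for the gateway .1 is mixed in.
CAPTURE = [
    build_gratuitous_arp(WAN_MAC, "203.0.113.10"),
    build_arp(WAN_MAC, "203.0.113.10", "203.0.113.1"),
    build_gratuitous_arp(WAN_MAC, "203.0.113.11", op=ARP_REPLY),
]

if __name__ == "__main__":
    print("never announced:", unannounced_vips(CAPTURE, WAN_MAC, POOL))
```

On the firewall itself the equivalent check is to run `tcpdump -ni <WAN interface> arp` while the VIP is added and confirm a request with matching sender and target addresses leaves the WAN port; `arp -an` then shows what the firewall's own cache holds. An "Other" type VIP is not bound to the interface and is neither announced nor answered, which matches the symptom in the first post.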
-
Thanks. And how do I make them an address pool?
Do I create an alias with each of the IPs in it and reference that in a single outbound NAT rule?
Or do I create a set of new outbound NAT rules, one for each VIP and reference the VIP in the Translation field?
Or something different?
Thanks,
Jeff