Netgate Discussion Forum

    ARP/GARP issues when setting up outbound NAT to use multiple public IPs

    Category: NAT
    3 Posts 2 Posters 955 Views
    • hefferbub

      My site includes 100 households sharing a fiber through PFSense.  We currently have all general traffic NATed out to the single IP of the WAN interface.  This works fine except we sometimes get problems on websites (like Google search or Craigslist) that complain about seeing too many requests from one IP–presumably they think our traffic is some kind of bot spamming them, and they cut us off.

      Since I have some additional IP addresses available, I want to set up outbound NAT to use more than one public address for my outbound traffic (as described in the docs at https://doc.pfsense.org/index.php/Outbound_NAT).

      I have tried several ways of creating an outbound address pool, including an alias and various flavors of Virtual IPs, but none of them work.

      The problem, I think, is that my ISP uses Tellabs fiber termination equipment, and that is set to block traffic to/from any IP until it sees a properly configured ARP packet come from that IP.

      When I select an IP address and use it as the address of the WAN interface, it works great.  Presumably PFSense sends the proper ARP when the interface comes up.

      However, if I instead set up a virtual IP to a similar address and tell my outbound NAT to use that, no traffic will pass; it does not seem to send the proper ARP.

      I found that I could do a hack to make an address work by first temporarily assigning it to the WAN interface and bringing it up (which satisfied the Tellabs equipment), then reverting the interface and setting the outbound NAT to use that address through a virtual IP.

      But that approach seems destined to fail whenever the Tellabs equipment gets reset or decides the connection is stale and starts blocking traffic again. I have also tried using the arping package to manually send ARPs, but so far have not had success.

      Is there any way to set up a pool of addresses that will work correctly in this scenario?  I'm running PFSense 2.2.2 NanoBSD.

      Thanks,

      Jeff

      • cmb

        You want IP alias type VIPs, those will behave the same as the WAN IP.

        • hefferbub

          Thanks.  And how do I make them an address pool?

          Do I create an alias with each of the IPs in it and reference that in a single outbound NAT rule?

          Or do I create a set of new outbound NAT rules, one for each VIP and reference the VIP in the Translation field?

          Or something different?

          Thanks,

          Jeff

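The follow-up question (how IP alias VIPs become an address pool) is not answered in the thread. The following is an added example, not from the original posts or from Netgate, showing what the configuration looks like at the pf level, i.e. the rule pfSense generates from the GUI settings. All addresses are placeholders: WAN is em0 with 203.0.113.10/24 and gateway 203.0.113.1, the extra public addresses are 203.0.113.11 through 203.0.113.13 (RFC 5737 documentation range), the LAN is 10.0.0.0/8, and "PublicPool" is an assumed alias name.

```pf
# Added example (not from the thread). Placeholder addresses from RFC 5737.
#
# 1. Firewall > Virtual IPs: add one VIP of type "IP Alias" per extra public
#    address on WAN (203.0.113.11/32, 203.0.113.12/32, 203.0.113.13/32).
#    pfSense configures each as a real interface address, equivalent to:
#      ifconfig em0 inet 203.0.113.11 netmask 255.255.255.255 alias
#    Being interface addresses, they get a gratuitous ARP when added and
#    answer the upstream gateway's who-has exactly like the primary WAN
#    address, so no "temporarily assign it to WAN" workaround is needed.
#
# 2. Firewall > Aliases: create a Host(s) alias (here "PublicPool") that
#    lists the three VIP addresses.
#
# 3. Firewall > NAT > Outbound (Hybrid or Manual mode): one rule for the LAN
#    source, Translation address = the alias, Pool Options =
#    "Round Robin with Sticky Address". pfSense expands that into a pf nat
#    rule like the one below (visible in /tmp/rules.debug):

nat on em0 inet from 10.0.0.0/8 to any -> { 203.0.113.11, 203.0.113.12, 203.0.113.13 } port 1024:65535 round-robin sticky-address

# round-robin spreads new connections across the pool; sticky-address pins
# each internal source address to the public address it was first given,
# so a household's sessions do not hop between public IPs mid-session
# (sites that tie a login or rate-limit bucket to the client IP notice that).
# Drop sticky-address only if per-connection rotation is actually wanted.
#
# Check that ARP is really answered for a pool address, from the pfSense
# shell, while a LAN host generates traffic:
#   tcpdump -ni em0 arp and host 203.0.113.11
# You should see replies to the gateway's "who-has 203.0.113.11" coming
# from em0's MAC; if none appear, the VIP is not of type IP Alias.
```

Of the VIP types pfSense offers, IP Alias and CARP are interface addresses that answer ARP themselves (CARP with a virtual MAC), Proxy ARP answers only through a user-space responder, and "Other" never answers ARP; only the first two behave like the WAN address for upstream equipment that gates on ARP.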
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.