Extra public IPs not working
I may be having the same (or a similar) issue. Running nanoBSD pfSense 2.2.3 64-bit.
Have Verizon Business Fios with a block of 5 static IPs.
I have 3 of them pointed at 3 servers in my DMZ (172.19.69.0/24) using 1:1 NAT.
I have a WAN firewall rule that allows traffic to the DMZ…
...and a DMZ firewall rule that allows traffic to anything except the LAN.
This exact configuration (different ISP and IPs) works at my office. However, here at my house, it isn't working.
I can access the servers in the DMZ (172.19.69.0/24) directly from my LAN (10.19.69.0/24).
I can access the public static IPs from my LAN successfully using NAT reflection.
But there's no response at all when accessing the public static IPs from the outside world.
I tried running a packet capture on the public static IPs from the WAN interface, but it doesn't show any packets captured.
The weirdest part is that I can plug my laptop directly into the fiber ONT (bypassing pfsense) and talk successfully on any of the public static IPs. Any ideas?
Split this into its own topic. It sounds like the same root cause in that your modem/next hop router isn't sending you the traffic, but there are a wide range of reasons that could occur.
Did you add IP alias type virtual IPs for the public IPs? I'm guessing that's probably not the issue given you see nothing at all on WAN for those IPs, and without VIPs you'd see repeated ARP requests for those IPs and it sounds like that's not the case.
Since you plugged in another device on those IPs, your Fios modem/router likely is hanging onto those MACs. Power cycling it, after disconnecting anything else with those public IPs assigned, likely will suffice.
After a good night's rest, I actually came to the same conclusion.
And you're absolutely right, it was the virtual IPs. :) Problem is solved! Thanks!
Strangely enough, at my work on a different ISP, the virtual IPs weren't required (which is what is most confusing about this config).
Even stranger is that I plugged my laptop into the WAN my older cisco router (that was working), pinged the public static IPs, then checked the ARP table only to find that all static IPs had the same MAC address…very strange. I don't understand how that worked.
Anyway, color me slightly confused, but I'm grateful that the current pfSense box is working.
Whether or not VIPs are required depends on your ISP's setup. If they're routing them to you, no need for VIPs. Where you must answer ARP on them, you must have a VIP type that answers ARP. Where you have multiple aliases on the same device, they all show up as the same MAC. Outside of circumstances like CARP, VRRP, and HSRP that use virtual MACs, there is only one MAC on a given interface and all the IPs on that interface use it.