ARP problems
-
The pfSense box is set up the following way:
em0 = WAN (82.36.115.86)
em1 = LAN (192.168.1.1)
My LAN nodes = 192.168.1.2, 192.168.1.3
Before I log into the WebGUI I ping all the IPs above and they all respond.
While in the WebGUI I have successfully set up the NAT port forwarding for 1.2 & 1.3 and used the auto firewall config at the bottom to set up rules.
Both IPs were forwarding and working fine; 1.3 is a WinXP box and I was able to browse the web perfectly with Firefox.
After about 5 minutes the WebGUI timed out and I couldn't access the WebGUI.
So I go to the pfSense box and at Shell (#8) I check ipconfig and all the settings are correct for the interfaces. I try to ping the IPs on my LAN and nothing.
I can ping google.com fine and other WAN IPs around me just fine.
Now… when I happened to look at arp -a I would see the 2 internal IPs (1.2 & 1.3) sitting there with a at the beginning, then the IP and then the MAC addy.
OK, so I did arp -d 192.168.1.2 & arp -d 192.168.1.3 (Arp entry deleted)
and POWWWW they are both pingable and my WebGUI is up.
Now this doesn't last long, as after 5 minutes it dies again and I have to do the same thing.
Any ideas?
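A way to record what the ARP table held before running arp -d, so that the entry that stopped working can be compared with the one that works. This is an added example and not part of the original post; the function name `arp_diff` is hypothetical, the snapshots are constructed sample data, and it assumes the FreeBSD `arp -a` line layout (`? (ip) at mac on ifname ...`).

```shell
#!/bin/sh
# Compare two `arp -a` snapshots and report entries whose MAC or interface
# changed, or that no longer resolve. On the firewall, capture them with:
#   before=$(arp -an)   # while the LAN hosts still answer
#   after=$(arp -an)    # once they stop answering, before any `arp -d`

# Constructed sample: table while both LAN hosts respond.
snap_good='? (192.168.1.1) at 00:1b:21:aa:aa:01 on em1 permanent [ethernet]
? (192.168.1.2) at 00:0c:29:bb:bb:02 on em1 expires in 1187 seconds [ethernet]
? (192.168.1.3) at 00:0c:29:cc:cc:03 on em1 expires in 1190 seconds [ethernet]'

# Constructed sample: table after the hosts became unreachable.
snap_bad='? (192.168.1.1) at 00:1b:21:aa:aa:01 on em1 permanent [ethernet]
? (192.168.1.2) at 00:0c:29:dd:dd:09 on em1 expires in 1102 seconds [ethernet]
? (192.168.1.3) at (incomplete) on em1 expired [ethernet]'

arp_diff() {
  # $1 = earlier snapshot text, $2 = later snapshot text
  {
    printf '%s\n' "$1" | sed 's/^/A /'   # tag lines from the earlier snapshot
    printf '%s\n' "$2" | sed 's/^/B /'   # tag lines from the later snapshot
  } | awk '
    NF < 7 { next }                      # skip blank or unrecognised lines
    {
      # Fields after tagging: tag ? (ip) at mac on ifname ...
      ip = $3; gsub(/[()]/, "", ip)
      mac = $5; ifn = $7
      if ($1 == "A") { amac[ip] = mac; aif[ip] = ifn; next }
      if (!(ip in amac)) { print "NEW " ip " " mac " " ifn; next }
      if (mac == "(incomplete)") {
        print "UNRESOLVED " ip " was " amac[ip]
      } else if (mac != amac[ip]) {
        print "MAC_CHANGED " ip " " amac[ip] " -> " mac
      }
      if (ifn != aif[ip]) { print "IF_CHANGED " ip " " aif[ip] " -> " ifn }
    }'
}

arp_diff "$snap_good" "$snap_bad"
```

A MAC_CHANGED line means a different device is now answering for that IP; UNRESOLVED means the host stopped replying to ARP requests at all.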
-
While in the Webgui i have sucessfully setup the NAT Portforwarding for 1.2 & 1.3 and used the auto Firewall config at bottom to setup rules.
Both IP's were forwarding and working fine, 1.3 is a winxp box and i was able to browse the web perfectly with firefox.
To me this sounds like you could have misunderstood how pfSense works. You don't need to create port forwards to get access to the Internet. If you boot from the live CD and only assign WAN and LAN, then your clients (if set to get an IP from DHCP) should be able to connect to the Internet.
-
I need to have static IPs for my internal network, as I have some processes that will not work with DHCP. The risk of losing a given IP due to lease renewal or some other circumstance would corrupt my work. These internal IPs need to have static addresses.
The way I understood it from the install is that I can assign WAN a static IP and LAN a static IP as well,
and any IPs on the LAN would have to be NAT'd in order for them to access and communicate with other servers on the net.
So I did this and it worked.
The only problem is that my LAN 192.168.1.3 and 192.168.1.2 die out on me after 5 min. The only way I can get it back is if I do
arp -d 192.168.1.2
arp -d 192.168.1.3
Then I can ping them and access the WebGUI @ 192.168.1.1 through Firefox on 192.168.1.3
-
To eliminate hardware problems: boot pfSense from the live CD and let a client boot from an Ubuntu live CD.
If OK:
Boot pfSense with your current config and let a client boot from an Ubuntu live CD.
If OK:
Boot pfSense with your current config and use your WinXP client.
etc.
Basically, locate the source causing the problem.
-
Ok, so here's my follow up to the issue. Here is the setup:
–-------------------------
(Internal Nodes)-----|48port switch|--------<---------------------- Pfsense box----------------------->--------------|48port switch|-----|External Public IP's--------->(192.168.2-7)-------|SWITCH|--------------LAN(em2)192.168.1.1--|----------|-82.46.115.82(em0)WAN-------------|SWITCH|-----------(82.46.115.1-255)
I was able to set up the internal interface em2 as 192.168.1.1 and the external interface em0 as 82.46.115.82.
All the private IPs need to have ssh, http, and https enabled.
Which would be a better approach:
- NAT --> 1:1 --> ProxyARP with --> outbound NAT and all the proper rules that will forward traffic from external to internal interface.
or
- NAT --> Port forward using a single WAN interface address but different ports.
a) Can all the internal clients have ssh, http, and https access from a single interface?
Hopefully this helps, let me know if there is anything I can add.