Topic: We have a strange issue with 1 public IP while moving from 1.2.3 to 2.0.1.

itmanager
We have been running pfSense for several years on a hardware firewall, version 1.2.3 - working great, love it!  We recently built a 2.0.1 box in ESXi 5, so far so good.  The problem is there is one public IP which was set up as a CARP interface on the old box which is not working on the new box.  It's as if the traffic is going into a black hole... let me explain:

public IP >> 1.2.3 (CARP virtual interface) >> firewall rules >> DMZ host << this setup works fine.
public IP >> 2.0.1 (proxy ARP interface) >> ??  << it appears to stop, as if the virtual IP traffic is not making it to the firewall; I can't ping it, nor can I use SSH, FTP, HTTP or HTTPS even though the rules are configured for it to work and the rules are set up correctly.  Nothing in the log indicates it's blocked - however nothing in the logs indicates it's arriving either...

Now, if I change the one-to-one NAT to any other public IP, it works fine.  This is one of 30 public IPs that we have assigned and this is the only one that doesn't work.  The only difference going from 1.2.3 to 2.0.1 is the proxy ARP setting.  I set up the 2.0.1 server with proxy ARP but that doesn't work either (black hole).  I did not have time to test the 'bad' public IP going to a different internal IP but was wondering if anybody has experience with moving a proxy ARP interface from a 1.2.3 box to a 2.0.1 box.  I can't explain why it's not working.  Every other rule, virtual IP, route, etc. is working fine.  I'd change the public IP for the host, but it's doing FTP and we have a number of clients who would also have to change so that's not going to be easy.

cmb (Chris Buechler, Administrator)
CARP IP will have a different MAC than proxy ARP, you're probably hitting a stale ARP cache upstream that you'll have to clear so it stops sending to the CARP MAC.
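
A CARP VIP answers ARP with the well-known virtual MAC 00:00:5e:00:01:&lt;VHID&gt;, while a Proxy ARP VIP answers with the interface's own MAC, so after the migration an upstream router can keep forwarding frames for that one IP to a MAC nobody owns any more, which is exactly the black hole described above. The following script is an added example, not code from the thread or from pfSense: it parses `arp -an` style output (a constructed sample for the upstream router is embedded, with documentation-range IPs and made-up MACs) and reports every public IP whose cached MAC does not match the MAC that should now be answering, calling out entries that are still the old CARP virtual MAC. The function and variable names (`carp_mac`, `find_stale_entries`, `NEW_WAN_MAC`, `EXPECTED`) are assumptions of this example.

```python
"""Spot stale upstream ARP entries after moving a public IP off a CARP VIP.

Added example for the thread above; the sample ARP table and MACs are
constructed, not taken from any real device.
"""
import re

# CARP (like VRRP) answers ARP for a VIP with a virtual MAC whose last
# octet is the VHID. An upstream cache that still holds such a MAC for
# an IP now served by a plain interface MAC is the stale entry in question.
CARP_MAC_PREFIX = "00:00:5e:00:01:"

# Matches both FreeBSD and Linux `arp -an` output, e.g.
#   ? (203.0.113.5) at 00:00:5e:00:01:07 on em0 expires in 1184 seconds [ethernet]
#   ? (203.0.113.5) at 00:00:5e:00:01:07 [ether] on eth0
# Incomplete entries ("at (incomplete)") deliberately do not match.
_ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at (?P<mac>[0-9a-fA-F:]{17})"
)


def carp_mac(vhid: int) -> str:
    """Return the virtual MAC a CARP VIP with this VHID answers ARP with."""
    if not 1 <= vhid <= 255:
        raise ValueError("VHID must be between 1 and 255")
    return f"{CARP_MAC_PREFIX}{vhid:02x}"


def is_carp_mac(mac: str) -> bool:
    """True if the MAC belongs to the CARP/VRRP virtual range."""
    return mac.lower().startswith(CARP_MAC_PREFIX)


def parse_arp_table(text: str) -> dict:
    """Map IP -> lowercased MAC for every resolved entry in `arp -an` output."""
    table = {}
    for line in text.splitlines():
        m = _ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def find_stale_entries(table: dict, expected: dict) -> list:
    """Return (ip, cached_mac, expected_mac, note) for each mismatched IP.

    `expected` maps each public IP to the MAC that should answer for it
    after the migration; IPs absent from the cache are not reported.
    """
    stale = []
    for ip, want in expected.items():
        have = table.get(ip)
        if have is None or have == want.lower():
            continue
        if is_carp_mac(have):
            note = "cached MAC is a CARP virtual MAC (old VIP); clear the entry upstream"
        else:
            note = "cached MAC differs from the expected interface MAC"
        stale.append((ip, have, want.lower(), note))
    return stale


# Constructed sample: the upstream router's ARP table after the move.
# 203.0.113.5 still points at the old CARP MAC (VHID 7); .6 is already correct.
SAMPLE_ARP = """\
? (203.0.113.1) at 00:11:22:33:44:55 on em0 permanent [ethernet]
? (203.0.113.5) at 00:00:5e:00:01:07 on em0 expires in 1184 seconds [ethernet]
? (203.0.113.6) at 00:0c:29:ab:cd:ef on em0 expires in 900 seconds [ethernet]
? (203.0.113.9) at (incomplete) on em0 expired [ethernet]
"""

# Constructed: WAN interface MAC of the new box, which Proxy ARP answers with.
NEW_WAN_MAC = "00:0c:29:ab:cd:ef"
EXPECTED = {"203.0.113.5": NEW_WAN_MAC, "203.0.113.6": NEW_WAN_MAC}

if __name__ == "__main__":
    for ip, have, want, note in find_stale_entries(parse_arp_table(SAMPLE_ARP), EXPECTED):
        print(f"{ip}: cached {have}, expected {want} ({note})")
```

On a real migration the input would be the `arp -an` output captured on the upstream router rather than the constructed sample, and `EXPECTED` would list every moved VIP against the new WAN interface MAC; a hit on the CARP prefix tells you the upstream cache, not the firewall rules, is what still needs attention.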

itmanager
That makes perfect sense and confirms a couple of suspicions...  I need to work out the best way to test this out so I'll post an update in the next few days.  Thanks for the info!

itmanager
It appears to have been ARP - pointing out that the CARP interface had a different MAC was the key - thank you so much!