Hi all,

We've recently implemented a pfSense firewall to replace our old
firewalls (1 WatchGuard FireBox III and 1 M0n0wall). We are, however, having
some issues with the new firewall; our topology is presented below (excuse
the dodgy ASCII art; if you can't read it, copy it into Notepad or similar):

        ADSL2          ADSL2
          |              |
          |              |
     +---------+    +----------+
     | Linksys |    |  D-Link  |
     |  AM300  |    | DSL-504G |
     +---------+    +----------+
         \              /x.x.208.65/29
          \            /
           \          /
 WAN (PPPoE)\        / WAN2 (OPT2)
x.x.184.47/32\      /  x.x.208.69/29
          +----------+
          | pfSense  |
          | Firewall |
          +----------+
10.0.0.254/24/      \ 192.168.10.254/24
         LAN/        \DMZ (OPT1)
           /          \
          /            \
     +----------+   +---------+
     | Internal |   | DMZ LAN |
     |   LAN    |   |         |
     +----------+   +---------+

Both WAN links have external Static IPs, each also has a public /29
associated with it, for this query the only one we're interested in is
x.x.208.64/29.

WAN is the internet feed for the office, WAN2 is dedicated to providing
connectivity for the servers in the DMZ.

We need to NAT several systems in the DMZ to several of the public IPs, this
requires that x.x.208.66-70 all be assigned to the WAN2 interface.

I'd initially set up Proxy ARP Virtual IPs for 66, 67, 68 & 70 (as /32 mappings,
as they are single addresses being mapped). My initial testing involved
connecting a machine to the DMZ interface on pfSense (with all the relevant
IPs set up as aliases on its network adapter) and connecting another machine to
the WAN2 interface (with its IP set as x.x.208.65). I set up netcat
listeners on the appropriate ports & IPs on the machine attached to DMZ and
confirmed that I could connect from the laptop attached to WAN2 (x.x.208.65)
to all the mapped ports/IPs; all worked 100%.

We put it in production, initially cutting over just WAN and LAN, after some
minor teething difficulties (the link took a long time to come up).

Next step we cut over WAN2 and DMZ. All the NAT mappings from x.x.208.69 (the
interface IP) worked 100%; none of the other mappings worked (all set up as
Proxy ARP x.x.208.y/32).

In an attempt to diagnose the fault I tcpdump'ed the WAN2 interface and
watched a connection attempt from outside, I saw x.x.208.65 posting ARP
requests for x.x.208.70 but I saw no replies.

I switched one of the mappings over to CARP. That seemed to work, but the
machine started spontaneously rebooting when I added a second CARP mapping;
I switched both mappings back to Proxy ARP and the reboots stopped.

Any suggestions would be greatly appreciated.

Where can I find functional descriptions of CARP/Proxy ARP/other mappings
(or better yet, a comparison of them)?

Thanks,

Morgan
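An added diagnostic helper, not part of the original post or of pfSense: it parses the output of a `tcpdump -n arp` capture on the WAN2 interface and reports which virtual IPs the upstream router asked for but never received an answer to, which is the symptom described above. The capture lines and the 203.0.113.64/29 addresses are constructed stand-ins for the real x.x.208.64/29.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -ni <wan2> arp` output, modelled on the
# symptom in the post: the upstream router (.65) asks for each Proxy ARP VIP,
# but only some addresses are ever answered.  203.0.113.64/29 is a
# documentation range standing in for the real x.x.208.64/29.
SAMPLE_CAPTURE = """\
10:15:01.000123 ARP, Request who-has 203.0.113.69 tell 203.0.113.65, length 46
10:15:01.000456 ARP, Reply 203.0.113.69 is-at 00:0c:29:aa:bb:cc, length 28
10:15:02.100123 ARP, Request who-has 203.0.113.70 tell 203.0.113.65, length 46
10:15:03.100123 ARP, Request who-has 203.0.113.70 tell 203.0.113.65, length 46
10:15:04.200123 ARP, Request who-has 203.0.113.66 tell 203.0.113.65, length 46
10:15:05.300123 ARP, Request who-has 203.0.113.68 tell 203.0.113.65, length 46
10:15:05.300300 ARP, Reply 203.0.113.68 is-at 00:0c:29:aa:bb:cc, length 28
"""

# The virtual IPs the firewall is expected to answer for (assumed set,
# mirroring the .66/.67/.68/.70 mappings in the post).
VIPS = ["203.0.113.66", "203.0.113.67", "203.0.113.68", "203.0.113.70"]

# tcpdump's default (non -e) ARP line formats.
REQUEST_RE = re.compile(r"ARP, Request who-has (\S+) tell (\S+),")
REPLY_RE = re.compile(r"ARP, Reply (\S+) is-at (\S+),")


def arp_audit(capture, vips):
    """Return {vip: (requests_seen, replies_seen)} for each expected VIP."""
    requests = defaultdict(int)
    replies = defaultdict(int)
    for line in capture.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            requests[m.group(1)] += 1
            continue
        m = REPLY_RE.search(line)
        if m:
            replies[m.group(1)] += 1
    return {ip: (requests[ip], replies[ip]) for ip in vips}


def unanswered_vips(capture, vips):
    """VIPs that were asked for at least once but never answered: the
    addresses whose Proxy ARP (or CARP) entry is not actually being served."""
    return [ip for ip, (req, rep) in arp_audit(capture, vips).items()
            if req > 0 and rep == 0]
```

A VIP that shows `(0, 0)` was never even requested, which points at the upstream router rather than the firewall; `(n, 0)` with n > 0 is the firewall failing to answer.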
