 karlc join:2002-01-17 La Mesa, CA | Additional IPs connections drop after 1 hour
Due to power supply problems I recently changed from a Broadmax modem to Comtrend on my DSLX service. The Broadmax worked fine for years. With the Comtrend (bridge mode), connections to the main static IP on my account are fine, but connections to the additional IPs (I have 8 total) stop after exactly 1 hour. Was using Ipcop as the firewall/router with the Broadcom. I've tried Ipcop and pfsense as the firewall/router but neither works with the Comtrend.
An easy way to tell when the connection stops is when firewall hits to the additional IPs stop. I'm also not able to ping or connect to my servers on those IPs from elsewhere on the Internet.
I'm not sure exactly what gets the additional IPs working again. It might be outgoing web traffic. It might be ARP traffic. Don't know, but once working, it only lasts for 1 hour.
Any ideas? Thanks in advance for any suggestions. |
|
 dslx_nick Premium join:2011-12-24 Chatsworth, CA kudos:20 | Hmmm.
DHCP IP leases are usually done on an hourly basis - as long as you're still using the connection, the IP refreshes itself for another hour, seamlessly. However, you're discussing static IPs... and it sounds like those static IPs ARE in use by devices (servers)... Did nothing else change? You weren't seeing these same disconnections with the Broadmax modem?
As noted, the Comtrend is in Bridge mode, which means it should have no bearing on what you're doing with the connection; all data should pass through and be handled by the device (typically a PC or router) after it. |
|
 karlc join:2002-01-17 La Mesa, CA | Thanks for the comments.
The Broadmax didn't have this problem, and nothing else was changed. All I initially did was unplug one modem and plug in the other. And an hour later it wasn't working.
I'm going to look with tcpdump on the firewall to see if there is any unusual traffic when it stops (DHCP, etc).
I'm up for any testing you can think of. |
|
 dslx_nick Premium join:2011-12-24 Chatsworth, CA kudos:20 | Honestly, the simplest test I can think of is to see what happens if you take the static IP which is working, and assign it to a different device - and take the IP which used to be assigned to that second device, and assign it to the original device. Does the non-connectivity follow the IP?
Send me an IM with your account info, and which IP seems to be the 'stable' one, when you get a chance. |
|
 karlc join:2002-01-17 La Mesa, CA 1 edit | In my case the only connection to the modem is the pfsense router. It's configured with one WAN address and IP aliases for the rest of the public IPs. This is the setup which worked with the old modem.
It seems whatever is configured as the WAN address in the router is stable, and whichever ones are configured as IP aliases drop after 1 hour.
I usually use x.x.x.91 as the WAN address of the router, with all the others as IP aliases. The WAN address is the stable one, and the others drop. As a test I changed the WAN IP to x.x.x.93, and that one became the stable one. IP x.x.x.91 (an IP alias) dropped after 1 hour, even though there was web traffic on it every 5 minutes or so.
I found I can reset the connections to working (for an hour) by unplugging and plugging back in the Ethernet cable on the modem. |
|
 dslx_nick Premium join:2011-12-24 Chatsworth, CA kudos:20 | Thinking about this for a bit... the fact that the non-connectivity did not follow the IP, would suggest it has something to do with the pfsense box itself not properly running 'keep alive' settings for the aliases.
You mentioned there was traffic on the alias every 5 min or so - outbound or inbound? If it's just some external IP which is pinging that .91 IP every few minutes, that's not the .91 IP itself initiating traffic - so I wouldn't be that surprised if it dropped out after an hour.
On the other hand, if the .91 IP is actually initiating traffic every few minutes and it's still dropping... that'd be very odd indeed. |
|
 dslx_nick Premium join:2011-12-24 Chatsworth, CA kudos:20 | »blog.pfsense.org/?p=712 - this was posted just this past Sun. Any chance your pfsense got updated to 2.1-Release? |
|
 karlc join:2002-01-17 La Mesa, CA | Thanks for the ideas, and all your help.
I did upgrade to 2.1. Was there something you saw that would make a difference?
The 'every 5 minute' traffic is outbound, done by a cron job, initiating a connection and uploading content to a remote web server. As a test, I set up a cron job to make outgoing connections every 5 minutes from 4 of the IPs. After one hour all of the IP aliases stopped connecting. The main IP was still fine.
Do you have an idea of where the connection is being dropped?
Are there other users you know of who have a similar setup, bridged modem with linux firewall/router? Curious if others use IP aliases like I am, or 1:1 NAT, multiple routers, etc? |
|
 dslx_nick Premium join:2011-12-24 Chatsworth, CA kudos:20 | No, I don't use pfsense myself - just wondering if the update broke something or reset some setting you had previously configured. Is it possible to roll it back to the previous version?
While some of our users might use IP aliases, I don't know of any such offhand, myself. |
|
 karlc join:2002-01-17 La Mesa, CA | I had the same problem in the previous version of pfsense (2.0.3). I just did the upgrade in case it would make a difference. It didn't. |
|
 karlc join:2002-01-17 La Mesa, CA | reply to dslx_nick
I put in a hack and so far it's working (4 hours now). It seems that probably the gateway is dropping the connection to any of my IPs after an hour if it doesn't see any arp requests from it. Pfsense sends arp requests from the main IP (x.x.x.91) every 20 minutes. For the alias IPs, it sends out an arp request at initial connection, but not after that. I set up a cron job in pfsense to send arp requests from each additional IP every 20 minutes, and that's working.
I assume it's the gateway that's the problem, not the modem. If it is, is there a way to set its arp table timeout for client IPs to infinite? |
|
 dslx_nick Premium join:2011-12-24 Chatsworth, CA kudos:20 | Been looking into this... but so far, nope. Appears to be a set, hardcoded 1-hour lease since last arp, not something that can be individually customized. Still looking though. |
|
 karlc join:2002-01-17 La Mesa, CA | Thanks for looking. I didn't think it would be possible.
My 'fix' isn't working so well now... all the alias IPs are up but the main IP is down. Probably something with my fix the DSLX router doesn't like. Have to check later.
Thanks again. K |
|
 dslx_nick Premium join:2011-12-24 Chatsworth, CA kudos:20 | Ok, so after getting more information about how that part of our back-end works...
*DHCP* leases are hard-coded 1-hour leases, set to auto-renew if the connection is being used.
Static connections, on the other hand, don't work like that. We automatically send all relevant traffic to you (in this case, to your router), for all of your IPs.
Your router is then responsible for sorting that and basically shouting out, "Mail call! Who's got IP x.x.x.x?". The computer on your end claiming that IP should then speak up and claim the data.
So... very simply, either your router isn't speaking up and telling the computers that data is arriving for them, or the computers aren't talking to the router requesting it. At this point, I suspect it's something misconfigured in pfsense, but as I don't use that I can't advise too much regarding that, sorry.  |
|
 karlc join:2002-01-17 La Mesa, CA | Thanks for all the work. I really do appreciate it.
I have used tcpdump on the WAN side of pfsense, and it sees traffic addressed to all the IPs, up until the timeout occurs. Then nothing except to the .91 address. Well, for now it's all working... as long as I have pfsense issue arp requests on its WAN interface every so often, from each of the IPs.
Thanks again. I'll ask about this on the pfsense forum, and post back if I find out more. K. |
|
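Added example, not part of any post in this thread: a small Python script that applies the tcpdump check described above, reporting which local IPs stopped receiving inbound traffic and how long after their last ARP request that happened. The capture lines, the 203.0.113.x addresses (standing in for the elided x.x.x.91 and an alias), the gateway address and the `quiet` threshold are all constructed assumptions.

```python
import re

# Constructed sample of `tcpdump -tt -n` output on the firewall's WAN interface.
# Assumed addresses: 203.0.113.91 = WAN address, 203.0.113.92 = IP alias,
# 203.0.113.1 = ISP gateway. None of these values come from the thread.
SAMPLE = """\
1380000000.000000 ARP, Request who-has 203.0.113.1 tell 203.0.113.91, length 28
1380000000.000000 ARP, Request who-has 203.0.113.1 tell 203.0.113.92, length 28
1380000010.000000 IP 198.51.100.7.40000 > 203.0.113.92.80: Flags [S], length 0
1380001200.000000 ARP, Request who-has 203.0.113.1 tell 203.0.113.91, length 28
1380003300.000000 IP 203.0.113.92.50000 > 198.51.100.9.80: Flags [S], length 0
1380003590.000000 IP 198.51.100.7.40001 > 203.0.113.92.80: Flags [S], length 0
1380003600.000000 ARP, Request who-has 203.0.113.1 tell 203.0.113.91, length 28
1380003700.000000 IP 198.51.100.7.40002 > 203.0.113.91.80: Flags [S], length 0
1380005000.000000 IP 198.51.100.7.40003 > 203.0.113.91.80: Flags [S], length 0
"""

ADDR = r"(\d+\.\d+\.\d+\.\d+)"
IP_RE = re.compile(r"^(\d+\.\d+) IP " + ADDR + r"(?:\.\d+)? > " + ADDR + r"(?:\.\d+)?:")
ARP_RE = re.compile(r"^(\d+\.\d+) ARP, Request who-has \S+ tell " + ADDR + ",")

def summarize(capture, local_ips):
    """Per local IP: time of last inbound packet and of last ARP request it sent."""
    stats = {ip: {"last_in": None, "last_arp": None} for ip in local_ips}
    end = None
    for line in capture.splitlines():
        ip_m, arp_m = IP_RE.match(line), ARP_RE.match(line)
        if not (ip_m or arp_m):
            continue  # not an IPv4 packet or an ARP request
        end = float((ip_m or arp_m).group(1))
        if ip_m and ip_m.group(3) in stats:      # destination is one of ours
            stats[ip_m.group(3)]["last_in"] = end
        elif arp_m and arp_m.group(2) in stats:  # ARP request sent by one of ours
            stats[arp_m.group(2)]["last_arp"] = end
    return stats, end

def stalled(capture, local_ips, quiet=600):
    """IPs with no inbound packet in the last `quiet` seconds of the capture,
    mapped to seconds between their last ARP request and last inbound packet."""
    stats, end = summarize(capture, local_ips)
    out = {}
    for ip, s in stats.items():
        if s["last_in"] is None or end - s["last_in"] > quiet:
            known = s["last_in"] is not None and s["last_arp"] is not None
            out[ip] = s["last_in"] - s["last_arp"] if known else None
    return out

if __name__ == "__main__":
    print(stalled(SAMPLE, ["203.0.113.91", "203.0.113.92"]))
```

In the constructed capture the alias keeps sending outbound traffic but goes quiet inbound just under an hour after its only ARP request, while the address that repeats its ARP requests stays reachable.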