 
 From:  "Marty Zigman" <marty dot zigman at prolecto dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Dropped Connection on Additional / Multiple WAN IP Addresses
 Date:  Thu, 4 Jan 2007 10:33:48 -0800
Hello,

First, I want to say I am very enthusiastic about the MonoWall product
and I am appreciative of all the energy that has gone into it!

My goal is to simply set up multiple IP addresses on WAN and be able to
NAT them to my private IP space on LAN.  My ISP gives me the following
static block: 72.35.231.160/28.  I have set up 72.35.231.171 to be the
primary address with a /28 definition.  I set up my gateway to be
72.35.231.161.  All traffic goes through NAT as expected.
 
I want to NAT 72.35.231.163 to my private network on LAN.  I go to
Server NAT and add an additional external address for 72.35.231.163.  I
then create my NAT rule against the 72.35.231.163 address.  Sure enough,
I can connect to my service in the private network but only for about 30
seconds.  If I try to reconnect, it is blocked.  If I wait about 15 to
30 minutes, I can connect again to my service only to experience the
disconnect again after about 30 seconds.  I enabled Proxy ARP for the IP
address and this did not seem to make a difference.
 
The configuration utilizes a switch to bridge the MonoWall to the ISP's
router.  I speculate this could be causing a problem.  On the same
switch, I have another Astaro firewall that I am hoping to migrate to
MonoWall.  It looks like the following:
 
ISP-----> Switch---> Monowall
Router-> Switch---> Astaro Firewall
 
The Astaro has a nice feature called "Additional IP on Interface" and I
have successfully used this to get multiple IP addresses working.  I
have confirmed that the Astaro firewall is not referencing any of the IP
addresses I am trying to reference via Monowall.
 
Any thoughts would be greatly appreciated!
 
Marty