On 2015-Mar-08, at 3:53 PM, Espen Johansen <pfse...@gmail.com> wrote:

> I believe the key to this is proxy arp.
> 
> Brgds, Espen
> On 8 March 2015 at 23:50, "Bryan D." <pfse...@derman.com> wrote:
> 
>> While we're on the topic, I have a functioning v2.2 setup that uses a /29
>> set of static IPs:
>> - 1 IP is the gateway address and 5 IPs are "usable" (quite common, I
>> believe)
>> - one of the "usable" IPs is assigned to the WAN interface
>> - the other 4 "usable" IPs are assigned to VIPs
>> - the WAN IP and VIPs have various port-forward and NAT rules associated
>> with them
>> - the WAN IP and 2 of the VIPs serve 3 different domains
>>  (e.g., web, email, VPN -- servers are behind the firewall on isolated
>> LAN)
>> - one of the other VIPs is used by mobile VPNs (IPsec and OpenVPN)
>> 
>> All this works nicely ... as long as the VIPs are CARP VIPs.  However,
>> since I'm not using any fail-over/redundancy, I don't think I should
>> require CARP VIPs (and I suspect that using CARP VIPs is the reason that,
>> when the cable modem goes down, I can't get at the pfSense webconfigurator
>> until I unplug the WAN cable ... it's OK after I plug it back in, even if
>> the cable modem is still down, but it does need to be unplugged???).
>> 
>> My interpretation of the nice chart and notes on
>> https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses
>> leads me to believe that I can switch the CARP VIPs to be IP Alias VIPs.
>> However, when I do that, the 2 servers for the 2 domains tied to the VIPs
>> are no longer accessible from the Internet (but IIRC, the mobile VPNs still
>> work).
>> 
>> Can anyone suggest what it is that I don't understand (well, limited to
>> this behavior, at least)?

Nope, I switched one to be a Proxy ARP VIP ... and it went "dead" (i.e., site 
becomes inaccessible from Internet), same as when switched to an IP Alias VIP.

Logically, it seems like an alias is what I want since I just want an "entry 
point" (to the real WAN interface) for the other static IPs, after which 
they're routed/filtered based upon their destination static IP, etc.

The web page reads:

CARP
• Can be used for NAT.
• Can be used by the firewall itself to bind/run services.
• Generates ARP (Layer 2) traffic for the VIP.
...

IP Alias
• Can be used for NAT.
• Can be used by the firewall itself to bind/run services.
• Generates ARP (Layer 2) traffic for the VIP.
...

So, for what I'm doing, an IP Alias VIP seems like it should work where a CARP 
VIP works -- but it doesn't appear that a Proxy ARP VIP should, since I think 
I'm using them by the "firewall itself" (i.e., port forwarding and NATing) ... 
no -- or does that mean something different?

Proxy ARP
• Can be used for NAT.
• Cannot be used by the firewall itself to bind/run services.
• Generates ARP (Layer 2) traffic for the VIP.
...

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
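The thread turns on one distinction from the pfSense VIP chart quoted above: CARP and IP Alias VIPs are bound on the WAN interface as addresses the firewall itself owns, while a Proxy ARP VIP is only answered for at layer 2 and never bound. The check below is an added example, not code from the thread or from the pfSense project: it takes the text of `ifconfig <wan_if>` and `pfctl -sn` and reports, per VIP, whether the address is actually bound and whether an rdr (port-forward) rule targets it. The interface name em0, the 192.0.2.0/29 block, the VIP addresses and the sample command output are all constructed assumptions so the script runs offline; on a live box you would pass the real command output instead.

```shell
#!/bin/sh
# Added diagnostic helper; not part of pfSense or the mailing-list thread.
# Inputs on a real pfSense box:  ifconfig em0   and   pfctl -sn
# Everything below is constructed sample output (assumed interface em0,
# assumed /29 192.0.2.0/29, assumed VIPs .3 .4 .5) so the script runs anywhere.

# Constructed `ifconfig em0`: WAN IP .2 plus IP Alias VIPs .3 and .4 bound.
# .5 is configured as a Proxy ARP VIP, so it does NOT appear as an address.
IFCONFIG_OUT='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.0.2.2 netmask 0xfffffff8 broadcast 192.0.2.7
	inet 192.0.2.3 netmask 0xffffffff broadcast 192.0.2.3
	inet 192.0.2.4 netmask 0xffffffff broadcast 192.0.2.4'

# Constructed `pfctl -sn`: port forwards exist for .3, .4 and .5.
PFCTL_OUT='rdr on em0 inet proto tcp from any to 192.0.2.3 port = http -> 10.0.0.10 port 80
rdr on em0 inet proto tcp from any to 192.0.2.4 port = smtp -> 10.0.0.20 port 25
rdr on em0 inet proto tcp from any to 192.0.2.5 port = https -> 10.0.0.30 port 443'

# vip_bound IFCONFIG_TEXT VIP -> success if the address is bound on the interface
# (true for CARP and IP Alias VIPs, never for Proxy ARP VIPs).
vip_bound() {
    printf '%s\n' "$1" | grep -q "^[[:space:]]*inet $2 "
}

# vip_has_rdr PFCTL_TEXT VIP -> success if at least one rdr rule targets the VIP.
vip_has_rdr() {
    printf '%s\n' "$1" | grep -q "rdr .* to $2 "
}

# vip_status IFCONFIG_TEXT PFCTL_TEXT VIP -> one word summarising the state:
#   ok        bound and forwarded (CARP / IP Alias with a port forward)
#   not-bound forwarded but not an interface address: either a Proxy ARP VIP
#             (ARP is answered by a helper daemon, the firewall cannot bind it)
#             or an IP Alias / CARP VIP that failed to come up
#   no-rdr    bound but nothing forwards to it
#   unused    neither bound nor forwarded
vip_status() {
    if vip_bound "$1" "$3"; then bound=yes; else bound=no; fi
    if vip_has_rdr "$2" "$3"; then rdr=yes; else rdr=no; fi
    case "$bound/$rdr" in
        yes/yes) echo ok ;;
        no/yes)  echo not-bound ;;
        yes/no)  echo no-rdr ;;
        *)       echo unused ;;
    esac
}

# Stand-alone demo over the constructed data.
for vip in 192.0.2.3 192.0.2.4 192.0.2.5 192.0.2.6; do
    printf '%-12s %s\n' "$vip" "$(vip_status "$IFCONFIG_OUT" "$PFCTL_OUT" "$vip")"
done
```

A `not-bound` result for a VIP that carries port forwards is the state the thread describes for the switched VIP. Whether the firewall is answering ARP for it at all can then be confirmed on the WAN interface with `tcpdump -n -i em0 arp`, watching for a reply to who-has requests for that address coming from the ISP side.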