So switching the CARP VIPs to IP Alias VIPs, in my config, does work (as I had originally expected by the "all about VIPs" WiKi page) -- it just takes an hour or so (in our case) for the up-stream equipment to "cache in" on those changes ... as was suggested by a couple of responders.
I've sent the WiKi admin some text to be added under the heading "Implications" (or whatever they may want to title it), since some of the discussion points are likely to be useful to others. <soapbox> BTW, this is a practice I'd encourage others to follow as there's often lots of good information that "steams by" in this mailing list and is posted to the forums. While it is possible to find the information, if you know the correct search terms, it's also often the case that some of the material should be organized and added to the WiKi documentation. Depending upon your writing apptitude, this will often only take minutes to tens of minutes. I look at this as a small way to contribute and to "pay back" for the effort others have spent in helping. If we supply HTML-formatted additions, most of the time the WiKi admin should only have to do a quick read-through before adding the material ... which means that it's likely to get done. <soapbox/> Thanks, again, to all who participated. On 2015-Mar-09, at 6:57 AM, Jim Pingle <li...@pingle.org> wrote: > On 03/08/2015 06:50 PM, Bryan D. wrote: >> My interpretation of the nice chart and notes on >> https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses >> leads me to believe that I can switch the CARP VIPs to be IP Alias VIPs. >> However, when I do that, the 2 servers for the 2 domains tied to the VIPs >> are no longer accessible from the Internet (but IIRC, the mobile VPNs still >> work). >> >> Can anyone suggest what it is that I don't understand (well, limited to this >> behavior, at least)? > > As has been hinted at elsewhere in the thread, your problem is likely > layer 2-related. > > CARP VIPs get their own unique MAC address. Proxy ARP and IP Alias VIP > MAc addresses are shared with the NIC itself. > > Changing from CARP to Proxy ARP or IP Alias would cause the MAC address > of the VIP to change, which may require clearing the ARP cache on the > modem/upstream router/etc. > > Another possibility is that your upstream requires each additional IP > address to have a unique MAC address. We have seen this with some ISPs / > certain modems and it's a bit of a pain. CARP works around it because > each VIP on a different VHID has a unique MAC address, where IP alias > and Proxy ARP VIPs all have the same MAC address. > > So there isn't a clear answer here. Likely, it would be OK to use Proxy > ARP, but you'll need to reboot the modem or upstream router. If that > still fails and CARP works, then your ISP or upstream equipment must be > expecting each IP to have a unique MAC address. > > Jim _______________________________________________ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold
