First, you should feed the rc1 full update anyway, as it contains FreeBSD updates that are not included if you only sync out code from the mirrors. Run a cvs_update.sh RELENG_1 after manually updating at the webgui to get fixes that were made after the update file was generated.
Which kind of VIP works for you depends mainly on what your WAN connection looks like and what you want to do with it. There are some limitations for some of them:

- ProxyARP: Replies for the additionally entered IP address with the same MAC address as the real interface the VIP lives on. It simulates Layer 2 messages for this IP. Can be used with IPs outside the real interface's subnet. Unless you forward traffic, this IP can't be utilized by the firewall itself (like answering pings, working as an endpoint for services running on the firewall itself, ...).

- CARP: CARP generates a random fake MAC address for the additional IP at bootup and uses this to answer at Layer 2 for this IP (it will change at the next bootup as it is randomly generated). For the opposite end, the pfSense interface then looks somewhat like a switch with these IPs connected to it. In addition to this, CARP can be utilized to build a cluster for redundancy. Each CARP IP broadcasts a keepalive so other nodes in the same cluster know it's still alive (that's what the password is needed for). If the keepalive fails, another node in the cluster will take over the IP and the same MAC of the dead node. This usually happens in around 1 second or even less than a second, so nobody will notice the failure of the former master node. CARP IPs have to be part of the real interface's subnet. CARP IPs can be used for services running on the firewall directly, can answer pings without being forwarded, ... . CARP won't work for PPPoE or DHCP WANs.

- Other: Other just tells the firewall to accept the additional IPs without generating Layer 2 replies for them. You can usually use this if the additional IPs are routed to you without the need to answer at Layer 2 to get the traffic for this IP to you. Traffic has to be forwarded and can't be used by the firewall itself.
Preview for the next version of pfSense: We'll have an additional VIP type in the next version (already implemented in the HEAD code tree) which utilizes "interface alias", which works similarly to proxy ARP but without its limitations. ProxyARP might get removed then, as this way is better and does the same plus more.

I usually set up additional IPs as CARP, as this should nearly always work and it gives me the flexibility to just add a failover node later if needed without transforming the configuration.

Another thing we experienced in the past with VIP problems is caused by the router/device in front of you not learning the ARPs correctly when adding a VIP. In that case you should just reboot the device or flush the cache manually and see if it works after that.

Hope this helps a bit,
Holger

> -----Original Message-----
> From: Robert Goley [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 22, 2006 4:14 PM
> To: support@pfsense.com
> Subject: [pfSense Support] Outbound NAT questions
>
> I am still working with the advanced outbound NAT using pfsense as a
> policy based dual wan router. The pfsense version is beta 4 but updated
> this using the cvs update script. I am attempting to specify a couple of
> machines that should show that they have the same IP (xxx.xxx.xxx.142).
> The interface IP is xxx.xxx.xxx.138. I have rules in advanced outbound
> nat that should set the outbound IP to be xxx.xxx.xxx.142 but it still
> shows xxx.xxx.xxx.138. I am using IP addresses that are set up as proxy
> arp. Should these be CARP or other for this to work? For that matter,
> what is the difference between the 3 types of virtual IP addresses?
> Really puzzled on this and I have not gotten any response to these
> direct questions on the list. I am not blaming, I know everyone has day
> jobs. Just need more information about how this works.
>
> Robert
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]