First, you should feed the rc1 full update anyway, as it contains FreeBSD 
updates that are not included if you only sync out code from the mirrors. Run 
cvs_update.sh RELENG_1 after manually updating at the WebGUI to get fixes that 
were made after the update file was generated.

Which kind of VIP works for you depends mainly on what your WAN connection looks 
like and what you want to do with it. There are some limitations for some of 
them:

- Proxy ARP:
Replies for the additionally entered IP address with the same MAC address as the 
real interface the VIP lives on. It simulates Layer 2 messages for this IP. Can 
be used with IPs outside the real interface's subnet. Unless you forward traffic, 
this IP can't be utilized by the firewall itself (e.g. answering pings, working 
as an endpoint for services running on the firewall itself, ...).

- CARP:
CARP generates a random fake MAC address for the additional IP at boot-up and 
uses this to answer at Layer 2 for this IP (it will change at the next boot-up, 
as it is randomly generated). To the opposite end, the pfSense interface then 
looks somewhat like a switch with these IPs connected to it. In addition to 
this, CARP can be utilized to build a cluster for redundancy. Each CARP IP 
broadcasts a keepalive so other nodes in the same cluster know it's still alive 
(that's what the password is needed for). If the keepalive fails, another node 
in the cluster will take over the IP and the same MAC of the dead node. This 
usually happens in around 1 second or even less, so nobody will notice the 
failure of the former master node. CARP IPs have to be part of the real 
interface's subnet. CARP IPs can be used for services running on the firewall 
directly, can answer pings without being forwarded, etc. CARP won't work for 
PPPoE or DHCP WANs.

- Other:
"Other" just tells the firewall to accept the additional IPs without generating 
Layer 2 replies for them. You can usually use this if the additional IPs are 
routed to you without the need to answer at Layer 2 to get the traffic for this 
IP to you. Traffic has to be forwarded and can't be used by the firewall itself.

Preview for the next version of pfSense:
We'll have an additional VIP type in the next version (already implemented in 
the HEAD code tree) which utilizes "interface alias". It works similarly to Proxy 
ARP but without its limitations. Proxy ARP might get removed then, as this way 
is better and does the same plus more.

I usually set up additional IPs as CARP, as this should nearly always work, and 
it gives me the flexibility to just add a failover node later if needed without 
transforming the configuration.

Another cause of VIP problems we have experienced in the past is the 
router/device in front of you not learning the ARP entries correctly when a 
VIP is added. In that case you should just reboot the device or flush the ARP 
cache manually and see if it works after that.

Hope this helps a bit,
Holger


> -----Original Message-----
> From: Robert Goley [mailto:[EMAIL PROTECTED]
> Sent: Thursday, June 22, 2006 4:14 PM
> To: support@pfsense.com
> Subject: [pfSense Support] Outbound NAT questions
> 
> 
> I am still working with the advanced outbound NAT, using pfSense as a 
> policy-based dual-WAN router. The pfSense version is beta 4, but I updated 
> it using the cvs update script. I am attempting to specify a couple of 
> machines that should show that they have the same IP (xxx.xxx.xxx.142). 
> The interface IP is xxx.xxx.xxx.138. I have rules in advanced outbound NAT 
> that should set the outbound IP to be xxx.xxx.xxx.142, but it still shows 
> xxx.xxx.xxx.138. I am using IP addresses that are set up as Proxy ARP. 
> Should these be CARP or Other for this to work? For that matter, what is 
> the difference between the 3 types of virtual IP addresses? Really puzzled 
> on this, and I have not gotten any response to these direct questions on 
> the list. I am not blaming; I know everyone has day jobs. Just need more 
> information about how this works.
> 
> Robert
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
> 

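As an added illustration of the outbound-NAT question and the three VIP types discussed above (this is example configuration written for this page, not code from the original messages or from the pfSense project), here is the hand-written pf equivalent of what the Advanced Outbound NAT page and the VIP page produce. All addresses, the interface name, the MAC, the vhid and the CARP password are assumed stand-ins: 203.0.113.138 plays the role of the interface IP xxx.xxx.xxx.138 and 203.0.113.142 the role of the VIP xxx.xxx.xxx.142.

```pf
# Added example, not from the original message or from the pfSense project.
# Assumed topology: WAN on em0 with interface IP 203.0.113.138/29 (stand-in for
# xxx.xxx.xxx.138), VIP 203.0.113.142 (stand-in for xxx.xxx.xxx.142), LAN
# 192.168.1.0/24 with hosts .10 and .11 that should leave as the VIP.
wan_if    = "em0"
wan_ip    = "203.0.113.138"
vip       = "203.0.113.142"
lan_net   = "192.168.1.0/24"
vip_hosts = "{ 192.168.1.10, 192.168.1.11 }"

# --- Making the VIP answer at Layer 2 (pick ONE; these run outside pf.conf) ---
# Proxy ARP: answer ARP for the VIP with the real interface's MAC
# (pfSense 1.0 uses choparp; the MAC below is an assumed value):
#   choparp em0 00:0c:29:aa:bb:cc 203.0.113.142
# CARP: a carp(4) pseudo-interface with its own MAC; vhid/pass are assumed
# (FreeBSD 6 syntax, as used by pfSense 1.0):
#   ifconfig carp0 create
#   ifconfig carp0 vhid 1 pass s3cret advskew 0 203.0.113.142/29
# Other: nothing at Layer 2; the upstream router must already route the
# address to this box, otherwise replies to the VIP never reach you.

# --- Outbound NAT ---
# pf uses the FIRST matching nat rule, so the host-specific rule must sit
# above the catch-all. With the two lines swapped, the catch-all matches
# first and every host leaves as .138, which is the symptom in the question.
nat on $wan_if from $vip_hosts to any -> $vip
nat on $wan_if from $lan_net   to any -> $wan_ip
```

The same ordering applies to the rule list on the Advanced Outbound NAT page, which is evaluated top-down. Two things to check when the translation still shows the interface IP: `pfctl -sn` prints the nat rules actually loaded, so the specific rule should appear above the catch-all there; and existing entries in the state table keep their old translation, so a connection that was open before the rule change will keep leaving as .138 until it is closed or killed (`pfctl -ss` to list states, `pfctl -k 192.168.1.10` to kill the states of one host). If the VIP is Proxy ARP or CARP and traffic translated to it still gets no replies, look at the ARP table on the upstream router: it must show the VIP with the MAC of em0 (Proxy ARP) or the CARP MAC, and a stale entry there is the case the reply above suggests fixing by flushing the cache.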


