Netgate Discussion Forum
    Help with FTP - easy to change to CARP VIPs?

    Category: NAT. 14 posts, 2 posters, 5.0k views.
    • Guest

      I read the wikipedia articles, but I can't say that they were helpful.

      So why isn't CARP the default VIP type?  Why would anyone ever use Proxy ARP type VIPs when some things (like the ftp helper) don't work with them? (Assuming they aren't running VRRP in a data center/enterprise environment)

      When I first put my pfSense box into place, my servers were inaccessible for several hours as I tried to troubleshoot what went wrong.  Switching back to the old firewall didn't help either.  I finally got it fixed by calling my ISP and having them clear their ARP cache on their Cisco router that they have on site here.  I'm really worried about screwing something up again if I change my virtual IPs to CARP.

      • Guest

        Anyone have more input?

        • dotdash

          IMO, CARP adds complexity and should be used when you need it and understand it. Proxy-ARP is simpler and mostly harmless.
          PS- Don't tell anyone I said so, but the easiest way to clear the ARP cache of a provider's router involves the power switch.

          • Guest

            dotdash, could you elaborate a little?  Do you think I'd have any problems if I switched all my virtual IPs from ProxyARP to CARP?  Might this affect the ARP routing at all?

            • dotdash

              With proxy-ARP, the firewall will respond to the ARP request with its MAC address. CARP uses a bogus MAC, so you could have an issue with the upstream ARP cache. If it were me, I'd cycle the provider's Cisco, but I have been known to be impetuous.

              • Guest

                Excellent, this is exactly the info I was looking for, thank you.

                • Guest

                  So I went to go do this, and received an error: "You must specify a CARP password that is shared between the two VHID members."

                  First of all, there is no CARP password field on the page.  There is a "virtual ip password".  Is that what it's talking about?  And what is this password used for?

                  Can someone shed some light on this?

                  • dotdash

                    The CARP password is the 'virtual ip password'. It is used to secure the CARP traffic between cluster members. You don't care about this, so just enter anything and save it.

                    • Guest

                      Thanks.  What about the drop down after the IP address?  Everywhere else in pfSense this has been a CIDR number.  Here it specifically says it's not; instead it's the network netmask.

                      So my WAN IP uses a CIDR number of 26 (because its netmask is 255.255.255.192).  This virtual IP is coming from that same network.  So would I use /26 again?  Or /32 to indicate that this is just a single virtual IP?

                      • dotdash

                        You use the actual netmask of the WAN. So in your case, /26.

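An added example, not code from this thread or from pfSense, that makes two of dotdash's points concrete: the MAC a proxy-ARP VIP answers with (the firewall's own) versus the MAC a CARP VIP answers with (a virtual one derived from the VHID), and why a CARP VIP taken from the WAN subnet is entered with the WAN's real netmask rather than /32. It assumes the standard CARP virtual MAC layout 00:00:5e:00:01:&lt;VHID&gt;; the addresses, the firewall MAC and the upstream ARP-cache contents are constructed sample values. The last function is the check a defender wants after changing a VIP type: which entries the upstream router still holds that no longer match what the firewall answers with.

```python
import ipaddress
from typing import Dict, Optional

# CARP answers ARP for a VIP with a VRRP-style virtual MAC 00:00:5e:00:01:<VHID>
# (assumption stated in the lead-in), not with the interface's hardware address.
CARP_MAC_PREFIX = "00:00:5e:00:01"


def carp_virtual_mac(vhid: int) -> str:
    """Virtual MAC a CARP VIP answers ARP with for the given VHID."""
    if not 1 <= vhid <= 255:
        raise ValueError("VHID must be in 1..255")
    return f"{CARP_MAC_PREFIX}:{vhid:02x}"


def netmask_to_prefix(netmask: str) -> int:
    """Dotted netmask -> CIDR prefix length, e.g. 255.255.255.192 -> 26."""
    return ipaddress.IPv4Network(f"0.0.0.0/{netmask}").prefixlen


def vip_prefix_for_wan(wan_ip: str, wan_netmask: str, vip: str) -> int:
    """A CARP VIP drawn from the WAN subnet is entered with the WAN's real
    prefix, not /32. Refuse a VIP that is not inside that subnet."""
    wan_net = ipaddress.IPv4Interface(f"{wan_ip}/{wan_netmask}").network
    if ipaddress.IPv4Address(vip) not in wan_net:
        raise ValueError(f"{vip} is not inside WAN network {wan_net}")
    return wan_net.prefixlen


def answering_mac(vip_type: str, firewall_mac: str, vhid: Optional[int] = None) -> str:
    """MAC the firewall puts into ARP replies for a VIP of the given type."""
    if vip_type == "proxyarp":
        return firewall_mac.lower()          # proxy ARP: the firewall's own MAC
    if vip_type == "carp":
        if vhid is None:
            raise ValueError("a CARP VIP needs a VHID")
        return carp_virtual_mac(vhid)        # CARP: the virtual MAC for the VHID
    raise ValueError(f"unknown VIP type {vip_type!r}")


def stale_upstream_entries(upstream_arp_cache: Dict[str, str], vip_type: str,
                           firewall_mac: str, vhid: Optional[int] = None) -> Dict[str, str]:
    """Entries in the upstream router's ARP cache that no longer match the MAC
    the firewall now answers with. Traffic for these keeps going to the old
    MAC until the entry expires or the provider clears it."""
    expected = answering_mac(vip_type, firewall_mac, vhid)
    return {ip: mac for ip, mac in upstream_arp_cache.items() if mac.lower() != expected}


if __name__ == "__main__":
    # Constructed sample values: TEST-NET addresses and a made-up firewall MAC.
    firewall_mac = "00:11:22:33:44:55"
    # What the upstream router learned while the VIP was still proxy ARP.
    cached_before_switch = {"203.0.113.10": firewall_mac}
    print(netmask_to_prefix("255.255.255.192"))                                  # 26
    print(vip_prefix_for_wan("203.0.113.5", "255.255.255.192", "203.0.113.10"))  # 26
    # After switching the VIP to CARP with VHID 1 the cached entry is stale.
    print(stale_upstream_entries(cached_before_switch, "carp", firewall_mac, vhid=1))
```

Any entry the last function reports is one the upstream router will keep using until it expires or is cleared, which is the outage described earlier in the thread; the same check, run the other way round, applies when switching a VIP back from CARP to proxy ARP.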
                        • Guest

                          Thank you, I've changed the IP type, and everything still seems to be OK; I can still access the website.

                          Unfortunately passive ftp is still not working.  I have port 21 open in the firewall (active FTP is working), and I've left the "Disable the userland FTP-Proxy application" box on the WAN screen unchecked.  Is there anything else I need to do?

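An added example, not code from this thread or from pfSense's FTP helper, showing the job a passive-FTP proxy has to do and why passive FTP breaks behind NAT without it: the server's 227 reply embeds its own address and a freshly chosen data port, so a server on a private address tells the client to connect somewhere unreachable unless the proxy rewrites the reply to the public VIP and allows that data port through. The addresses and the reply line are constructed sample values.

```python
import re
from typing import Optional, Tuple

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)", data port = p1*256 + p2.
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str) -> Optional[Tuple[str, int]]:
    """Return (address, data_port) from a 227 reply, or None if it is not one."""
    m = PASV_RE.match(reply.strip())
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"out-of-range field in PASV reply: {reply!r}")
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("PASV reply announces port 0")
    return host, port


def rewrite_pasv(reply: str, private_ip: str, public_ip: str) -> Tuple[str, Optional[int]]:
    """Rewrite the server's 227 reply so the client sees the public address.
    Returns (reply_to_send, data_port_to_allow); the port is None when the
    line was left untouched."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return reply, None
    host, port = parsed
    if host != private_ip:
        return reply, None          # not our server's private address; leave it alone
    octets = public_ip.split(".")
    if len(octets) != 4:
        raise ValueError("public_ip must be dotted IPv4")
    rewritten = f"227 Entering Passive Mode ({','.join(octets)},{port // 256},{port % 256})"
    return rewritten, port          # the caller must also open port on the public side


if __name__ == "__main__":
    # Constructed sample: FTP server on 10.0.0.5 behind a firewall whose VIP is 192.0.2.10.
    server_reply = "227 Entering Passive Mode (10,0,0,5,195,80)"
    print(parse_pasv(server_reply))                              # ('10.0.0.5', 50000)
    print(rewrite_pasv(server_reply, "10.0.0.5", "192.0.2.10"))  # rewritten line, 50000
```

Opening port 21 alone covers the control channel only; the second value returned by `rewrite_pasv` is the data port the client will connect to, which must also be reachable on the public address for the transfer to start.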
                          • Guest

                            In case this helps anyone - I did not have any issues going from ProxyARP to CARP type of virtual IPs.

                            But when I switched back (because I never could get the FTP helper to work), the Cisco router did NOT pick up on the new MAC address, and traffic wasn't being routed properly.  I had to call my ISP and have them clear their ARP cache for that particular IP.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.