CARP and ESXi: trick to get multiple MACIDs working?
-
I've cross-posted this to the Virtualization subforum as well, since it involves both topics. Hopefully that is not against the rules.
I have a cable modem connection with multiple static IPs. The modem is in bridge mode.
Normally I would just assign one main IP to the pfSense interface, and then assign the other static IPs as virtual IPs to the same interface.
However, apparently this ISP requires that each static IP be associated with a single unique MACID.
It seems that in this situation CARP is the tool for ensuring that each Virtual IP has a different MACID.
It isn't working for me.
I've followed the directions here: https://doc.pfsense.org/index.php/CARP_Configuration_Troubleshooting#Hypervisor_users_.28Especially_VMware_ESX.2FESXi.29 and enabled Promiscuous Mode and allowed MAC Address Changes and Forged Transmits.
The connection still behaves as if I've assigned multiple IPs to the same MACID (which is to say it doesn't work).
Of course I've reset the modem several times and it makes no difference.
It seems to me that either CARP is not working as it should on the pfSense side, or there is an underlying compatibility problem with ESXi: it is not allowing multiple MACIDs to exist on the same interface, and therefore is not passing those CARP MACIDs on to the modem.
Anyone have any advice for how I should proceed from here?
Running pfSense 2.3.2 on ESXi 6.0.
-
I removed the second post, cross-posting identical (or nearly so) messages is not something we like to see.
CARP is not going to accomplish what you want there. The requests have to originate from different MAC addresses and the only way for that to happen is to use additional interfaces. You can link up several more virtual NICs in ESX to the same WAN segment, but that's really ugly as only one of them will actually be used for outgoing traffic.
Depending on what you're trying to accomplish, it might be best to bridge a local segment to WAN and allow devices needing those extra outside IP addresses to pull them directly.
That or convince the ISP to route them to you properly instead of requiring multi-MAC DHCP nonsense…
-
MACIDs are fairly trivial to spoof. Why not offer an option to specify the MACID for a virtual IP within the pfSense webGUI? To me, this seems like the most elegant, straightforward and simple solution.
This is a national ISP and I'm using their standard "business-class" cable service. They aren't going to make any special exceptions for me (I've tried, multiple times, escalating the case as far as it would go). And upgrading to a more expensive service is not an option either. And there are no viable competitors that offer service in the same area, especially not at the speeds I need.
-
So we all know, which ISP is doing this? Seems like something Comcast would come up with.
-
MACIDs are fairly trivial to spoof. Why not offer an option to specify the MACID for a virtual IP within the pfSense webGUI? To me, this seems like the most elegant, straightforward and simple solution.
Because it's not possible to do that.
-
MACIDs are fairly trivial to spoof.
Maybe for the one for the interface itself. Not several on one interface.
-
I removed the second post, cross-posting identical (or nearly so) messages is not something we like to see.
CARP is not going to accomplish what you want there. The requests have to originate from different MAC addresses and the only way for that to happen is to use additional interfaces. You can link up several more virtual NICs in ESX to the same WAN segment, but that's really ugly as only one of them will actually be used for outgoing traffic.
Depending on what you're trying to accomplish, it might be best to bridge a local segment to WAN and allow devices needing those extra outside IP addresses to pull them directly.
That or convince the ISP to route them to you properly instead of requiring multi-MAC DHCP nonsense…
Sorry to drag up an old thread but the following article says that this IS possible:
https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses
Is the article wrong?
-
The firewall sends out traffic from the interface MAC. It can receive traffic using the CARP MAC.
It won't satisfy all of the requirements for this ISP if it requires both.
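A practical way to confirm the behaviour described in the reply above (outbound frames carry the interface MAC, inbound frames to the VIP can carry the CARP MAC) is to capture on the WAN side with `tcpdump -e` and tabulate, per local IP, which source MAC its outgoing frames use and which destination MAC its incoming frames use. The script below is an added example, not code from this thread or from the pfSense project. It parses constructed `tcpdump -e` style lines (the sample capture, the TEST-NET addresses and the MACs are all made up for the example) and compares each VIP's outbound MAC against the CARP virtual MAC derived from its VHID (`00:00:5e:00:01:<VHID>`, the same scheme VRRP uses). The helper names `carp_mac`, `macs_by_ip` and `verify_vip_macs` are this example's own.

```python
"""Check which MAC each local IP actually transmits and receives with.

Added example (not from the thread or pfSense). Feed it lines captured with
`tcpdump -e -n -i <wan>` on the hypervisor or on the firewall; the sample
below is constructed to show the pattern the thread describes.
"""
import re
from collections import defaultdict

# Constructed tcpdump -e style lines, not a real capture.
#   00:0c:29:aa:bb:cc   interface MAC of the firewall's WAN vNIC
#   203.0.113.10        interface IP
#   203.0.113.11        CARP VIP, VHID 1: frames still leave with the
#                       interface MAC (the behaviour described in the thread)
#   203.0.113.12        hypothetical VIP, VHID 2, constructed so that its frames
#                       carry the CARP MAC, only to exercise the passing branch
SAMPLE_CAPTURE = [
    "10:00:00.000001 00:0c:29:aa:bb:cc > 00:11:22:33:44:55, ethertype IPv4 (0x0800), "
    "length 74: 203.0.113.10.51000 > 198.51.100.1.80: Flags [S], seq 0, win 65535, length 0",
    "10:00:00.000002 00:0c:29:aa:bb:cc > 00:11:22:33:44:55, ethertype IPv4 (0x0800), "
    "length 74: 203.0.113.11.51001 > 198.51.100.1.80: Flags [S], seq 0, win 65535, length 0",
    "10:00:00.000003 00:00:5e:00:01:02 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), "
    "length 74: 203.0.113.12.51002 > 198.51.100.1.80: Flags [S], seq 0, win 65535, length 0",
    "10:00:00.000004 00:11:22:33:44:55 > 00:00:5e:00:01:01, ethertype IPv4 (0x0800), "
    "length 74: 198.51.100.1.80 > 203.0.113.11.51001: Flags [S.], seq 0, ack 1, win 65535, length 0",
]

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# tcpdump -e: "<src_mac> > <dst_mac>, ethertype IPv4 (0x0800), length N: <sip>.<port> > <dip>.<port>: ..."
FRAME_RE = re.compile(
    rf"(?P<smac>{MAC}) > (?P<dmac>{MAC}),.*?length \d+: (?P<sip>{IPV4})\.\d+ > (?P<dip>{IPV4})\.\d+",
    re.IGNORECASE,
)


def carp_mac(vhid: int) -> str:
    """CARP virtual MAC for a VHID: 00:00:5e:00:01:<VHID in hex>."""
    if not 1 <= vhid <= 255:
        raise ValueError("VHID must be in 1..255")
    return f"00:00:5e:00:01:{vhid:02x}"


def macs_by_ip(lines, local_ips):
    """Per local IP: source MACs of frames it sent ("out") and destination
    MACs of frames addressed to it ("in")."""
    result = {ip: {"out": set(), "in": set()} for ip in local_ips}
    for line in lines:
        m = FRAME_RE.search(line)
        if not m:
            continue  # not an IPv4 frame line, or not captured with -e
        if m["sip"] in result:
            result[m["sip"]]["out"].add(m["smac"].lower())
        if m["dip"] in result:
            result[m["dip"]]["in"].add(m["dmac"].lower())
    return result


def verify_vip_macs(lines, vips):
    """vips maps VIP -> VHID. Returns {vip: (expected_mac, seen_out_macs, ok)};
    ok is True only when every outbound frame from the VIP used its CARP MAC,
    which is what a per-IP-per-MAC ISP policy would need to see."""
    seen = macs_by_ip(lines, set(vips))
    report = {}
    for ip, vhid in vips.items():
        expected = carp_mac(vhid)
        out = seen[ip]["out"]
        report[ip] = (expected, out, bool(out) and out == {expected})
    return report


if __name__ == "__main__":
    vips = {"203.0.113.11": 1, "203.0.113.12": 2}
    for ip, (expected, out, ok) in verify_vip_macs(SAMPLE_CAPTURE, vips).items():
        print(f"{ip}: expected {expected}, sent from {sorted(out)}, ok={ok}")
    for ip, macs in macs_by_ip(SAMPLE_CAPTURE, set(vips)).items():
        print(f"{ip}: received on {sorted(macs['in'])}")
```

On a real capture the VIP will show `ok=False` with the interface MAC under "sent from" while still showing the CARP MAC under "received on", which is exactly the half-satisfied requirement the reply describes; only the hypothetical VHID 2 entry in the constructed sample passes.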