Virtual IP Scenarios
-
Hello! I've always looked at Virtual IPs and never really understood what they'd be good for, could somebody give scenarios?
I see people talking about running web servers with them, email servers, and setting them up for outbound. What's some neat things that they can do that would persuade somebody to try them out?
I read the wiki, still left me confused.
Thanks!
-
I have a board with IPMI and there is a bug / feature in the firmware that does not allow me to use an IP from the LAN subnet for IPMI, but I want IPMI to be able to synchronize the time and access some services over the local network. I have created a VIP on pfSense and a static IP on IPMI in the same subnet and now I have all I need. I have only one device and it's a home network, so I don't need to create VLANs and buy new hardware for it.
-
Multiple IPs from your ISP can be used on the same WAN. I use one right now. So DHCP address for my normal stuff.. Virtual IP which is my one static which I use for a couple of servers.
-
Thank you w0w & chpalmer for the responses.
What use would I have for my scenario? A few game servers, a GRE running to hide my game server's IPs, a few VPNs, about 7~ clients, voice server, and a web server.
Planned: Multiple game servers, larger website, email server, sql server, and still 7~ clients.
If there is no use, what's the most common scenario for one? I'm interested in them but I don't see a whole lot about them.
Thanks!
-
I use a virtual IP for my Unique Local Address. In addition to my addresses from my ISP, I set up another local address range to experiment with. So, my computer has global addresses, from my ISP and local addresses from a block I created.
One thing about IPv6 is that multiple addresses on a NIC are not only allowed, they're expected.
-
"what's the most common scenario for one?"
They allow you to add another IP to an interface.. Seems pretty straightforward to me.. This IP could be in the same network as the IP actually on the interface. It could be in a different network than the IP on the interface. Normally that is somewhat borked because you're now running multiple layer 3 on the same layer 2. But it can have its uses now and then, etc.
The most common use would be your ISP gives you a /29 for example… This is not routed to you, but meant for you to be able to connect multiple machines. But you only have the 1 router/firewall you want to connect and you don't want to connect your machines directly.
So you could set up multiple interfaces on your router and connect them to your wan and set up the IPs directly on the interface. Or you could just add the VIP address to your interface and now you can use that for port forwarding, outbound natting, etc.
You don't get what use multiple IPs have? Do you have multiple IPs from your ISP? If so you put them on your wan interface of pfsense. Now if you hit ip 1.2.3.4 from internet you get forwarded to game server 1, if you hit 1.2.3.5 you get forwarded to game server 2, etc.
-
"It could be in a different network than the IP on the interface. Normally that is somewhat borked because you're now running multiple layer 3 on the same layer 2."
Actually, with IPv6, that sort of use is intended. My use with ULA is just one example. There's also no reason why you couldn't have different addresses from multiple ISPs on a network. One reason for doing this might be a backup. The standby network is always up and ready to go. Which is used depends on the RA priority, so if the main router fails, then the lower priority standby takes over. There are other reasons. Of course, we can't forget about the good ol' link local address, which every IPv6 capable device has.
With IPv6, we have to forget about many of the conventions that applied to IPv4 due to its limited address space. They no longer apply with IPv6.
-
"My use with ULA is just one example"
Your use of ULA on an interface with a global IPv6 is a perfect example of what NOT TO DO ;) It's running multiple layer 3 networks on the same layer 2 which is borked be it ipv4 or ipv6 to be honest.
Please do not compare your ULA setup to link-local addressing. It's not the same thing at all.. What you're doing is like putting a rfc1918 network on the same interface you have public IPv4 address on. It has no real world use case that would make sense.
Backup network for when your RA is down? Pointless in any real world setup.. If your RA is down and you can not get somewhere then fix it! Make sure your RA doesn't go down would be where attention should be placed not on some backup plan to be able to use ula..
I agree with you that lots of conventions change with ipv6.. Running multiple layer 3 on same layer 2 is not one of them ;) The whole thing with dual stack is just really a necessary evil during the transition period between the 2 different IP protocols ipv4 and ipv6..
Example I would think of, of a vip that is in a different network, would be a loopback address for some sort of management.. Or as a transition mech as you migrate from one address scheme to another scheme, etc.
-
"Please do not compare your ULA setup to link-local addressing. It's not the same thing at all.. What you're doing is like putting a rfc1918 network on the same interface you have public IPv4 address on. It has no real world use case that would make sense."
Funny how I keep reading about how multiple addresses on IPv6 was intended.
"Backup network for when your RA is down? Pointless in any real world setup.. If your RA is down and you can not get somewhere then fix it! Make sure your RA doesn't go down would be where attention should be placed not on some backup plan to be able to use ula.."
Actually, I have worked on business networks where that might have been useful. I have worked on network equipment for Starbucks and Tim Horton's. Both have a main connection via ADSL or cable and both have a backup over the cell network. They actually have to poll the main connection regularly, to determine when the main connection has failed, to trigger the switch to the backup connection, as they weren't able to use a routing protocol, such as OSPF, to handle the failure. In this case, having a standby router and RA priority would have worked.
"Running multiple layer 3 on same layer 2 is not one of them"
Well, if you have a global address, you have at least 2 layer 3 addresses, as you also have link-local. That's 2 by my count. My example of ULA might be used with IoT, where you don't want to have the devices directly reachable from the Internet, but do want to reach them from a local computer or other device.
Here's what RFC 7934 says:
2. Common IPv6 Deployment Model
IPv6 is designed to support multiple addresses, including multiple
global addresses, per interface (see Section 2.1 of [RFC4291] and
Section 5.9.4 of [RFC6434]). Today, many general-purpose IPv6 hosts
are configured with three or more addresses per interface: a link-
local address, a stable address (e.g., using 64-bit Extended Unique
Identifiers (EUI-64) or Opaque Interface Identifiers [RFC7217]), one
or more privacy addresses [RFC4941], and possibly one or more
temporary or non-temporary addresses obtained using the Dynamic Host
Configuration Protocol for IPv6 (DHCPv6) [RFC3315].

In most general-purpose IPv6 networks, hosts have the ability to
configure additional IPv6 addresses from the link prefix(es) without
explicit requests to the network. Such networks include all 3GPP
networks ([RFC6459], Section 5.2), in addition to Ethernet and Wi-Fi
networks using Stateless Address Autoconfiguration (SLAAC) [RFC4862].
https://tools.ietf.org/html/rfc7934
IPv6 is designed to support multiple addresses and I really don't understand why you're so hostile to the idea, when the IETF encourages it.
-
"I agree with you that lots of conventions change with ipv6.. Running multiple layer 3 on same layer 2 is not one of them ;) The whole thing with dual stack is just really a necessary evil during the transition period between the 2 different IP protocols ipv4 and ipv6.."
I wasn't even thinking of dual stack. The sooner we move to IPv6 the better. However, it wasn't that long ago many networks were dual stack IPX & IPv4. When I was at IBM, the first time I worked there, I had IPv4, NetBIOS and SNA on a token ring network. The 2nd time I worked there, it was all IPv4 on Ethernet.