Hundreds of VIPs: CARP or Proxy ARP?



  • Hello

    I have two pfSense firewalls (1.2-RELEASE on CF cards) in a CARP configuration like this:

    WAN: xxx.xxx.17.1/24
    LAN: 10.0.0.0/8
    SYNC: 192.168.200.1/24

    I have added a number of virtual IPs using CARP and everything works very well.

    I now need to add 128 more virtual IPs with 1:1 NAT to a subnet of the LAN
    xxx.xxx.17.128/25 mapped to 10.0.0.128/25

    I'd like some advice on the best way to do this. Should I
    a) add them all as individual CARP VIPs. Is there a problem with having so many CARP VIPs? Bearing in mind that this needs to be scalable; we may need to add a lot more in the future.
    b) add them as ProxyARP VIPs. This is easier to manage as I can add networks of proxyARP addresses, which correspond to the networks that I define in the 1:1 NAT rules. But I don't know how ProxyARP works with two pfsense firewalls in a cluster; when I add the proxyarp subnet on the slave, do they become active immediately, or only on failover?

    Many thanks for your time,

    Julian



  • There is a limit of 256 VHIDs, hence a limit of 256 CARP IPs. You'll want to route the additional subnet to one of your CARP IPs and use Other VIPs, don't use PARP with two firewalls, it won't failover properly and will cause problems.



  • Thanks for your reply.

    My solution has been to make CARP VIPs for the dozen-or-so hosts that are important, and then add a Proxy ARP subnet on the master firewall for the /25 network that is not so critical, for which I don't really need failover.

    It seems to work fine.

    However, your reply troubles me somewhat: when you say

    don't use PARP with two firewalls, it won't failover properly and will cause problems.
    could you be more specific? What are the problems that I can expect, other than the PARP VIPs not being available on the slave firewall when a failover happens?

    many thanks, Julian



  • Hello,

    we want to add some IPs from a different subnet as VIPs. From my understanding, we cannot add those as CARPs but only as OTHER and PARP. I thought the only difference was that those VIPs couldn't be usable by the firewall itself as mentioned here: http://forum.pfsense.org/index.php/topic,3987.msg24632.html#msg24632

    Now you are saying that failover won't work with those VIPs? Did I miss something, or is it then impossible to have failover when dealing with 2 different subnets of VIPs?

    Thank you for your answer.



  • One of the differences mentioned in the post you cite: "Can be used for clustering (master firewall and standby failover firewall)"
    So, yes PARP VIPs will not failover. Other VIPs may work. You could also try adding an alias IP for each firewall on the secondary subnet, then using CARP.
    Here is an old post with some of my observations. I don't think much has changed:
    http://forum.pfsense.org/index.php/topic,7039.0.html



  • @juliansomers:

    However, your reply troubles me somewhat: when you say

    don't use PARP with two firewalls, it won't failover properly and will cause problems.
    could you be more specific? What are the problems that I can expect, other than the PARP VIPs not being available on the slave firewall when a failover happens?

    That was assuming you put them on both firewalls. If you only put them on one it won't be a problem, but won't fail over either. The proper solution is to have your provider route the additional subnets to one of your CARP IPs, then you can use Other VIPs and will have proper failover.
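    As an added example (not code from the thread or from pfSense), here is a small audit that checks a pfSense config.xml for the two points raised above: the 256-VHID ceiling on CARP VIPs and Proxy ARP VIPs that will not fail over on a two-node cluster. The element names under `<virtualip>` (vip/mode/interface/vhid/subnet/subnet_bits/type) are assumed from pfSense's config layout, and the embedded config is a constructed sample.

```python
# Added example, not from the forum thread: audit pfSense <virtualip> entries.
# Assumed config layout: <virtualip><vip><mode>carp|proxyarp|other|ipalias</mode>
# <interface>..</interface><vhid>..</vhid><subnet>..</subnet><subnet_bits>..</subnet_bits>
# <type>single|network</type></vip>...</virtualip>
import xml.etree.ElementTree as ET

VHID_LIMIT = 256  # the reply above cites a limit of 256 VHIDs, hence 256 CARP IPs

# Constructed sample config: two CARP VIPs, one Proxy ARP /25, one "Other" /24.
SAMPLE_CONFIG = """<pfsense><virtualip>
  <vip><mode>carp</mode><interface>wan</interface><vhid>1</vhid>
       <subnet>203.0.113.10</subnet><subnet_bits>32</subnet_bits><type>single</type></vip>
  <vip><mode>carp</mode><interface>lan</interface><vhid>2</vhid>
       <subnet>10.0.0.1</subnet><subnet_bits>32</subnet_bits><type>single</type></vip>
  <vip><mode>proxyarp</mode><interface>wan</interface>
       <subnet>203.0.113.128</subnet><subnet_bits>25</subnet_bits><type>network</type></vip>
  <vip><mode>other</mode><interface>wan</interface>
       <subnet>198.51.100.0</subnet><subnet_bits>24</subnet_bits><type>network</type></vip>
</virtualip></pfsense>"""

def audit_vips(config_xml):
    """Report CARP VHID usage, duplicate VHIDs per interface, and VIPs without failover."""
    root = ET.fromstring(config_xml)
    seen, vhid_conflicts, no_failover = set(), [], []
    for vip in root.iter("vip"):
        mode = (vip.findtext("mode") or "").lower()
        iface = vip.findtext("interface")
        net = f'{vip.findtext("subnet")}/{vip.findtext("subnet_bits")}'
        if mode == "carp":
            # VHIDs must be unique per broadcast domain, so key on (interface, vhid).
            key = (iface, int(vip.findtext("vhid")))
            if key in seen:
                vhid_conflicts.append(key)
            seen.add(key)
        elif mode == "proxyarp":
            # Proxy ARP VIPs are not part of CARP: on one node they vanish at
            # failover, on both nodes they answer ARP at the same time.
            no_failover.append((iface, net))
    carp_count = len(seen)
    return {
        "carp_vips": carp_count,
        "vhid_headroom": VHID_LIMIT - carp_count,
        "vhid_conflicts": vhid_conflicts,
        "no_failover": no_failover,
    }

def can_add_carp(config_xml, wanted):
    """True if `wanted` more CARP VIPs fit under the VHID ceiling."""
    return audit_vips(config_xml)["vhid_headroom"] >= wanted
```

    With the sample, the /25 Proxy ARP network is the one entry flagged as not failing over, which is the case the thread resolves by routing that subnet to a CARP IP and using Other VIPs instead.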

