Vip options in 2.0 Beta-4
-
Guys,
Regarding the pfsense book, and this http://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses%3F
In 2.0 i however see:
CARP
PARP
Other
Alias --> new
Is this the same as when I do an ifconfig add inet xxxxxx bge0, for example?
We currently have:
- 24x ip-aliases
- NAT 1:1 those 24 ip's
- Firewall rules through nested aliases: ip-groups + ports groups
Works like a charm! ;)
When we deploy HAproxy shortly, will this work or do i have to revert to CARP?
(which is supposed to be the only type of VIP that the FW itself can use, and since HA works on the FW itself ..)
Do aliases work more or less the same or is this bad practice?
Changing from alias IP to PARP is easy, CARP seems a bit more work but not undo-able.
Any advice is welcome.
Regards,
Mario.
-
In 2.0 i however see:
CARP
PARP
Other
Alias --> new
Is this the same as when I do an ifconfig add inet xxxxxx bge0, for example?
Yeah, that's basically what it is.
-
Thanks for the reply!
I guess then we have to move to carp's then.
If only there was a Pfsense 2.0 errata for that nice book i bought last year (pfsense the … guide) ;)
closed
-
If you want failover with haproxy, you have to use CARP VIPs, IP aliases can only reside on one system. If you have only one system, either IP aliases or CARP IPs are fine.
-
Cmb,
Thank you very much for the speedy reply!
By one system, you mean one pfSense firewall?
I know I can't make it a redundant pfSense 'cluster' this way; we stepped away from that approach because of difficulties with VRRP on the WAN from the ISP, not pfSense's fault as we know, thank you Cisco and IETF ::)
We have
ISP–88.x.x.x.x.-->Pfsense ---> cloud 10.x.x.x. )
Pfsense might get HAproxy to loadbalance ie http to the webservers into the cloud.
Maybe i should have been asking:
If i want to use Haproxy on my pfsense fw to LB to my lan-based servers what is the way to go for the vips? carp?
-
If only there was a Pfsense 2.0 errata for that nice book i bought last year (pfsense the … guide) ;)
There will be a new book, far too much has changed for a simple errata list. :)
-
Hi Jim, I was just kidding, of course! ;D
Great, I'll order a copy the second it comes out. It's a way to sponsor you guys a bit too, I guess ;)
-
By one system, you mean one pfSense firewall?
I know I can't make it a redundant pfSense 'cluster' this way; we stepped away from that approach because of difficulties with VRRP on the WAN from the ISP, not pfSense's fault as we know, thank you Cisco and IETF ::)
You can still use CARP where your provider is using VRRP (though it may create some log noise on both sides, it will work perfectly fine), just make sure you're using different VHIDs.
If i want to use Haproxy on my pfsense fw to LB to my lan-based servers what is the way to go for the vips? carp?
Whichever you want, if you have one it doesn't matter which you use.
-
@cmb:
By one system, you mean one pfSense firewall?
I know I can't make it a redundant pfSense 'cluster' this way; we stepped away from that approach because of difficulties with VRRP on the WAN from the ISP, not pfSense's fault as we know, thank you Cisco and IETF ::)
You can still use CARP where your provider is using VRRP (though it may create some log noise on both sides, it will work perfectly fine), just make sure you're using different VHIDs.
I read that in the book, but i wasn't brave or skilled enough at that time. :P
If i want to use Haproxy on my pfsense fw to LB to my lan-based servers what is the way to go for the vips? carp?
Whichever you want, if you have one it doesn't matter which you use.
OK, clear.
Kewl, this I apparently didn't fully understand from the book then, now I do.
The information here: http://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses%3F should be updated a bit then.
It's a bit misleading. But thank you very much for explaining it!