Virtual IPs explained in terms of eth aliasing (for a Linux visitor)



  • Hello everyone,

    pfSense newbie here, coming from Linux world. This post is about eth aliases in my world. Let me just write that pfSense book has been ordered, but we have to move forward with server room install this weekend, so I have some questions. Nothing like the sense of panic :D
    Also, Apologies if my questions seem naive.

    Here is my understanding of PARP/CARP in terms of eth aliases:
    a) PARP is closest to traditional eth aliasing in Linux world. The only difference is that it doesn't allow ICMP and pings.
    b) CARP allows pings. Primary purpose of CARP appears to be redundancy and fail-over setup with multiple pfSense firewalls.
    c) If one needs ICMP protocol, does it follow that the only option is CARP?

    Our setup in short:

    We bought netGate's dual-pfSense firewall. Software build: 1.2.3-RELEASE.

    We have 4 Dell servers, acting as ESXi physical hosts. Each server will run several VMs. All of them are behind a pfSense firewall, there is no DMZ.

    1. We want to administer Dell physical servers via vSphere. Each server gets one external IP. We don't care about ICMP.
    • CARP or PARP? (Since I don't care about ping, I am willing to say PARP is fine).
    1. For VMs that are to be 1:1 NAT-ed: Some require ping, some don't.
    • CARP or PARP?
    • Or is it CARP if I want ping, PARP if I don't?
    • If CARP, each address must have its own VHID, right?
    1. For VMS that are not 1:1 NAT: Several VMs that belong to same LAN will be served by one external IP address. Depending on different port of that external IP, packets will travel to different VMs. These VMs require ping.
    • CARP or PARP?
    • If CARP, each address must have its own VHID, right?
    1. General CARP setup question: when you say that CARP IP must be the same subnet as the WAN, what you mean is that if our ISP gives us a subnet of /28 form, we should specify /28 (instead of /32) for CARP IP, right?
      On VHIDs: Two addresses should be part of same VHID only for fail-overs, correct? If I want some NAT forwarding and no fail-over, I should always use different VHID?

    2. Finally: we have a Layer 2+ switch (HP v1910). It supports VLAN routing. If we wanted to have 3-4 different LANs, what is the best way to offload this routing onto switch, instead of having it routed via pfSense?

    Thank you very much!

    • M


  • First of all:

    Do not forget to backup config on both boxes before and after config changes.

    Answers:
    1)2)3)If you have two boxes, use only carps for fail-over. Configure a full redundant firewall configuration.

    1. all ips on each interface(vlan or real) must be on same subnet too. The vhid must be unique for each virtual ip and it is used to check health between boxes on each interface(vlan or real) with carp enabled.

    2. If it is a layer2 switch, you will not be able to route between vlans. you will need a layer3 switch.
      Create vlans as much as you need at pfsense, vmware and switch.
      create carps on each interface for fail-over between firewalls.
      Set these virtual ips as gateways on each vlan/virtual machine.

    Considerations:
    Do not forget to configure a sync interface between boxes.

    After all carp settings done, use firewall rules do block/permit what you need(ping, www, ssh,etc).

    Read this if you want to setup a first level DOS prevention on your network.
    http://forum.pfsense.org/index.php?topic=38273.0


Locked