Netgate Discussion Forum
Best way to add a large block of public IPs

Category: HA/CARP/VIPs
6 Posts 3 Posters 2.3k Views
    Gob, last edited Jan 12, 2012, 12:39 PM

    Hi

    I need to configure a pfSense box to replace an old firewall on one of our sites. They have a /29 and a /24 block of public IPs.
    One of the /29 IPs is allocated to their WAN, and I need to add the /24 (256 IP addresses) as virtual IPs to the firewall, primarily for forwarding port 80 to lots of web servers.

    I tried to do this a few years ago using an early BETA of v2.0, but when I added the /24 range as a Proxy ARP network, only 8 IP addresses appeared in the NAT Destination selection list. This problem seems to have been resolved in the latest stable release, but I wondered if there are any performance issues with using Proxy ARP over CARP or IP Alias?

    Any comments welcomed.

    Cheers
    Gordon

    If I fix one more thing than I break in a day, it's a good day!

      marcelloc, last edited Jan 12, 2012, 1:13 PM

      I suggest you configure all these IPs using CARP and also configure a second pfSense to get a fully redundant firewall.

      Elite Training: http://sys-squad.com

      Help a community developer! ;D

        Gob, last edited Jan 12, 2012, 1:18 PM

        Thanks for your reply, Marcelloc.
        I understand your thinking, that if there are a lot of web servers then this should really be a redundant setup.
        However, the web servers are all development/staging boxes, and HA isn't really a requirement for the public-facing access.

        So is there a benefit to using CARP over Proxy ARP if we are not using redundant boxes?

        If I fix one more thing than I break in a day, it's a good day!

          marcelloc, last edited Jan 12, 2012, 1:33 PM

          This way you can use IP Alias or Proxy ARP. CARP is mostly used for redundant setups.

          Elite Training: http://sys-squad.com

          Help a community developer! ;D

            Gob, last edited Jan 12, 2012, 1:37 PM

            OK, thanks

            With IP Alias I would have to enter each IP manually, so I guess Proxy ARP is the simplest to go for.

            If I fix one more thing than I break in a day, it's a good day!

              cmb, last edited Feb 1, 2012, 2:43 AM
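As an added example (not code from the thread or from the pfSense project), the script below shows the two choices the thread weighs: a single Proxy ARP entry covering the whole /24 versus one IP Alias entry per host, generated rather than typed by hand, plus a sanity check that the VIP block does not overlap the WAN /29. The address ranges are constructed RFC 5737 documentation space, and the config.xml tag layout (vip, mode, interface, type, subnet, subnet_bits, descr) is an assumption about pfSense's format, not taken from the page.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample ranges (RFC 5737 documentation space) standing in for the
# site's real /29 and /24, which the thread does not name.
WAN_BLOCK = ipaddress.ip_network("192.0.2.0/29")
WAN_ADDR = ipaddress.ip_address("192.0.2.2")
PUBLIC_BLOCK = ipaddress.ip_network("198.51.100.0/24")

def check_layout(wan_block, wan_addr, vip_block):
    """Checks worth doing before adding VIPs: the WAN address sits inside the
    /29 and the VIP block does not overlap it (an overlapping VIP network
    would compete with the WAN subnet itself)."""
    if wan_addr not in wan_block:
        raise ValueError(f"{wan_addr} is not inside {wan_block}")
    if wan_block.overlaps(vip_block):
        raise ValueError(f"{vip_block} overlaps the WAN block {wan_block}")
    return True

def proxyarp_entry(vip_block, iface="wan"):
    """One Proxy ARP VIP of type 'network' covers the whole block: pfSense
    answers ARP for every address in it, with nothing to type per host."""
    return {"mode": "proxyarp", "interface": iface, "type": "network",
            "subnet": str(vip_block.network_address),
            "subnet_bits": str(vip_block.prefixlen),
            "descr": f"Proxy ARP block {vip_block}"}

def ipalias_entries(vip_block, iface="wan"):
    """One IP Alias VIP per usable host (network and broadcast addresses are
    skipped): the per-IP work the thread mentions, generated so the list is
    complete and free of typos."""
    return [{"mode": "ipalias", "interface": iface, "type": "single",
             "subnet": str(host), "subnet_bits": str(vip_block.prefixlen),
             "descr": f"Alias {host}"} for host in vip_block.hosts()]

def to_xml(entries):
    """Render entries as a <virtualip> element using the assumed config.xml
    tag names (vip/mode/interface/type/subnet/subnet_bits/descr)."""
    root = ET.Element("virtualip")
    for entry in entries:
        vip = ET.SubElement(root, "vip")
        for key, value in entry.items():
            ET.SubElement(vip, key).text = value
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    check_layout(WAN_BLOCK, WAN_ADDR, PUBLIC_BLOCK)
    print(to_xml([proxyarp_entry(PUBLIC_BLOCK)]))
    print(len(ipalias_entries(PUBLIC_BLOCK)), "IP Alias entries would be needed")
```

Note that the /24 yields 254 alias entries, not 256, because the network and broadcast addresses are not usable hosts.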

              Performance isn't relevant to VIPs. It's best to have the bigger subnet routed to an IP in your smaller subnet, but VIPs are generally fine too, though that gives you less flexibility on using the second subnet.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.