Using CARP with Proxy-ARP and 1:1 NAT



  • My apologies if this has been asked before, but I did not see it in the search archives.

    I've recently upgraded from a single edge firewall to a dual edge firewall using CARP and PFsync. All of this seems to be working fine so far.

    Generally speaking, we have a range of IP addresses assigned from the ISP. For public services (web servers, etc) I usually will assign a 1:1 NAT here and then utilize Proxy-ARP in order to provide NAT for the service.

    How would this work with a CARP and redundant firewall setup? I tried to assign the Proxy-ARP address to the CARP address, however this error is received:

    The following input errors were detected:

    For this type of VIP, a CARP parent is not allowed.

    Ideally, I would want the online, active firewall to respond to the ARP request for the internal server, translate the IP packet and then forward it along to the internal server. Is there any way to ensure this will happen? Will the secondary firewall respond to Proxy-Arp requests? If they both respond, I'm assuming whichever firewall responds last will win, due to the stateless nature of ARP packets.

    I guess worst case scenario we would have asymmetric routing, that isn't the end of the world. I can probably also accomplish this with port forwarding and manual outbound NAT.

    Thanks in advance for any advice anyone has.

    Josh



  • Okay, after doing a bit more searching it looks like in a redundant firewall setup you cannot use Proxy-ARP, for exactly the reason I was thinking, that you will both firewalls responding to the request thereby creating issues.

    It seems the solution is to create a CARP interface for each 1:1 NAT. Additionally, in 2.x you can create an IP Alias and tie that alias to the primary CARP interface. This is what I was trying to do with the Proxy-ARP configuration but couldn't.

    I'll give this setup a test and let everyone know if it works out.


Locked