VIP stacking methodology
-
I just wanted some verification on whether or not I'm thinking about this the right way.
I have a service provider that currently uses a /30 between us and them, and routes 3 /27 networks to us for handling. If I want to use pfSense with CARP on WAN I need to get that range switched to a /29 so I have enough IP addresses to set up and use for CARP.
What I'm doing now is configuring an AliasIP on each node, in each of the /27 networks.
Then I'm adding a CARP address in that range.
Then I'm adding IP Alias addresses on top of that CARP instance to fill out the rest of the range. Has anyone done this and can you verify functionality?
-
If the blocks are routed to your CARP VIP in your interconnect, then you don't need to add them as VIPs at all on the WAN if you intend to use them for NAT.
You only need CARP VIPs in that case if the firewall needs to bind to the IPs for things like OpenVPN, IPsec, packages, etc.
If you really do need CARP VIPs in multiple subnets, then yes what you describe should work.
-
Testing this now. You've just shed a huge light on things for me jimp!
-
I forgot to mention: If you want to use those IPs for outbound NAT or port forwards, you can simply add them as "other" type VIPs.
And on 2.1 you don't even need CARP VIPs for the cases where binding is needed. You can set up IP aliases on localhost to use routed IPs for binding services.
-
I am using 2.1; test results show 1:1 NAT working perfectly without a VIP configured for the WAN IP used in the translation rule. I assume adding an "other" VIP just makes it show up in the drop-down lists for selection when creating rules within the UI?
I didn't realize that I could create an Alias on top of the CARP address using a subnet other than the one on the interconnect. The help page on VIPs says:
Subnet mask should match the interface IP, or be /32. Matching the interface subnet is advised. For IPs in different subnets at least one IP alias VIP must have the correct mask for the new subnet.
I'm assuming this means that if I'm using a single Alias, that I have to make it /27 for it to work as expected but if I create others within that range they need to be /32 because the subnet on the CARP interface will be /29?
Thanks again!
-
I understand a little more now, setting up the Alias on Localhost claims the address for use.
If I want to run OpenVPN on the edge and have the changes sync across nodes, I assume I'll have to use what I described in my last post though, right? Or can I define the same Alias on both nodes on localhost manually to get the same effect? I'd rather the config was handled entirely in pfsync.
-
Yes, other VIPs just add entries in drop-down lists. They don't actually "do" anything on the network.
You can do IP alias on CARP if they're in the same subnet.
The combination you describe is a bit different:
Subnet A
Interface IP in Subnet A on Primary, Interface IP in Subnet A on Secondary, CARP VIP in Subnet A
Subnet B
IP Alias in Subnet B on Primary, IP Alias in Subnet B on Secondary, CARP VIP IP in Subnet B
The "stacking" happens like so:
CARP VIP #1 in Subnet A
IP Alias #1 on CARP VIP #1 in Subnet A
IP Alias #2 on CARP VIP #1 in Subnet A
IP Alias #3 on CARP VIP #1 in Subnet A
…
The stacking lets you avoid having a bunch of VHIDs in use and thus a bunch of multicast CARP heartbeats. They will also fail as one instead of each doing their own checks.
For OpenVPN, an IP alias on localhost in one of those subnets will work fine on 2.1. On 2.0.x there isn't a way to express that in the GUI, but IIRC if you make the change manually in the config it does work.
Or just use the CARP VIP in your interconnect subnet for OpenVPN and don't worry about any of that.
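To make the mask rule quoted from the VIP help page and the stacking layout above concrete, here is an added example (my own code, not part of this thread and not pfSense's code) that builds a stacked alias plan for routed blocks and checks it against that rule: every alias mask must match the interface subnet or be /32, and for each foreign subnet at least one alias must carry that subnet's real mask. The addresses are constructed from RFC 5737 documentation ranges; the /29 interconnect, the three /27 blocks and the CARP VIP address are assumptions standing in for the poster's real allocation.

```python
"""Plan checker for IP alias VIPs stacked on one CARP VIP (added example, not pfSense code)."""
import ipaddress

# Constructed topology: the /29 interconnect with the provider and three /27 blocks
# routed to the CARP VIP. Real values would come from the provider allocation.
INTERCONNECT = ipaddress.ip_network("203.0.113.0/29")
ROUTED_BLOCKS = [
    ipaddress.ip_network("198.51.100.0/27"),
    ipaddress.ip_network("198.51.100.32/27"),
    ipaddress.ip_network("198.51.100.64/27"),
]
CARP_VIP = ipaddress.ip_interface("203.0.113.3/29")  # assumed CARP address in the interconnect


def build_stacked_plan(routed_blocks):
    """Return IP alias strings to stack on the single CARP VIP.

    For each routed block the first usable host carries the block's own mask
    (so the firewall learns the subnet); every further host is a /32. All of them
    ride on one VHID, which is the point of stacking.
    """
    aliases = []
    for block in routed_blocks:
        hosts = list(block.hosts())
        aliases.append(f"{hosts[0]}/{block.prefixlen}")
        aliases.extend(f"{h}/32" for h in hosts[1:])
    return aliases


def check_stack(carp_vip, interconnect, routed_blocks, aliases):
    """Validate IP alias VIPs stacked on a CARP VIP against the help-page rule.

    Checks:
      * the CARP VIP itself sits in the interconnect subnet with its mask;
      * an alias inside the interconnect uses the interface mask or /32;
      * an alias in a routed block uses that block's mask or /32;
      * every routed block that has aliases has at least one with the full mask;
      * no alias falls outside the interconnect and the routed blocks.
    Returns a list of problem strings; an empty list means the plan is consistent.
    """
    problems = []
    if carp_vip.ip not in interconnect or carp_vip.network.prefixlen != interconnect.prefixlen:
        problems.append(f"CARP VIP {carp_vip} is not in the interconnect {interconnect}")

    full_mask_seen = {}  # routed block -> True once an alias carries the block's own mask
    for alias in (ipaddress.ip_interface(a) for a in aliases):
        plen = alias.network.prefixlen
        if alias.ip in interconnect:
            if plen not in (interconnect.prefixlen, 32):
                problems.append(
                    f"{alias}: mask must be /{interconnect.prefixlen} or /32 inside the interconnect")
            continue
        block = next((b for b in routed_blocks if alias.ip in b), None)
        if block is None:
            problems.append(f"{alias}: not in the interconnect or any routed block")
            continue
        if plen not in (block.prefixlen, 32):
            problems.append(f"{alias}: mask must be /{block.prefixlen} or /32 for block {block}")
        full_mask_seen[block] = full_mask_seen.get(block, False) or plen == block.prefixlen

    for block, seen in full_mask_seen.items():
        if not seen:
            problems.append(
                f"{block}: no alias carries /{block.prefixlen}; add one so the subnet is defined")
    return problems


if __name__ == "__main__":
    plan = build_stacked_plan(ROUTED_BLOCKS)
    print(f"{len(plan)} aliases on one CARP VIP; problems: {check_stack(CARP_VIP, INTERCONNECT, ROUTED_BLOCKS, plan)}")
    # A plan made only of /32 entries never defines the /27 and is flagged:
    print(check_stack(CARP_VIP, INTERCONNECT, ROUTED_BLOCKS, ["198.51.100.1/32", "198.51.100.2/32"]))
```

The generated plan is exactly the "IP Alias #1, #2, #3 ... on CARP VIP #1" layout described above, so the whole set fails over as one unit; the checker is what to run against a hand-built list before entering it in the GUI, because a list consisting only of /32 aliases passes every per-entry check yet leaves the routed subnet undefined.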
-
Binding the Alias to localhost worked a treat. I read that you shouldn't bind it to the WAN interfaces because it'll cause an IP conflict. I also noticed that Aliases bound on those interfaces don't sync over XMLRPC; however, an Alias bound to localhost synchronizes as expected.
Thanks again for all your help. This NAT/Other VIP stuff is much quicker to configure.