Need some clarification on Virtual IPs and how they relate to rules.



  • Let's say I have the following virtual IPs:

    Address            VHID     Interface   Type   Description
    162.x.x.225/29     vhid 1   OUTSIDE     carp   OUTSIDE CARP IP (MGNT, OFFICE)
    162.x.x.226/29     vhid 2   OUTSIDE     carp   OUTSIDE CARP IP (TENANT)
    192.168.10.1/24    vhid 3   MGNT        carp   MGNT CARP IP
    192.168.20.1/24    vhid 4   OFFICE      carp   OFFICE CARP IP
    172.16.0.1/22      vhid 5   TENANT      carp   TENANT CARP IP

    The first two are WAN (OUTSIDE) IPs that I use for assigning different subnets different public IP addresses. My Office and Management Network utilize the .225 address while the tenant network utilizes the .226 network. I just make these translations using NAT. Works great.

    Now, here is where my confusion begins.

    Does the "MGNT Address" alias that can be selected for source/destination also include any virtual IPs? So let's say on my tenant ruleset I include a block, Tenant Address dest, port 80, 443, and 22 (to block access to the webgui and ssh), will this also block traffic that is destined for the tenant carp ip (172.16.0.1)? The Tenant Address on the left box is 172.16.0.2 and the right box is 172.16.0.3.


  • Rebel Alliance Developer Netgate

    The "XXXX address" macros only use the actual interface IP, not VIPs.
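The practical consequence of that answer, as an added example (not pfSense code and not from either poster): a small model of how the "TENANT address" macro expands on each box and an audit that lists which of the firewall's own addresses on that interface a block rule leaves uncovered. The interface addresses (172.16.0.2 on the left box, 172.16.0.3 on the right) and the CARP VIP 172.16.0.1 come from the thread; the Box class, the explicit alias and the function names are assumptions made for the illustration.

```python
"""
Model of pfSense "<Interface> address" macro expansion in a firewall rule,
following the answer above: the macro resolves to the interface's own IP
only, never to CARP (or other) VIPs configured on that interface.

Example code added to this thread; not pfSense code.  Addresses are the
ones from the question; the alias and helper names are constructed.
"""
import ipaddress
from dataclasses import dataclass, field

# Ports the question's block rule covers (webgui + ssh).
BLOCKED_PORTS = {22, 80, 443}


@dataclass
class Box:
    """One firewall node in the CARP pair (hypothetical model class)."""
    name: str
    iface_ips: dict                              # interface -> this box's own IP
    vips: dict = field(default_factory=dict)     # interface -> list of shared VIPs


def _ip(s: str) -> str:
    """Normalise/validate a dotted-quad string (rejects typos early)."""
    return str(ipaddress.ip_address(s))


def expand_address_macro(box: Box, iface: str) -> set:
    """'<IFACE> address' -> only the interface's real IP, per the answer."""
    return {_ip(box.iface_ips[iface])}


def firewall_ips_on(box: Box, iface: str) -> set:
    """Every address this box answers on for the interface: own IP + VIPs
    it may hold as CARP master."""
    return {_ip(box.iface_ips[iface])} | {_ip(v) for v in box.vips.get(iface, [])}


def rule_blocks(dest_set: set, dst_ip: str, dst_port: int) -> bool:
    """Does a 'block ... dest <dest_set> port <BLOCKED_PORTS>' rule match?"""
    return _ip(dst_ip) in dest_set and dst_port in BLOCKED_PORTS


def uncovered_firewall_ips(box: Box, iface: str, dest_set: set) -> set:
    """Audit helper: firewall-owned addresses on `iface` that the rule's
    destination set does NOT include, i.e. where webgui/ssh stays reachable."""
    return firewall_ips_on(box, iface) - {_ip(d) for d in dest_set}


if __name__ == "__main__":
    left = Box("left", {"TENANT": "172.16.0.2"}, {"TENANT": ["172.16.0.1"]})
    right = Box("right", {"TENANT": "172.16.0.3"}, {"TENANT": ["172.16.0.1"]})

    for box in (left, right):
        macro = expand_address_macro(box, "TENANT")
        print(box.name, "TENANT address ->", macro)
        print("  VIP 172.16.0.1:443 blocked?", rule_blocks(macro, "172.16.0.1", 443))
        print("  uncovered:", uncovered_firewall_ips(box, "TENANT", macro))

    # Constructed remediation: an explicit alias that lists the VIP as well.
    tenant_fw_alias = {"172.16.0.2", "172.16.0.3", "172.16.0.1"}
    print("alias uncovered on left:",
          uncovered_firewall_ips(left, "TENANT", tenant_fw_alias))
```

Running it shows the gap the answer implies: on each box the macro expands to that box's own .2 or .3 address, so a block rule on "TENANT address" does not match traffic to the CARP VIP 172.16.0.1, and `uncovered_firewall_ips` reports the VIP on both nodes. Replacing the macro with an alias that explicitly lists the VIP (the constructed `tenant_fw_alias`) empties the uncovered set.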