Need some clarification on Virtual IPs and how they relate to rules.

cmcdonald

Let's say I have the following virtual IPs:

162.x.x.225/29	 (vhid 1)	 OUTSIDE 	carp	 OUTSIDE CARP IP (MGNT, OFFICE) 	
162.x.x.226/29	 (vhid 2)	 OUTSIDE 	carp	 OUTSIDE CARP IP (TENANT) 	
192.168.10.1/24	 (vhid 3)	 MGNT 	carp	 MGNT CARP IP 	
192.168.20.1/24	 (vhid 4)	 OFFICE 	carp	 OFFICE CARP IP 	
172.16.0.1/22	 (vhid 5)	 TENANT 	carp	 TENANT CARP IP

The first two are WAN (OUTSIDE) IPs that I use for assigning different subnets different public IP addresses. My Office and Management Network utilize the .225 address while the tenant network utilizes the .226 network. I just make these translations using NAT. Works great.

Now, here is where my confusing begins.

Does the "MGNT Address" alias that can be selected for source/destination also include any virtual IPs? So lets say on my tenant ruleset I include a block, Tenant Address dest, port 80, 443, and 22 (to block access to the webgui and ssh), will this also block traffic that is destined for the tenant carp ip (172.16.0.1)? The Tenant Address on the left box is 172.16.0.2 and the right box is 172.16.0.3.

jimp

The "XXXX address" macros only use the actual interface IP, not VIPs.