1:1 NAT and CARP or VIP?



  • I currently have two pfSense 2.0.3 boxes running CARP. Everything works great, but I noticed VIPs don't replicate over to the standby member. I'm thinking they need to be CARP IPs?

    Here is my situation, I have a /27 of public IPs from my co-lo provider. I use 1:1 NAT and I set each address up as a VIP on the primary firewall. (The WAN/LAN/DMZ addresses are CARP.)

    Should I just manually enter the VIPs onto the standby member or should I re-configure the VIPs on the primary member as CARP addresses?

    If I need to reconfigure as CARP, will it affect my existing 1:1 NAT mappings and/or firewall rules?

    Thanks!


  • Rebel Alliance Developer Netgate

    Is the /27 given to you just your WAN subnet?
    Or is your WAN subnet a separate subnet and the /27 routed to you?

    If the /27 is your WAN subnet, you will need to make all of those VIPs be CARP VIPs (or aliases using the CARP VIP as their interface).

    If the /27 is routed to you, then you don't need VIPs at all or you could use 'other' type VIPs or IP alias VIPs bound to localhost as their interface.

    Your 1:1 NAT entries shouldn't need to change at all.



  • @jimp:

    Is the /27 given to you just your WAN subnet?
    Or is your WAN subnet a separate subnet and the /27 routed to you?

    If the /27 is your WAN subnet, you will need to make all of those VIPs be CARP VIPs (or aliases using the CARP VIP as their interface).

    If the /27 is routed to you, then you don't need VIPs at all or you could use 'other' type VIPs or IP alias VIPs bound to localhost as their interface.

    Your 1:1 NAT entries shouldn't need to change at all.

    Hi Jim,

    I'm not sure I understand the distinction between being routed or not.

    Here is how we are set up:

    Let's say my /27 is 192.168.1.0/27.

    192.168.1.1 is a gateway provided by my co-lo facility. They also take .2, .3 for their devices. I have .4 configured as a CARP with the WAN being a parent. .4 and .5 are the static IP assignments on the WAN interface of each pfSense device. .1 is my WAN interface gateway.


  • Rebel Alliance Developer Netgate

    So it's your WAN subnet, and needs VIPs.
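
    The rule jimp gives above (public block is the WAN subnet: every 1:1 NAT VIP must be a CARP VIP or an IP alias whose parent is a CARP VIP; block is routed to you: VIPs are optional, and 'other' type or IP alias on localhost is enough) can be turned into a small audit script. The following is an added example, not code from the thread or from pfSense; the `Vip` record, the function names and the 192.168.1.0/27 sample addresses are constructed to mirror the layout described in the thread, and the mode strings `carp`, `ipalias` and `other` are just labels for the three pfSense VIP types discussed. It also counts which addresses in the /27 are still free for 1:1 NAT once the provider's and the firewalls' own addresses are set aside.

```python
"""Audit virtual IPs for CARP failover suitability (added example, not pfSense code).

Encodes the rule from the thread: if the public block IS the WAN subnet, a 1:1 NAT
VIP only survives failover as a CARP VIP or as an IP alias riding on a CARP VIP; if
the block is routed to the firewall pair, 'other' VIPs or IP aliases on lo0 suffice.
All addresses and VIP records below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Vip:
    address: str    # the public IP the VIP represents
    mode: str       # "carp", "ipalias" or "other" (labels for the pfSense VIP types)
    interface: str  # "wan", "lo0", or the address of a CARP VIP used as the parent


def classify_public_block(wan_subnet: str, public_block: str) -> str:
    """Return "wan" when the public block overlaps the WAN subnet, else "routed".

    wan_subnet is the WAN interface address in CIDR form (e.g. "192.168.1.4/27");
    strict=False lets ipaddress derive the network from a host address.
    """
    wan = ipaddress.ip_network(wan_subnet, strict=False)
    block = ipaddress.ip_network(public_block, strict=False)
    return "wan" if wan.overlaps(block) else "routed"


def vip_fails_over(vip: Vip, block_kind: str, carp_addresses: set[str]) -> tuple[bool, str]:
    """Decide whether a single VIP keeps answering after the CARP master changes."""
    if block_kind == "wan":
        if vip.mode == "carp":
            return True, "CARP VIP: both nodes know it, master answers for it"
        if vip.mode == "ipalias" and vip.interface in carp_addresses:
            return True, "IP alias on a CARP VIP parent: follows the CARP master"
        return False, f"{vip.mode} VIP on {vip.interface}: defined on one node only"
    # Routed block: upstream forwards the whole block to the CARP WAN address,
    # so the firewall does not need to own each address on the wire.
    if vip.mode == "other" or (vip.mode == "ipalias" and vip.interface == "lo0"):
        return True, "routed block: NAT works without a per-node address on WAN"
    if vip.mode == "carp":
        return True, "CARP VIP: works, though not required for a routed block"
    return False, f"{vip.mode} VIP on {vip.interface}: not one of the forms that survive failover"


def audit(wan_subnet: str, public_block: str, vips: Iterable[Vip]) -> list[tuple[str, bool, str]]:
    """Return (address, survives_failover, reason) for every VIP."""
    vips = list(vips)
    kind = classify_public_block(wan_subnet, public_block)
    carp_addresses = {v.address for v in vips if v.mode == "carp"}
    return [(v.address, *vip_fails_over(v, kind, carp_addresses)) for v in vips]


def usable_nat_addresses(public_block: str, reserved: Iterable[str]) -> list[str]:
    """Host addresses in the block not already taken by the provider or the firewalls."""
    block = ipaddress.ip_network(public_block, strict=False)
    taken = {ipaddress.ip_address(a) for a in reserved}
    return [str(h) for h in block.hosts() if h not in taken]


if __name__ == "__main__":
    # Constructed to mirror the thread: the /27 is also the WAN subnet, .1 is the
    # provider gateway, .2/.3 provider gear, .4/.5 the two firewall nodes.
    WAN, BLOCK = "192.168.1.4/27", "192.168.1.0/27"
    vips = [
        Vip("192.168.1.6", "ipalias", "wan"),          # as originally set up: primary only
        Vip("192.168.1.7", "carp", "wan"),             # the recommended form
        Vip("192.168.1.8", "ipalias", "192.168.1.7"),  # alias riding on the CARP VIP
    ]
    for addr, ok, why in audit(WAN, BLOCK, vips):
        print(f"{addr:<14} {'OK  ' if ok else 'FAIL'} {why}")
    reserved = [f"192.168.1.{i}" for i in range(1, 6)]
    print(len(usable_nat_addresses(BLOCK, reserved)), "addresses free for 1:1 NAT")
```

    Run it against your own VIP list before a planned failover test: any FAIL line is an address that will stop answering when the secondary becomes master, which is exactly the symptom of an IP alias VIP that was never replicated to the standby node.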



  • @jimp:

    So it's your WAN subnet, and needs VIPs.

    Can I just change the type from IP Alias to CARP and set the password/skew/vhid appropriately?


  • Rebel Alliance Developer Netgate

    Yes.



  • @jimp:

    Yes.

    Perfecto! Thanks Jim!

