1:1 NAT and CARP or VIP?
-
I currently have two pfSense 2.0.3 boxes running CARP. Everything works great, but I noticed VIPs don't replicate over to the standby member. I'm thinking they need to be CARP IPs?
Here is my situation, I have a /27 of public IPs from my co-lo provider. I use 1:1 NAT and I set each address up as a VIP on the primary firewall. (The WAN/LAN/DMZ addresses are CARP.)
Should I just manually enter the VIPs onto the standby member or should I re-configure the VIPs on the primary member as CARP addresses?
If I need to reconfigure as CARP, will it affect my existing 1:1 NAT mappings and/or firewall rules?
Thanks!
-
Is the /27 given to you just your WAN subnet?
Or is your WAN subnet a separate subnet and the /27 routed to you?
If the /27 is your WAN subnet, you will need to make all of those VIPs be CARP VIPs (or aliases using the CARP VIP as their interface).
If the /27 is routed to you, then you don't need VIPs at all or you could use 'other' type VIPs or IP alias VIPs bound to localhost as their interface.
Your 1:1 NAT entries shouldn't need to change at all.
-
Is the /27 given to you just your WAN subnet?
Or is your WAN subnet a separate subnet and the /27 routed to you?
If the /27 is your WAN subnet, you will need to make all of those VIPs be CARP VIPs (or aliases using the CARP VIP as their interface).
If the /27 is routed to you, then you don't need VIPs at all or you could use 'other' type VIPs or IP alias VIPs bound to localhost as their interface.
Your 1:1 NAT entries shouldn't need to change at all.
Hi Jim,
I'm not sure I understand the distinction between being routed or not.
Here is how we are set up:
Let's say my /27 is 192.168.1.0/27.
192.168.1.1 is a gateway provided by my co-lo facility. They also take .2, .3 for their devices. I have .4 configured as a CARP with the WAN being a parent. .4 and .5 are the static IP assignment on the WAN interface of each pfSense device. .1 is my WAN interface gateway.
-
So it's your WAN subnet, and needs VIPs.
-
So it's your WAN subnet, and needs VIPs.
Can I just change the type from IP Alias to CARP and set the password/skew/vhid appropriately?
-
Yes.
-
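The rule the thread settles on (addresses inside the WAN subnet must be CARP VIPs to follow a failover; addresses from a routed block can be IP alias or 'other' VIPs) is easy to check mechanically against a config backup. The script below is an added example, not code from the thread or from the pfSense project: it parses a constructed config.xml fragment laid out the way pfSense 2.x backups store `<interfaces>/<wan>`, `<virtualip>/<vip>` and `<nat>/<onetoone>` (an assumption about element names; verify against your own backup), and reports VIPs inside the WAN subnet that are not CARP, CARP VIPs with an empty password or a reused VHID, and 1:1 NAT externals that have no VIP behind them at all. All addresses in the sample are made up.

```python
"""Audit a pfSense-style config.xml for VIPs that will not survive a CARP failover."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample config. Assumption: element names follow the pfSense 2.x
# config.xml layout (<interfaces>/<wan>, <virtualip>/<vip>, <nat>/<onetoone>);
# the addresses are invented for this example.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>em0</if><ipaddr>192.168.1.4</ipaddr><subnet>27</subnet></wan>
  </interfaces>
  <virtualip>
    <vip><mode>carp</mode><interface>wan</interface><vhid>1</vhid><advskew>0</advskew>
         <password>s3cret</password><subnet>192.168.1.6</subnet><subnet_bits>27</subnet_bits></vip>
    <vip><mode>ipalias</mode><interface>wan</interface>
         <subnet>192.168.1.7</subnet><subnet_bits>27</subnet_bits></vip>
    <vip><mode>carp</mode><interface>wan</interface><vhid>2</vhid><advskew>0</advskew>
         <password></password><subnet>192.168.1.8</subnet><subnet_bits>27</subnet_bits></vip>
    <vip><mode>ipalias</mode><interface>lo0</interface>
         <subnet>203.0.113.5</subnet><subnet_bits>32</subnet_bits></vip>
  </virtualip>
  <nat>
    <onetoone><interface>wan</interface><external>192.168.1.6</external>
              <source><address>10.0.0.6</address></source></onetoone>
    <onetoone><interface>wan</interface><external>192.168.1.9</external>
              <source><address>10.0.0.9</address></source></onetoone>
    <onetoone><interface>wan</interface><external>203.0.113.5</external>
              <source><address>10.0.0.5</address></source></onetoone>
  </nat>
</pfsense>
"""


def wan_network(root):
    """Return the WAN interface's subnet as an ip_network object."""
    wan = root.find("interfaces/wan")
    iface = ipaddress.ip_interface(f"{wan.findtext('ipaddr')}/{wan.findtext('subnet')}")
    return iface.network


def audit_vips(config_xml):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    root = ET.fromstring(config_xml)
    net = wan_network(root)
    findings = []
    vip_modes = {}   # address -> mode, used to check 1:1 NAT coverage
    seen_vhids = {}  # vhid -> address, used to catch reused VHIDs

    for vip in root.iterfind("virtualip/vip"):
        addr = ipaddress.ip_address(vip.findtext("subnet"))
        mode = vip.findtext("mode")
        iface = vip.findtext("interface")
        vip_modes[addr] = mode

        # An address on the WAN segment must be CARP, or it stays on one box only.
        if addr in net and mode != "carp":
            findings.append(
                f"{addr}: {mode} VIP on {iface} lies in WAN subnet {net} "
                f"but is not CARP, so it will not fail over")

        if mode == "carp":
            if not vip.findtext("password"):
                findings.append(f"{addr}: CARP VIP has an empty password")
            vhid = vip.findtext("vhid")
            if vhid in seen_vhids:
                findings.append(f"{addr}: VHID {vhid} already used by {seen_vhids[vhid]}")
            seen_vhids[vhid] = addr

    # Every 1:1 NAT external address needs some VIP, whatever its type.
    for rule in root.iterfind("nat/onetoone"):
        ext = ipaddress.ip_address(rule.findtext("external"))
        if ext not in vip_modes:
            findings.append(f"1:1 NAT external {ext}: no VIP defined for this address")

    return findings


if __name__ == "__main__":
    for line in audit_vips(SAMPLE_CONFIG):
        print(line)
```

Run it against a backup exported from the primary (Diagnostics > Backup/Restore) before converting anything; the routed-block VIP on `lo0` passes untouched, while the IP alias sitting on the WAN segment is the one the thread says to convert to CARP.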