Questions about VIPs and NAT in Failover Setups
-
Hello,
Hopefully these are simple questions.
1) Do 1:1 NAT rules automatically failover? If not, what do I have to do to allow this?
2) I have noticed that if I set up a 1:1 NAT for an IP in the same netblock as the IP on the interface, it does not work unless I add the IP as a VIP. e.g. My WAN IP is 111.111.111.3/29, the ISP gateway IP is 111.111.111.1, the CARP IP is 111.111.111.2 and I have a 1:1 NAT set up using 111.111.111.5.
2a) When a VIP is created for an IP that is also used for 1:1 NAT, should that VIP be created a certain way? e.g. Bind them to the CARP IP.
2b) However, 1:1 NATs for IPs on a routed subnet work without the need for VIPs. If I do not have VIPs created for these 1:1 NATs, will they failover?
3) I have not been in a situation where I found the need to use Proxy ARP and, based on the descriptions I have read, I do not really understand how it works for pfSense. Does anyone have some good sources that explain its use, specifically with pfSense? Maybe a tutorial where I could set up something to test a Proxy ARP setup.
Actually, my real question about Proxy ARP follows. Is Proxy ARP not an option in failover setups? Or is it that Proxy ARP can exist, but it will not failover between the firewalls? Then again, it looks like 2.1 allows you to attach a Proxy ARP to a CARP VIP, but I have not actually tried to save that config to know if pfSense generates an error, if creating a Proxy ARP like this breaks anything, or if maybe the PARP just doesn't work.
Thank you!
-
1- Provided they are used with a CARP VIP or subnets routed to a CARP VIP, yes
2a- Yes, CARP VIP or IP alias w/CARP VIP as its interface
2b- Yes, provided your routed subnet is routed via your CARP VIP
3- Proxy ARP won't work with failover, it would cause an IP conflict. All it does is listen for ARP requests for the IPs it is given and answer with the firewall's MAC on the appropriate interface. That's really all there is to it. See here for more info.
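As an added example (not part of the reply above, and not pfSense code), here is a small checker for the IP-conflict point made in answer 3. A CARP VIP is answered with the shared virtual MAC 00:00:5e:00:01:&lt;vhid&gt;, so master and backup look identical at layer 2 and failover is invisible to the upstream router. Proxy ARP answers with each firewall's own interface MAC, so two firewalls both proxying the same IP produce two different answers for it. The script parses lines in the style of `tcpdump -e -n arp` output (the sample capture is constructed, with assumed MAC addresses and VHID 5, to match the addresses in the question) and flags any IP that more than one MAC claims.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `tcpdump -e -n arp` output (not a real capture).
# Assumed: VHID 5 for the CARP VIP 111.111.111.2, and two firewall WAN NICs
# 00:0c:29:aa:aa:01 (primary) and 00:0c:29:bb:bb:02 (secondary).
SAMPLE_ARP_REPLIES = """\
10:00:00.000100 00:00:5e:00:01:05 > 00:11:22:33:44:55, ethertype ARP (0x0806), length 42: Reply 111.111.111.2 is-at 00:00:5e:00:01:05, length 28
10:00:00.000200 00:0c:29:aa:aa:01 > 00:11:22:33:44:55, ethertype ARP (0x0806), length 42: Reply 111.111.111.3 is-at 00:0c:29:aa:aa:01, length 28
10:00:00.000300 00:0c:29:aa:aa:01 > 00:11:22:33:44:55, ethertype ARP (0x0806), length 42: Reply 111.111.111.5 is-at 00:0c:29:aa:aa:01, length 28
10:00:00.000400 00:0c:29:bb:bb:02 > 00:11:22:33:44:55, ethertype ARP (0x0806), length 42: Reply 111.111.111.5 is-at 00:0c:29:bb:bb:02, length 28
10:05:00.000500 00:00:5e:00:01:05 > 00:11:22:33:44:55, ethertype ARP (0x0806), length 42: Reply 111.111.111.2 is-at 00:00:5e:00:01:05, length 28
"""

# Matches the "Reply <ip> is-at <mac>" part of a tcpdump ARP line.
ARP_REPLY_RE = re.compile(
    r"Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

# IANA VRRP/CARP virtual MAC range; the last octet is the VHID.
CARP_VMAC_PREFIX = "00:00:5e:00:01:"


def parse_replies(lines):
    """Map each IP seen in an ARP reply to the set of MACs that claimed it."""
    seen = defaultdict(set)
    for line in lines:
        m = ARP_REPLY_RE.search(line)
        if m:
            seen[m.group("ip")].add(m.group("mac").lower())
    return seen


def carp_vhid(mac):
    """Return the VHID if `mac` is a CARP virtual MAC, otherwise None."""
    mac = mac.lower()
    if mac.startswith(CARP_VMAC_PREFIX):
        return int(mac[-2:], 16)
    return None


def classify(seen):
    """Label each IP: 'carp' (one virtual MAC, failover-safe), 'single'
    (one physical MAC, e.g. a node's own interface IP), or 'conflict'
    (several MACs answer, which is what duplicate proxy ARP produces)."""
    result = {}
    for ip, macs in seen.items():
        if len(macs) > 1:
            result[ip] = "conflict"
        else:
            (mac,) = macs
            result[ip] = "carp" if carp_vhid(mac) is not None else "single"
    return result


def analyze(capture_text):
    """Convenience wrapper: raw tcpdump-style text in, {ip: label} out."""
    return classify(parse_replies(capture_text.splitlines()))


if __name__ == "__main__":
    for ip, label in sorted(analyze(SAMPLE_ARP_REPLIES).items()):
        print(f"{ip:16} {label}")
```

In the sample, 111.111.111.2 is answered twice (once per node across a failover) but always with the same virtual MAC, so it is labelled `carp`; 111.111.111.5, proxied by both firewalls, is answered by two different NIC MACs and is labelled `conflict`. To run this against a real capture, feed it the output of `tcpdump -e -n -i <wan-if> arp` taken from a host on the same segment; `-n` keeps the addresses numeric so the regex matches.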