Netgate Discussion Forum

IP Alias on "localhost interface" vs "carp interface"

HA/CARP/VIPs
2 Posts 2 Posters 2.2k Views
  • J
    jason0
    last edited by May 28, 2014, 6:18 AM

    Hi,

    I have two questions regarding vip aliases, and I will give you a scenario:

    I have two firewalls both running pfsense 2.1.3, configured as a primary and secondary CARP pair.

    We have a /28 network for our wan ip addresses.  Three are dedicated to my upstream provider's implementation of VRRP.  Another three are dedicated to my implementation of carp.  Both CARP and the upstream VRRP work very well together, thanks to a number of answers you guys helped me with earlier.

    The remaining 8 ip addresses are assigned as ip aliases and are tied to internal hosts using 1:1 nat.  I ran into the difficulty where the ip aliases did not propagate via pfsync: I solved it by assigning them to "localhost" and this leads me to my question:

    1. what is the difference between binding the alias to the 'localhost' interface versus the wan carp interface?  Why would I choose one or the other?

    2. what type of problem is resolved by being able to bind a wan ip alias to a different interface?  For instance, I COULD create an ip alias with an additional wan ip, and bind it to my LAN port: but what does that get me?

    Is the word "localhost" possibly a misnomer?  Is it more a generic word use like "any of the interfaces listed"?

    Thank you for your time!

    –jason

    • J
      jimp Rebel Alliance Developer Netgate
      last edited by May 28, 2014, 12:57 PM

      @jason0:

      1. what is the difference between binding the alias to the 'localhost' interface versus the wan carp interface?  Why would I choose one or the other?

      IP Alias on localhost is for binding services on IPs inside a routed subnet – that is, a subnet routed entirely to your firewall (cluster).

      The differences are:

      • IP Aliases on an interface would be an IP conflict if they existed on two separate firewalls at once, which is why CARP VIPs are required. These do not sync as it would create an IP conflict.
      • IP Aliases using an interface of an existing CARP VIP (in the same subnet as the CARP VIP) are OK, and they do sync, because only one of the nodes can use them at a time.
      • IP Aliases on localhost are only useful for binding services on the firewall to an IP address inside a routed subnet, and should not be used if the IP addresses are in your WAN or any other interface subnet.

      @jason0:

      2. what type of problem is resolved by being able to bind a wan ip alias to a different interface?  For instance, I COULD create an ip alias with an additional wan ip, and bind it to my LAN port: but what does that get me?

      Nothing useful in that example. You do not want to assign IP addresses from the same subnet to multiple interfaces.

      @jason0:

      Is the word "localhost" possibly a misnomer?  Is it more a generic word use like "any of the interfaces listed"?

      No, it means exactly what it says. The IP Aliases are placed on the localhost interface (lo0).

      If the IP addresses you're using are all inside the WAN subnet, then using CARP VIPs or Alias-on-CARP VIPs is best. In a clustered environment you cannot use Alias-on-WAN or Proxy ARP type VIPs on WAN as it will create an IP conflict. If the additional IP addresses are in a separate subnet routed to you, then you do not need any VIPs for 1:1 NAT to function.

      If the IP addresses you have are truly in the WAN subnet and they still work when you bind the IPs to localhost, then it's a fluke, the upstream router probably has a cached ARP entry that is pointing them to the primary firewall or CARP VIP MAC. I wouldn't expect that to keep working indefinitely.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

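The rules jimp lays out above (alias-on-interface conflicts in a cluster, alias-on-CARP is fine and syncs, alias-on-localhost only for routed subnets, Proxy ARP conflicts in a cluster) are easy to get wrong when a VIP list grows. The following is an added example, not code from the thread or from pfSense itself: a small Python audit that encodes those rules and flags each VIP definition before it is pushed to a cluster. The interface subnets and VIP addresses are constructed from RFC 5737 documentation ranges, and the `type`, `interface` and `name` keys are this example's own conventions, not pfSense's config schema.

```python
import ipaddress

# Constructed sample interface subnets (documentation ranges, not the poster's real addresses).
# A /28 on WAN mirrors the scenario in the question.
INTERFACE_SUBNETS = {
    "wan": ipaddress.ip_network("203.0.113.0/28"),
    "lan": ipaddress.ip_network("192.168.10.0/24"),
}

# Constructed VIP list. "interface" is a real interface name, "lo0" for localhost,
# or the name of a CARP VIP for an alias-on-CARP definition.
SAMPLE_VIPS = [
    {"name": "wan-carp",         "type": "carp",     "interface": "wan",      "address": "203.0.113.5"},
    {"name": "alias-on-carp",    "type": "ipalias",  "interface": "wan-carp", "address": "203.0.113.8"},
    {"name": "alias-on-wan",     "type": "ipalias",  "interface": "wan",      "address": "203.0.113.9"},
    {"name": "alias-lo0-wan",    "type": "ipalias",  "interface": "lo0",      "address": "203.0.113.10"},
    {"name": "alias-lo0-routed", "type": "ipalias",  "interface": "lo0",      "address": "198.51.100.7"},
    {"name": "proxyarp-wan",     "type": "proxyarp", "interface": "wan",      "address": "203.0.113.11"},
]


def containing_interface(address, subnets):
    """Return the name of the interface whose subnet contains address, or None if it is routed."""
    ip = ipaddress.ip_address(address)
    for name, net in subnets.items():
        if ip in net:
            return name
    return None


def check_vip(vip, subnets, carp_vips, clustered=True):
    """Classify one VIP as (verdict, syncs_to_secondary, reason) using the rules from the thread."""
    kind, iface, addr = vip["type"], vip["interface"], vip["address"]
    owner = containing_interface(addr, subnets)

    if kind == "carp":
        if owner != iface:
            return ("error", False, f"CARP VIP {addr} is not inside the {iface} subnet")
        return ("ok", True, "CARP VIP: only the master node answers for it, so it is safe to sync")

    if kind == "proxyarp":
        if clustered and owner is not None:
            return ("conflict", False, f"Proxy ARP on {iface} would be answered by both cluster nodes")
        return ("ok", False, "Proxy ARP VIP on a single firewall")

    if kind == "ipalias":
        if iface == "lo0":
            if owner is not None:
                # Works only while the upstream router holds a stale ARP entry; do not rely on it.
                return ("misuse", False,
                        f"{addr} is inside the {owner} subnet; localhost aliases are for routed subnets only")
            return ("ok", False, "alias on localhost inside a routed subnet; no VIP is needed for 1:1 NAT")
        if iface in carp_vips:
            parent_iface, parent_addr = carp_vips[iface]
            if owner != containing_interface(parent_addr, subnets):
                return ("error", False, f"{addr} is not in the same subnet as CARP VIP {iface}")
            return ("ok", True, f"alias on CARP VIP {iface}: only the master uses it, so it syncs")
        if clustered:
            return ("conflict", False,
                    f"alias directly on {iface} would exist on both nodes at once; use a CARP VIP or alias-on-CARP")
        return ("ok", False, f"alias on {iface} on a single firewall")

    return ("error", False, f"unknown VIP type {kind!r}")


def audit(vips, subnets, clustered=True):
    """Audit a whole VIP list; returns {name: (verdict, syncs, reason)}."""
    carp_vips = {v["name"]: (v["interface"], v["address"]) for v in vips if v["type"] == "carp"}
    return {v["name"]: check_vip(v, subnets, carp_vips, clustered) for v in vips}


if __name__ == "__main__":
    for name, (verdict, syncs, reason) in audit(SAMPLE_VIPS, INTERFACE_SUBNETS).items():
        print(f"{name:16} {verdict:8} syncs={syncs!s:5} {reason}")
```

Run it as-is to see the constructed list classified; swap in your own interface subnets and VIP entries to audit a real configuration. Passing `clustered=False` relaxes the two conflict rules for a standalone firewall, which is the one case where alias-on-interface and Proxy ARP VIPs are harmless.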