Make assigned IPs from ISP pingable



  • Hi Guys - I am sorry if this is a very stupid post with stupid questions.  I am learning.

    In my pfsense, I have been given 5 public IP addresses by the ISP. One of them I use for the pfsense itself. For two others I am using Virtual IPs for 1:1 NAT on two different machines to do web serving.

    So we have three IP addresses from which one would get a response to a PING.

    My ISP says that all five IP addresses need to be pingable, otherwise they will take the non-pingable ones away from me because I am squatting (sp?).  Even though it may be a hollow threat, I was thinking of creating more private IPs on the other two machines, then creating Virtual IPs and mapping them to those private IPs using 1:1 NAT on port 80.  At worst, it will show the stock apache web page.

    I noticed many posts here that appear to suggest that if we ignore the redundancy intent of CARP Virtual IPs, they can fully and directly substitute for Virtual IPs created using Proxy ARP.

    In other words, enter a password, assign a unique VHID to each public IP, leave the ad frequency at 0 and go about creating a CARP Virtual IP in place of a P-ARP Virtual IP.  After that, use the Virtual "it-does-not-matter-what-kind" IP and create 1:1 NAT as normal.  Then go about creating firewall rules as normal.  And it will magically work?

    Another nice side effect of this is that all five addresses have become ping-able even though two of them are pointing to blue sky.

    I will be thrilled like a kid with candy if this is the case.  Some great gurus confirming this would be very useful to faint-hearted people like me.

    Second question:  If this is really the case, then why should we even have a proxy-arp feature in pfsense?  Is there any pointer to when a Virtual IP with Proxy ARP should be used rather than a CARP Virtual IP?

    Thanks for your help.



  • IMO, your ISP is being unreasonable, as many people use IPs without allowing them to be pingable. But CARP addresses off your WAN will be pingable if you have the appropriate rules allowing ICMP, even if they are not 1:1s.
    As for proxy-arp, my thought is that CARP adds complexity, so I only use it when there is a good reason to.



  • @dotdash:

    IMO, your ISP is being unreasonable, as many people use IPs without allowing them to be pingable. But CARP addresses off your WAN will be pingable if you have the appropriate rules allowing ICMP, even if they are not 1:1s.
    As for proxy-arp, my thought is that CARP adds complexity, so I only use it when there is a good reason to.

    Thanks - This helps a lot.  I too thought that making an IP ping-able should be my choice, not theirs.

    On another note, do you have some pointers on why Virtual CARP IPs would be more complex than Virtual ProxyARP IPs?
    Any pointers to this forum or Google would be very helpful.

    Much thanks.



  • @garg_art2002:

    On another note, do you have some pointers on why Virtual CARP IPs would be more complex than Virtual ProxyARP IPs?

    Mostly just me being paranoid, but CARP adds some broadcasts and has the same protocol number as VRRP. While CARP will reject VRRP packets, it is within the realm of possibility to interfere with your provider's VRRP setup. Deleting CARP VIPs requires a reboot, where Proxy-ARP does not. It probably adds a tiny, tiny extra bit of CPU load to the box also. Oh, and there's the additional work of adding a password and keeping the VHIDs unique. Ok, the last two are pretty weak…



  • @dotdash:

    @garg_art2002:

    On another note, do you have some pointers on why Virtual CARP IPs would be more complex than Virtual ProxyARP IPs?

    Mostly just me being paranoid, but CARP adds some broadcasts and has the same protocol number as VRRP. While CARP will reject VRRP packets, it is within the realm of possibility to interfere with your provider's VRRP setup. Deleting CARP VIPs requires a reboot, where Proxy-ARP does not. It probably adds a tiny, tiny extra bit of CPU load to the box also. Oh, and there's the additional work of adding a password and keeping the VHIDs unique. Ok, the last two are pretty weak…

    Thanks - This helps. Interference with the provider's VRRP and the reboot are serious (in that order) IMNO (in my newb opinion!).

    Best regards.

