2 VIPs to 1 NAT or "How do I re-ip with no downtime"


  • Hello,

    I have a pfSense firewall with 3 VIPs (non-RFC1918 space) and NAT 1:1 pointing to 3 * 192.168.x IPs on the backend.

    I need to renumber/re-ip the 3 VIP IPs and have no downtime. Both sets of VIPs would be live at the same time and point to the same backend IPs (192.168.x).

    The old VIP IPs and the new VIP IPs are on the same VLAN. Routing is not a concern as the existing default route will handle all of the traffic of VIPs.

    All 6 IPs (3 old VIP IPs + 3 VIP IPs) are configured on pfSense, but when I try to create a 1:1 NAT mapping using the new VIPs (while also leaving old VIPs in place) - it does not work. pfSense will not allow traffic to pass to the same backend machine over two different VIPs. If I disable one VIP (either new IP or old IP)…  traffic passes.

    Any recommendations on how to renumber VIPs with no downtime?


  • I was faced with a similar problem some while back when performing a firewall migration from one ISP to another. You can amend this suggestion to suit your particular scenario if you like.

    I had to maintain two IPs simultaneously to point to the same web servers internally while I waited for external DNS changes to propagate. I set up a load balancer within the DMZ, using the 'ZenLoadBalancer', a linux-based freebie LB which is very easy to use. I set the route from the load balancer to the internet via the new firewall, leaving the old firewall and old route running on the web server. I set up a forward from the load balancer to the web server (the load balancer and web server were in the same DMZ so routing between them wasn't an issue) to send all port 80/443 traffic to the backend server. The new firewall port-forwarded to the load balancer which in turn handled the outbound traffic from the web server through the new firewall. So now I had two external IPs both forwarding http requests to the same backend server - one directly from the old IP and the other via the load-balancer from the new IP. I then made my external DNS changes and once they finished propagating I switched off the old firewall. In my own case I left the load balancer in place for maintenance purposes, but changing the default gateway for the web server and then re-targeting the port forward on the firewall would be quick and result in little more than just a few seconds of 'down time' in the event I'd chosen to do it.

    In your case, you could point your new VIPs to a load balancer internally and forward the traffic from there to your backend server, so your 1:1 NAT is done for separate machines for the duration of the changeover. If you have a virtual environment, setting up a load balancer using HAProxy or Zen shouldn't take up much resource or time.

    It's one way to skin a cat, in any case.

  • Rebel Alliance Developer Netgate

    Port forwards override 1:1 NAT, so you can play a bit of a trick. Keep the 1:1 NATs in place, even though the second entries are non-functional. Add port forwards for the inbound traffic on the new VIPs, those will work fine.

    When the time comes, remove the old 1:1 NAT and port forwards and things should keep working fine.
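The transitional ruleset the reply above describes, written out as an added illustration in plain pf.conf syntax (not the ruleset pfSense generates from its GUI, and not code from the thread). All addresses and the interface name are constructed: old VIPs in 203.0.113.0/24, new VIPs in 198.51.100.0/24, backends in 192.168.10.0/24; only one of the three hosts is shown.

```pf
# Constructed example: one backend host, its old VIP and its new VIP.
ext_if    = "em0"
old_vip_1 = "203.0.113.10"
new_vip_1 = "198.51.100.10"
srv_1     = "192.168.10.10"
# Hosts 2 and 3 get the same three lines each.

# Step 1: keep the existing 1:1 NAT for the old VIP. binat is
# bidirectional, so srv_1 still sources outbound traffic as old_vip_1
# and inbound traffic to old_vip_1 keeps arriving at srv_1.
binat on $ext_if from $srv_1 to any -> $old_vip_1

# Step 2: inbound traffic to the new VIP is handled by port forwards
# (rdr) instead of a second 1:1 mapping. pf evaluates rdr before binat
# for inbound packets, which is the "port forwards override 1:1 NAT"
# behaviour the reply relies on. Only the published services are listed.
rdr on $ext_if proto tcp from any to $new_vip_1 port { 80, 443 } -> $srv_1

# Each translation still needs a matching filter rule. After rdr the
# packet's destination is already the internal address, so the pass
# rule is written against srv_1, not the VIP.
pass in quick on $ext_if proto tcp from any to $srv_1 port { 80, 443 } \
    flags S/SA keep state

# Step 3 (cutover, once clients and DNS use 198.51.100.x): delete the
# binat line for old_vip_1 and the old VIP itself. If srv_1 should then
# source its outbound traffic from new_vip_1, add
#   binat on $ext_if from $srv_1 to any -> $new_vip_1
# at that point; the rdr rules for new_vip_1 keep working alongside it.
```

While both rulesets are loaded, check `pfctl -s nat` to confirm the rdr entries for the new VIP appear and `pfctl -s state` to confirm new connections are being translated to srv_1.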