Virtual IP and NAT 1:1
-
I would like to have a virtual IP setup that is a public IP. I have created it in the virtual IP page and created a 1:1 rule. But when I try to ping the address there is no reply. Is this a way for the firewall to respond to a public IP? Previously I used a Firebox and it allowed me to create aliases for interfaces so it would respond to certain public IP addresses. Is this possible in pfSense?
-
You can only ping CARP type VIPs.
Also you need to create a firewall rule that allows this ping (ICMP).
-
And CARP IPs work fine without a cluster.
-
You can only ping CARP type VIPs.
Also you need to create a firewall rule that allows this ping (ICMP).

I'm not sure I totally understand how CARP works as far as the password part. Why is the password required and what does it match up with? Where would the password be authenticated to/from?
Thanks,
AJ
-
Read up on Wikipedia what CARP is.
Just set a dummy password.
It's not required for your needs.
-
OK, I created a CARP entry but I still can't ping the address. Do I also need a NAT 1:1 entry? I have one but I'm really not sure if it's needed or not. I have watched the firewall but I haven't seen any ICMP requests denied. I have enabled ICMP on the WAN connection.
Thanks,
AJ
-
Read up on Wikipedia what CARP is.

Where can I read detailed CARP specifications (like here http://tools.ietf.org/html/rfc2281 for HSRP)?
Thanks.
-
http://www.justfuckinggoogleit.com/search.pl?query=carp
--> @wikipedia:
http://www.openbsd.org/cgi-bin/man.cgi?query=carp&sektion=4
-
No, you did not get my question.
I would like to read information like this:
@RFC:
5.1 Packet formats
The standby protocol runs on top of UDP, and uses port number 1985.
Packets are sent to multicast address 224.0.0.2 with TTL 1.

Routers use their actual IP address as the source address for
protocol packets, not the virtual IP address. This is necessary so
that the HSRP routers can identify each other.

The format of the data portion of the UDP datagram is:

                     1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Version     |   Op Code     |     State     |   Hellotime   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|   Holdtime    |   Priority    |     Group     |   Reserved    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      Authentication Data                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      Authentication Data                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      Virtual IP Address                       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-
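Added example, not part of the original thread: a decoder for the 20-byte HSRP message layout quoted from RFC 2281 in the post above, with two checks a defender might run on captured traffic. The op code, state and default authentication values are taken from RFC 2281 rather than from the post; the names `parse_hsrp` and `audit` and the sample bytes are constructed for illustration, and none of this describes CARP's wire format.

```python
import ipaddress
import struct

# Values from RFC 2281 section 5.1; the post quotes only the field layout.
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen",
          4: "Speak", 8: "Standby", 16: "Active"}
DEFAULT_AUTH = b"cisco\x00\x00\x00"   # RFC 2281 recommended default
LAYOUT = struct.Struct("!8B8s4s")     # 8 one-octet fields, auth, virtual IP


def parse_hsrp(payload: bytes) -> dict:
    """Decode the data portion of an HSRP version 0 UDP datagram."""
    if len(payload) < LAYOUT.size:
        raise ValueError(f"need {LAYOUT.size} bytes, got {len(payload)}")
    (version, op, state, hello, hold, prio, group, _reserved,
     auth, vip) = LAYOUT.unpack_from(payload)
    if version != 0:
        raise ValueError(f"unsupported HSRP version {version}")
    if op not in OPCODES or state not in STATES:
        raise ValueError(f"unknown op code {op} or state {state}")
    return {
        "op": OPCODES[op], "state": STATES[state],
        "hellotime": hello, "holdtime": hold,
        "priority": prio, "group": group, "auth": auth,
        "virtual_ip": str(ipaddress.IPv4Address(vip)),
    }


def audit(msg: dict, src_ip: str) -> list:
    """Return findings a defender would want raised for one message."""
    findings = []
    if msg["auth"] == DEFAULT_AUTH:
        findings.append("default authentication data in use")
    if src_ip == msg["virtual_ip"]:
        findings.append("sent from the virtual IP, not the router's own IP")
    return findings


# Constructed sample: Hello from the Active router of group 1, priority 100,
# hellotime 3 s, holdtime 10 s, virtual IP 192.0.2.1 (documentation range).
SAMPLE = bytes([0, 0, 16, 3, 10, 100, 1, 0]) + DEFAULT_AUTH + bytes([192, 0, 2, 1])

if __name__ == "__main__":
    msg = parse_hsrp(SAMPLE)
    print(msg)
    print(audit(msg, "192.0.2.10"))
```
-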
Actually, you didn't read the information suggested. From Wikipedia:
A reason cited for rejecting this request relates to the lack of a published standards specification for CARP. The OpenBSD implementation is the closest thing to a formal specification of the protocol.
Here is some additional information, if you are interested:
http://www.packetmischief.ca/openbsd/doc/carp.html