Adding 250 Virtual IPs

robwalker

Hi,

We've recently moved to pfsense for all our new networks for our SAAS platform. It's working really well for us and gives us a lot more flexibility than the old Juniper SSG units we were using.

For a new environment that we have recently deployed, I need to add most of a /24 as virtual IPs. Looking at the various options, I think they'll have to be IP aliases. We're using CARP for failover, and I don't think the 'other' option will work as these IPs are accessible directly. not routed to a single WAN IP etc.

I've added a handful that we needed before the platform went live, but unfortunately it was rushed in to production because of a serious hardware failure in a legacy DC. My colleague has scripted the required XML as there appears to be no way to bulk add IP Aliases. Before we look at testing it and then finally adding the config, does anyone have any experience with this many IP Aliases? This is going to add around 250 addresses to the WAN interface. Would that be of any concern?

A reasonable number of them will be used in an outgoing NAT pool. I assume that should work OK? I can create an alias for the range and then use it in a NAT rule I believe.

Thanks!
Rob

robwalker

Anyone any thoughts on if ~250 IP Aliases are a good idea on one interface?

jimp

Have I seen it work? Yes
Is it a good idea? Not really.

Using IP Aliases with the CARP VIP as the parent may be viable but it's going to be a management nightmare.

It would be so much easier if the addresses you had to use were in a routed subnet and not all in one flat network on the WAN. Ship may have sailed on that since you had to rush it into production though.

Normally the ISP would give you a /29 or /28 on WAN (big enough for you to use CARP) and then route the larger subnet. You wouldn't even need VIPs if the subnet was routed to you.

robwalker

Hi,

Thanks for the reply. Yes it certainly would be a management nightmare! The only good thing being that things are very unlikely to change going forward. I shouldn't need to add or remove any more in the future.

Adding them as children of the WAN CARP interface is what I was planning. I definitely don't want that many CARP addresses.

Unfortunately we're limited by our hosting provider. They provide us with a really impressive network and we can use VLAN tags to seamlessly create up to 4000 LANs spanning their datacentres, but in this instance our only real option is to use the IP block directly.

Would you have any concerns from a stability or performance point of view? Or is it just the management nightmare you'd be concerned about?

jimp

Primary concern is that there will be a ton of unnecessary ARP happening with that many active addresses in a flat network. That and with that many addresses on an interface it may be somewhat fragile and prone to timing issues with configuration. Of course it may be fine in your case, luck of the draw depending on how things run on your gear.

Even if your ISP could carve up your /24 on the WAN into smaller chunks and route some of them that wouldn't eat up any more IP addresses but it would drastically reduce your complexity. For example they could carve it up into a /29 for your WAN and then route the remaining portion as additional smaller networks (a /25, plus a /26, and so on)… Seems odd that they'd be willing to work so well on other topics but not IP space.

robwalker

Thanks, I really appreciate your input. It sounds like it's not a great idea. I'll raise it with our provider, but I think we're pushing the boundaries of what they offer. They're a hosting/server provider who deal in bulk rather that bespoke, so anything that deviates from their standard setup is unlikely to be possible.

We may simply add a second pfsense instance to test out these extra IPs. The bulk of them are for one very specific use case which could be diverted through a separate pfsense VM without too much effort.

Thanks again!