Help with FTP - easy to change to CARP VIPs?

  • I am trying to get passive FTP working for external clients to my internal servers.  These servers are setup with 1:1 NAT on virtual IPs.  I'm running pfSense 1.2.

    I created a rule to allow port 21 traffic inbound.  That got FTP working, but only on not-passive mode.  After doing some googling, I enabled the FTP helper, which didn't work.  A little more googling told me it was because all my VIPs are ProxyArp IPs.  If I change those to CARP IPs, it should work?

    I don't really understand what the difference is between a ProxyARP and CARP virtual IPs, but if I just go through all of them and change them, are there any side effects?  Will everything else continue to work as before?


  • I shouldn't be a big deal to switch the VIP to CARP. I suggest Wikipedia to research Proxy ARP and CARP. CARP is normally used for failover setups, but you can use it on a stand-alone box. There are possible issues if you are running VRRP on the same network, but that would usually only be if you were in a data center, or an enterprise environment.

  • I read the wikipedia articles, but I can't say that they were helpful.

    So why isn't CARP the default VIP type?  Why would anyone ever use Proxy ARP type VIPs when some things (like the ftp helper) don't work with them? (Assuming they aren't running VRRP in a data center/enterprise environment)

    When I first put my pfSense box into place, my servers were unaccessible for several hours as I tried to troubleshoot what went wrong.  Switching back to the old firewall didn't help either.  I finally got it fixed by calling my ISP and having them clear their ARP cache on their cisco router that they have on site here.  I'm really worried about screwing something up again if I change my virtual IPs to CARP.

  • Anyone have more input?

  • IMO, CARP adds complexity and should be used when you need it and understand it. Proxy-ARP is simpler and mostly harmless.
    PS- Don't tell anyone I said so, but the easiest way to clear the ARP cache of a provider's router involves the power switch.

  • dotdash, could you elaborate a little?  Do you think I'd have any problems if I switched all my virtual IPs from ProxyARP to CARP?  Might this affect the ARP routing at all?

  • With proxy-ARP, the firewall will respond to the ARP request with it's MAC address. CARP uses a bogus MAC, so you could have an issue with the upstream ARP cache. If it were me, I'd cycle the providers Cisco- but I have been known to be impetuous.

  • Excellent, this is exactly the info I was looking for, thank you.

  • So I went to go do this, and received an error: "You must specify a CARP password that is shared between the two VHID members."

    First of all, there is no CARP password field on the page.  There is a "virtual ip password".  Is that what its talking about?  And what is this password used for?

    Can someone shed some light on this?

  • The CARP password is the 'virtual ip password'. It is used to secure the CARP traffic between cluster members. You don't care about this, so just enter anything and save it.

  • Thanks.  What about the drop down after the IP address?  Everwhere else in pfSense this has been a CIDR number.  Here is specifically says its not - that instead its the network netmask.

    So my WAN IP uses a CIDR number of 26 (because its netmask is  This virtual IP is coming from that same network.  So would I use /26 again?  Or /32 to indicate that this is just a single virtual IP?

  • You use the actual netmask of the WAN. So in your case, /26.

  • Thank you, I've changed the IP type, and everthing still seems to be ok - I can still access the website.

    Unfortunately passive ftp is still not working.  I have port 21 open in the firewall (active FTP is working), and I've left the "Disable the userland FTP-Proxy application" box on the WAN screen unchecked.  Is there anything else I need to do?

  • In case this helps anyone - I did not have any issues going from ProxyARP to Carp type of virtual IPs.

    But when I switched back (because I never could get the FTP helper to work), the Cisco router did NOT pick up on the new MAC address, and traffic wasn't being routed properly.  I had to call my ISP and have them clear their ARP cache for that particular IP.

Log in to reply