Help with FTP - easy to change to CARP VIPs?
-
Anyone have more input?
-
IMO, CARP adds complexity and should be used when you need it and understand it. Proxy-ARP is simpler and mostly harmless.
PS- Don't tell anyone I said so, but the easiest way to clear the ARP cache of a provider's router involves the power switch.
-
dotdash, could you elaborate a little? Do you think I'd have any problems if I switched all my virtual IPs from ProxyARP to CARP? Might this affect the ARP routing at all?
-
With proxy-ARP, the firewall will respond to the ARP request with its MAC address. CARP uses a bogus MAC, so you could have an issue with the upstream ARP cache. If it were me, I'd cycle the provider's Cisco- but I have been known to be impetuous.
-
Excellent, this is exactly the info I was looking for, thank you.
-
So I went to go do this, and received an error: "You must specify a CARP password that is shared between the two VHID members."
First of all, there is no CARP password field on the page. There is a "virtual ip password". Is that what it's talking about? And what is this password used for?
Can someone shed some light on this?
-
The CARP password is the 'virtual ip password'. It is used to secure the CARP traffic between cluster members. You don't care about this, so just enter anything and save it.
-
Thanks. What about the drop down after the IP address? Everywhere else in pfSense this has been a CIDR number. Here it specifically says it's not - that instead it's the network netmask.
So my WAN IP uses a CIDR number of 26 (because its netmask is 255.255.255.192). This virtual IP is coming from that same network. So would I use /26 again? Or /32 to indicate that this is just a single virtual IP?
-
You use the actual netmask of the WAN. So in your case, /26.
-
Thank you, I've changed the IP type, and everything still seems to be ok - I can still access the website.
Unfortunately passive ftp is still not working. I have port 21 open in the firewall (active FTP is working), and I've left the "Disable the userland FTP-Proxy application" box on the WAN screen unchecked. Is there anything else I need to do?
-
In case this helps anyone - I did not have any issues going from ProxyARP to CARP type of virtual IPs.
But when I switched back (because I never could get the FTP helper to work), the Cisco router did NOT pick up on the new MAC address, and traffic wasn't being routed properly. I had to call my ISP and have them clear their ARP cache for that particular IP.
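A small check for the two points raised in this thread (the VIP netmask, and an upstream ARP cache that still holds the old MAC after switching VIP types). This is an added example, not code from the thread or from pfSense; the WAN block, VIP, firewall MAC, VHID and the `arp -a` lines are constructed values.

```python
import ipaddress
import re

# Constructed sample values (not from the thread): a WAN address in a /26,
# a VIP taken from the same block, the firewall's WAN MAC and the CARP VHID.
WAN_IP = ipaddress.ip_interface("203.0.113.66/26")
VIP = ipaddress.ip_address("203.0.113.70")
FW_MAC = "00:11:22:33:44:55"
VHID = 5

def carp_mac(vhid: int) -> str:
    """CARP announces the VRRP-style virtual MAC 00:00:5e:00:01:<vhid>."""
    if not 1 <= vhid <= 255:
        raise ValueError("VHID must be 1-255")
    return f"00:00:5e:00:01:{vhid:02x}"

def expected_mac(vip_type: str) -> str:
    """Proxy-ARP answers with the interface MAC; CARP answers with the virtual MAC."""
    if vip_type == "proxyarp":
        return FW_MAC.lower()
    if vip_type == "carp":
        return carp_mac(VHID)
    raise ValueError(f"unknown VIP type: {vip_type}")

def vip_in_wan_subnet() -> bool:
    """A VIP drawn from the WAN block is configured with the WAN netmask (/26 here)."""
    return VIP in WAN_IP.network

# BSD-style 'arp -a' line: "? (203.0.113.70) at 00:00:5e:00:01:05 on em0 ..."
ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]{17})")

def stale_entries(arp_output: str, vip_type: str) -> list:
    """Return (ip, cached_mac, expected_mac) for VIP entries that no longer match."""
    want = expected_mac(vip_type)
    stale = []
    for m in ARP_LINE.finditer(arp_output):
        if ipaddress.ip_address(m["ip"]) == VIP and m["mac"].lower() != want:
            stale.append((m["ip"], m["mac"].lower(), want))
    return stale

# Constructed cache contents as the upstream router might still hold them
# after the VIP was switched from CARP back to proxy-ARP.
SAMPLE_ARP = """\
? (203.0.113.65) at 00:aa:bb:cc:dd:ee on em0 ifscope [ethernet]
? (203.0.113.70) at 00:00:5e:00:01:05 on em0 ifscope [ethernet]
"""

if __name__ == "__main__":
    print("VIP inside WAN /26:", vip_in_wan_subnet())
    print("CARP virtual MAC for VHID", VHID, "is", carp_mac(VHID))
    print("stale entries after switching back:", stale_entries(SAMPLE_ARP, "proxyarp"))
```

Running it against the real router's `arp -a` output instead of `SAMPLE_ARP` shows whether the upstream cache needs clearing before blaming the firewall.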