Virtual IPs add knowledge of additional IP addresses to the firewall that are different from
the firewall's actual "real" interface addresses. Most often, these are used for NAT, but they
can also be used for other functions such as clustering, binding services such as DNS, load
balancing in packages, and so on.
Below is a table representing the major features of each type of VIP. More detailed
explanations are located in the section after the table.
VIP Type  | Version | NAT | Binding | ARP/L2 | Clustering | ICMP   | In Subnet | Subnet Mask | Single/Range
CARP      | 1.x+    | Yes | Yes     | Yes    | Yes        | Yes    | 2.2+ (3)  | Yes         | Single
Proxy ARP | 1.x+    | Yes | No      | Yes    | No         | No (1) | No        | n/a         | Either
Other     | 1.x+    | Yes | No      | No     | Yes (2)    | No (1) | No        | n/a         | Either
IP Alias  | 2.0+    | Yes | Yes     | Yes    | See Notes  | No     | See Notes | Yes         | Single
1: The ICMP column represents responses from the firewall itself, without NAT. With 1:1
NAT, any VIP will pass ICMP through to the target device. On 2.1+, ICMP can also
be used as a protocol in port forward entries.
2: "Other" type VIPs are for routed subnets, where CARP is irrelevant, so they work
in a cluster (see below).
3: CARP type VIPs must be in the same subnet as other interface VIPs on pfSense
<=2.1.x; on >=2.2 they may be in other subnets, but see below for caveats.
Implications
Some upstream equipment requires each distinct IP address to have a unique
MAC address. In such cases, the use of CARP VIP types may allow the
additional addresses to function where they otherwise would not work with IP
alias or Proxy ARP VIPs. This has been common to see in the past with AT&T
Uverse equipment.
The MAC address of a VIP will change if the VIP entry is changed from a
type that has a unique MAC address, such as CARP, to one that shares a
MAC address with the parent interface, such as IP alias or Proxy ARP, or back. Due to
the MAC address change, other equipment on the segment may need to have
its ARP cache cleared, it may need to be rebooted (cable modems especially),
or there may be some other time period that must expire for the ARP cache to
update. This may be as little as a couple of minutes or up to four hours.
If a particular configuration does not work with IP alias or Proxy ARP type
VIPs, try with a CARP VIP instead, or vice versa. Address or wait out the
potential ARP concerns before declaring one particular type a failure, and
always be on the lookout for IP conflicts.
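The feature table and the MAC-address implications above can be turned into a pre-change check: before adding a VIP or switching its type, run the intended entry against the table's constraints and flag the combinations that will not work, plus the ARP-cache risk of a MAC change. The following is an added example, not pfSense code; the VIP_TYPES dictionary is a transcription of the table, and VipEntry, check_vip, mac_changes and the sample addresses are constructed for illustration.

```python
"""Pre-change lint for pfSense Virtual IP entries (added example, not pfSense code).

Encodes the VIP feature table and the MAC-address implications as checks a
practitioner can run before adding or retyping a VIP. VipEntry, check_vip,
mac_changes and the sample entries are constructed names, not pfSense identifiers.
"""
import ipaddress
from dataclasses import dataclass

# Capabilities per VIP type, transcribed from the feature table.
# icmp = the firewall answers ICMP on the VIP itself without NAT (footnote 1);
# clustering=None stands for "See Notes"; unique_mac marks types that present
# their own MAC address instead of the parent interface's.
VIP_TYPES = {
    "carp":     dict(min_version=(1, 0), binding=True,  arp=True,  clustering=True,
                     icmp=True,  needs_mask=True,  range_ok=False, unique_mac=True),
    "proxyarp": dict(min_version=(1, 0), binding=False, arp=True,  clustering=False,
                     icmp=False, needs_mask=False, range_ok=True,  unique_mac=False),
    "other":    dict(min_version=(1, 0), binding=False, arp=False, clustering=True,
                     icmp=False, needs_mask=False, range_ok=True,  unique_mac=False),
    "ipalias":  dict(min_version=(2, 0), binding=True,  arp=True,  clustering=None,
                     icmp=False, needs_mask=True,  range_ok=False, unique_mac=False),
}


def parse_version(text: str) -> tuple:
    """'2.1.5' -> (2, 1, 5) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class VipEntry:
    vip_type: str
    address: str            # "203.0.113.10" for a single VIP, "203.0.113.0/29" for a range
    interface_subnet: str   # network of the parent interface, e.g. "203.0.113.0/24"
    wants_binding: bool = False      # a firewall service (e.g. DNS) must bind to the VIP
    wants_clustering: bool = False   # the VIP must fail over between cluster nodes
    wants_icmp_reply: bool = False   # the firewall itself must answer ping on the VIP


def check_vip(entry: VipEntry, pfsense_version: str) -> list:
    """Return warnings for combinations the feature table says will not work."""
    feats = VIP_TYPES[entry.vip_type]
    version = parse_version(pfsense_version)
    warnings = []

    if version < feats["min_version"]:
        need = ".".join(str(p) for p in feats["min_version"])
        warnings.append(f"{entry.vip_type} VIPs need pfSense {need}+ (have {pfsense_version})")

    net = ipaddress.ip_network(entry.address, strict=False)
    iface = ipaddress.ip_network(entry.interface_subnet, strict=False)
    if net.num_addresses > 1 and not feats["range_ok"]:
        warnings.append(f"{entry.vip_type} VIPs are single addresses; {entry.address} is a range")

    in_subnet = net.subnet_of(iface)
    # Footnote 3: CARP VIPs must share the interface subnet before 2.2.
    if entry.vip_type == "carp" and not in_subnet and version < (2, 2):
        warnings.append(f"CARP VIP {entry.address} is outside {entry.interface_subnet}; "
                        "needs pfSense 2.2+, and even then has caveats")
    if entry.vip_type == "ipalias" and not in_subnet:
        warnings.append("IP alias outside the interface subnet: check the IP alias notes")

    if entry.wants_binding and not feats["binding"]:
        warnings.append(f"services cannot bind to a {entry.vip_type} VIP; use CARP or IP alias")
    if entry.wants_clustering and feats["clustering"] is False:
        warnings.append(f"{entry.vip_type} VIPs do not fail over in a cluster")
    if entry.wants_clustering and feats["clustering"] is None:
        warnings.append("IP alias clustering depends on the parent VIP (see notes)")
    if entry.wants_icmp_reply and not feats["icmp"]:
        warnings.append(f"the firewall will not answer ICMP on a {entry.vip_type} VIP "
                        "(ICMP still passes through with 1:1 NAT)")
    return warnings


def mac_changes(old_type: str, new_type: str) -> bool:
    """True when retyping the VIP changes the MAC address neighbours see, so
    their ARP caches may go stale (minutes to hours, per the Implications section)."""
    return VIP_TYPES[old_type]["unique_mac"] != VIP_TYPES[new_type]["unique_mac"]


if __name__ == "__main__":
    # Constructed sample: a CARP VIP outside the WAN subnet on a 2.1.x firewall.
    sample = VipEntry("carp", "198.51.100.10", "203.0.113.0/24")
    for line in check_vip(sample, "2.1.5"):
        print("WARN:", line)
    print("MAC changes carp -> ipalias:", mac_changes("carp", "ipalias"))
```

The check deliberately reports problems as warnings rather than refusing outright, because the page's own advice is to try the other VIP type and wait out ARP-cache expiry before calling a configuration a failure.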