On 2015-Mar-09, at 2:43 AM, Chris L <[email protected]> wrote:

>> On Mar 9, 2015, at 2:38 AM, Brian Candler <[email protected]> wrote:
>>
>> On 09/03/2015 09:33, Bryan D. wrote:
>>> So, for what I'm doing, an IP Alias VIP seems like it should work where a
>>> CARP VIP works -- but it doesn't appear that a Proxy ARP VIP should, since
>>> I think I'm using them by the "firewall itself" (i.e., port forwarding and
>>> NATing) ... no -- or does that mean something different?
>>>
>> As I understand it, "used by the firewall itself" means traffic which
>> terminates *on* the firewall: for example, the firewall admin web page, and
>> any services which run on the firewall itself (e.g. DNS cache, packages you
>> have installed)
>>
>> Traffic which is forwarded *through* the firewall, including NAT, is not
>> addressed to the firewall itself.
>
> OpenVPN, IPSec, etc. If there is a socket listening on pfSense, that is the
> “firewall itself.” Or “bind” in the doc.
>
> This isn’t that complicated. What, exactly, is OP trying to do?

Yeah, that's what I thought. It's explained in the initial posting ...

---
I have a functioning v2.2 setup that uses a /29 set of static IPs:
- 1 IP is the gateway address and 5 IPs are "usable" (quite common, I believe)
- one of the "usable" IPs is assigned to the WAN interface
- the other 4 "usable" IPs are assigned to VIPs
- the WAN IP and VIPs have various port-forward and NAT rules associated with them
- the WAN IP and 2 of the VIPs serve 3 different domains (e.g., web, email, VPN -- servers are behind the firewall on isolated LAN)
- one of the other VIPs is used by mobile VPNs (IPsec and OpenVPN)
---

Works well with CARP VIPs, switching a VIP to Alias IP renders the services inaccessible -- services that are made available simply by switching the VIP back to CARP. I'm not using any failover/etc. so I'd like to simplify and thought Alias IP VIPs were the right choice.
