> On Mar 9, 2015, at 3:01 AM, Bryan D. <pfse...@derman.com> wrote:
> 
> On 2015-Mar-09, at 2:43 AM, Chris L <c...@viptalk.net> wrote:
> 
>>> On Mar 9, 2015, at 2:38 AM, Brian Candler <b.cand...@pobox.com> wrote:
>>> 
>>> On 09/03/2015 09:33, Bryan D. wrote:
>>>> So, for what I'm doing, an IP Alias VIP seems like it should work where a 
>>>> CARP VIP works -- but it doesn't appear that a Proxy ARP VIP should, since 
>>>> I think I'm using them by the "firewall itself" (i.e., port forwarding and 
>>>> NATing) ... no -- or does that mean something different?
>>>> 
>>> As I understand it, "used by the firewall itself" means traffic which 
>>> terminates *on* the firewall: for example, the firewall admin web page, and 
>>> any services which run on the firewall itself (e.g. DNS cache, packages you 
>>> have installed)
>>> 
>>> Traffic which is forwarded *through* the firewall, including NAT, is not 
>>> addressed to the firewall itself.
>> 
>> OpenVPN, IPSec, etc.  If there is a socket listening on pfSense, that is the 
>> “firewall itself.”  Or “bind” in the doc.
>> 
>> This isn’t that complicated.  What, exactly, is OP trying to do?
> 
> Yeah, that's what I thought.  It's explained in the initial posting ...
> ---
> I have a functioning v2.2 setup that uses a /29 set of static IPs:
> - 1 IP is the gateway address and 5 IPs are "usable" (quite common, I believe)
> - one of the "usable" IPs is assigned to the WAN interface
> - the other 4 "usable" IPs are assigned to VIPs
> - the WAN IP and VIPs have various port-forward and NAT rules associated with 
> them
> - the WAN IP and 2 of the VIPs serve 3 different domains
> (e.g., web, email, VPN -- servers are behind the firewall on isolated LAN)
> - one of the other VIPs is used by mobile VPNs (IPsec and OpenVPN)
> ---
> 
> Works well with CARP VIPs; switching a VIP to Alias IP renders the services 
> inaccessible -- services that are made available again simply by switching the VIP 
> back to CARP.  I'm not using any failover/etc., so I'd like to simplify and 
> thought Alias IP VIPs were the right choice.


Yeah, depending on the service, if you change the VIP type you probably have to 
rebind and restart the service.  It is probably not a hitless event.
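The thread's working definition of "used by the firewall itself" is a socket listening on pfSense, and the reply above points out that such services have to rebind when the VIP changes. The script below is an added example, not from anyone in this thread: it parses the column layout of FreeBSD's `sockstat -4 -l` (USER, COMMAND, PID, FD, PROTO, LOCAL ADDRESS, FOREIGN ADDRESS) and, for a given VIP address, lists which daemons are bound explicitly to it (those are the ones to restart after the change) and which listen on the wildcard `*` and therefore follow any address automatically. The sockstat listing embedded in it is constructed with RFC 5737 documentation addresses; port-forward and NAT targets behind the firewall never appear in such output, which is exactly why they are not "the firewall itself".

```python
"""Find pfSense services bound to a specific VIP address from `sockstat -4 -l` output.

Added example (not the thread's own code). The only assumption is the standard
sockstat column layout; the sample listing below is constructed, not captured.
"""
from dataclasses import dataclass
from typing import List

# Constructed sample of `sockstat -4 -l` output. Addresses are from the
# RFC 5737 documentation ranges and do not belong to any real host.
SOCKSTAT_SAMPLE = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     openvpn    1234  6  udp4   203.0.113.4:1194      *:*
root     charon     2345  12 udp4   203.0.113.4:500       *:*
root     charon     2345  13 udp4   203.0.113.4:4500      *:*
root     nginx      3456  5  tcp4   203.0.113.2:443       *:*
unbound  unbound    4567  3  udp4   *:53                  *:*
root     sshd       5678  4  tcp4   *:22                  *:*
"""


@dataclass(frozen=True)
class Listener:
    command: str
    pid: int
    proto: str
    address: str   # "*" means the socket is bound to every local address
    port: int


def parse_sockstat(text: str) -> List[Listener]:
    """Parse `sockstat -l` text into Listener records, skipping the header."""
    listeners: List[Listener] = []
    for line in text.splitlines():
        fields = line.split()
        # Header line starts with USER; data lines have at least 7 columns.
        if len(fields) < 7 or fields[0] == "USER":
            continue
        _user, command, pid, _fd, proto, local, _foreign = fields[:7]
        # Split "addr:port" from the right so the address part is kept intact.
        address, _sep, port = local.rpartition(":")
        listeners.append(Listener(command, int(pid), proto, address, int(port)))
    return listeners


def services_bound_to(listeners: List[Listener], vip: str) -> List[str]:
    """Daemons bound explicitly to `vip`.

    These are the "firewall itself" services for that VIP: changing the VIP's
    type or address leaves their sockets pointing at the old binding until the
    service is restarted.
    """
    return sorted({l.command for l in listeners if l.address == vip})


def wildcard_services(listeners: List[Listener]) -> List[str]:
    """Daemons bound to '*'; they accept traffic on any address the box owns."""
    return sorted({l.command for l in listeners if l.address == "*"})


def rebind_report(text: str, vip: str) -> dict:
    """Summarise which services need attention when `vip` changes type."""
    listeners = parse_sockstat(text)
    return {
        "vip": vip,
        "restart_required": services_bound_to(listeners, vip),
        "unaffected_wildcard": wildcard_services(listeners),
    }


if __name__ == "__main__":
    # Usage: the mobile-VPN VIP from the constructed sample.
    print(rebind_report(SOCKSTAT_SAMPLE, "203.0.113.4"))
```

On a live pfSense box the same logic applies to real output (`sockstat -4 -l` from the shell), and the practical check after switching a VIP from CARP to IP Alias is to confirm the address actually appears under the interface in `ifconfig` and that the relevant daemons show it again in sockstat once restarted.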

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold