On 09/03/15 11:23, Brian Candler wrote:
> On 09/03/2015 10:10, Bryan D. wrote:
>> Nope, it's a fully functioning setup (has been, in this form, for a
>> few years) ... just wanted to switch off CARP VIPs since I'm not
>> using failover. The only question is why won't IP Alias VIPs replace
>> the CARP VIPs?
>
> If these extra addresses belong on the firewall's outside (WAN)
> subnet, then they need to respond to ARP. As far as I can see, both
> Proxy ARP VIP and IP Alias VIP ought to work for this.
>
> I have one firewall with a similar setup here (extra public IP for
> inbound NAT), and it uses a Proxy ARP VIP. And I have another firewall
> which is using an IP Alias VIP, in this case attached to a WAN-CARP
> interface. Both are working.
>
> As long as all these NAT rules are attached to "WAN" interface, and
> your VIP is also attached to "WAN" interface, I can't see why it
> wouldn't work. As others have said - changing the type while the
> firewall is running might break things. Possibly deleting it and then
> re-adding it would be better, but that's only a guess. If minimising
> downtime is important then simulate the configuration in a virtual
> environment first.
>
> Regards,
> Brian.
> _______________________________________________
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
A CARP address has its own MAC. The IP alias shares the MAC of its
parent interface.
If you change this while running, your upstream routers/switches will
have the wrong MAC address for your IP cached.
Sending a GARP might help with this.
Or simply wait for the caches to expire. (This "can" take a long time)
Best regards
Matthias
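
The stale-cache condition described in the message above can be checked from an upstream router's `arp -an` output. The following is an added example, not code from the thread or from pfSense; the addresses, MACs and function names are constructed for illustration, and it relies on CARP using the VRRP virtual MAC range 00:00:5e:00:01:<VHID>.

```python
import re

# CARP virtual MACs come from the VRRP range 00:00:5e:00:01:<VHID>.
CARP_PREFIX = "00:00:5e:00:01:"
# Matches "? (ip) at mac ..." as printed by arp -an on BSD and Linux.
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>[0-9A-Fa-f]{1,2}(?::[0-9A-Fa-f]{1,2}){5})\b")

def normalize_mac(mac):
    """Lower-case and zero-pad octets (some arp(8) builds print 0:1b:...)."""
    return ":".join(part.zfill(2) for part in mac.lower().split(":"))

def parse_arp(text):
    """Return {ip: mac} for every resolved entry; incomplete entries are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m["ip"]] = normalize_mac(m["mac"])
    return table

def check_vips(arp_text, vips, parent_mac):
    """Classify what the upstream neighbour has cached for each VIP."""
    table, parent, result = parse_arp(arp_text), normalize_mac(parent_mac), {}
    for ip in vips:
        mac = table.get(ip)
        if mac is None:
            result[ip] = "no-entry"     # expired or unresolved; next ARP resolves fresh
        elif mac == parent:
            result[ip] = "ok"           # IP Alias MAC already learned
        elif mac.startswith(CARP_PREFIX):
            result[ip] = "stale-carp"   # old CARP MAC still cached
        else:
            result[ip] = "unexpected"   # neither MAC: investigate
    return result

# Constructed sample of upstream `arp -an` output (documentation addresses).
SAMPLE = """\
? (203.0.113.10) at 00:00:5e:00:01:01 on em0 expires in 1187 seconds [ethernet]
? (203.0.113.11) at 0:1b:21:aa:bb:cc [ether] on eth0
? (203.0.113.12) at (incomplete) on em0 expired [ethernet]
? (203.0.113.13) at 52:54:00:12:34:56 on em0 expires in 30 seconds [ethernet]
"""
PARENT_MAC = "00:1b:21:aa:bb:cc"  # constructed WAN interface MAC
VIPS = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"]

if __name__ == "__main__":
    for ip, state in check_vips(SAMPLE, VIPS, PARENT_MAC).items():
        print(ip, state)
```

Entries reported as `stale-carp` are the ones that need a gratuitous ARP or a cache expiry before the IP Alias VIP becomes reachable.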