Actually you can't use Proxy ARP as it has a limit affecting you. Proxy ARP IPs can't be in the same subnet. Sorry. CARP is what you want/need. As for your issue with not reaching the firewall when WAN is down, that is probably something else.
What you really want is an alias IP on the interface, and pfSense does not support this even if the underlying FreeBSD does this. There were (are?) reasons for this, but the last time I tried to implement that was in 2006/2007, so I don't recall why we decided not to implement it. There were several reasons, iirc.

Brgds,
Espen

On 9 March 2015 at 11:34, "Matthias May" <matth...@may.nu> wrote:

> On 09/03/15 11:23, Brian Candler wrote:
>
>> On 09/03/2015 10:10, Bryan D. wrote:
>>
>>> Nope, it's a fully functioning setup (has been, in this form, for a few
>>> years) ... just wanted to switch off CARP VIPs since I'm not using
>>> failover. The only question is why won't IP Alias VIPs replace the CARP
>>> VIPs?
>>>
>> If these extra addresses belong on the firewall's outside (WAN) subnet,
>> then they need to respond to ARP. As far as I can see, both Proxy ARP VIP
>> and IP Alias VIP ought to work for this.
>>
>> I have one firewall with a similar setup here (extra public IP for
>> inbound NAT), and it uses a Proxy ARP VIP. And I have another firewall
>> which is using an IP Alias VIP, in this case attached to a WAN-CARP
>> interface. Both are working.
>>
>> As long as all these NAT rules are attached to "WAN" interface, and your
>> VIP is also attached to "WAN" interface, I can't see why it wouldn't work.
>> As others have said - changing the type while the firewall is running might
>> break things. Possibly deleting it and then re-adding it would be better,
>> but that's only a guess. If minimising downtime is important then simulate
>> the configuration in a virtual environment first.
>>
>> Regards,
>>
>> Brian.
>>
>> _______________________________________________
>> pfSense mailing list
>> https://lists.pfsense.org/mailman/listinfo/list
>> Support the project with Gold! https://pfsense.org/gold
>>
> A CARP address has its own MAC. The IP alias shares the MAC of its
> parent interface.
> If you change this while running, your upstream routers/switches will have
> the wrong MAC address for your IP cached.
> Sending a GARP might help with this.
> Or simply wait for the caches to expire. (This "can" take a long time)
>
> Best regards
> Matthias
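Matthias's point about stale upstream caches can be checked after converting a CARP VIP to an IP Alias. The following is an added example, not part of the original thread: it reads `arp -an` style output taken on a neighbouring host or router and reports which VIPs still resolve to a CARP virtual MAC (CARP, like VRRP, uses `00:00:5e:00:01:<VHID>`). The function names, addresses and sample table are constructed for illustration.

```python
import re

# CARP (like VRRP) answers ARP with a virtual MAC of the form 00:00:5e:00:01:<VHID>.
CARP_PREFIX = "00:00:5e:00:01:"
# Matches "(ip) at mac"; "(incomplete)" entries do not match and are skipped.
ARP_LINE = re.compile(r"\((?P<ip>\d+\.\d+\.\d+\.\d+)\) at (?P<mac>[0-9a-fA-F:]{11,17})")

def norm_mac(mac):
    """Lower-case, zero-padded octets (BSD arp may print 0:0:5e:0:1:1)."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def parse_arp(text):
    """Return {ip: mac} for every resolved entry in `arp -an` style output."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = norm_mac(m.group("mac"))
    return table

def check_vips(arp_text, vips, parent_mac):
    """Classify each VIP as seen from the neighbour's ARP cache.

    ok          - cache holds the parent interface MAC (IP Alias is live)
    stale-carp  - cache still holds a CARP virtual MAC (wait or send a GARP)
    missing     - no resolved entry (expired or never learned)
    unexpected  - some other MAC answers for this address
    """
    parent = norm_mac(parent_mac)
    table = parse_arp(arp_text)
    result = {}
    for ip in vips:
        mac = table.get(ip)
        if mac is None:
            result[ip] = "missing"
        elif mac == parent:
            result[ip] = "ok"
        elif mac.startswith(CARP_PREFIX):
            result[ip] = "stale-carp"
        else:
            result[ip] = "unexpected"
    return result

# Constructed sample: neighbour's ARP table shortly after the VIP type change.
SAMPLE = """\
? (203.0.113.1) at 00:1b:21:aa:bb:01 on em0 expires in 1180 seconds [ethernet]
? (203.0.113.10) at 0:0:5e:0:1:1 on em0 expires in 912 seconds [ethernet]
? (203.0.113.11) at 00:0c:29:12:34:56 on em0 expires in 1195 seconds [ethernet]
? (203.0.113.12) at (incomplete) on em0 expired [ethernet]
"""

if __name__ == "__main__":
    vips = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]
    for ip, state in check_vips(SAMPLE, vips, "00:0C:29:12:34:56").items():
        print(ip, state)
```
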