I noticed that when creating a CARP virtual, it requires it to be attached to an interface on the same network. However, when creating a proxy ARP, it does not have this requirement. Wouldn't it be logical to allow them to have the same validation check? I am currently using proxy ARP virtuals on a pair of failover pfSense 1.2.3 systems, so if firewall A fails I will need to manually create the Proxy ARPs on B. I know I can download the config.xml and modify the entries to perform as expected, and will once I get a chance to test it outside of business hours; however, if Proxy ARP is allowed, I do not see the reason to deny this from CARP.
I have quite a few networks using fibre metro Ethernet, and Embarq (formerly Sprint) loves to provide transport networks and public networks. Basically, they give you 1.2.3.0/29 for transport (.1 is the gateway, .2-.6 usable for firewalls etc.), then assign you 6.5.4.0/27 for WAN/public access (servers, clients etc.). There is no gateway in 6.5.4.0/27; they just route all traffic to 1.2.3.1 (the transport gateway) and then let you answer for it when it's sent into the metro switch you're connected to. We used OpenBSD, manually installed and configured, previously, but were so impressed with pfSense compared to many other firewalls that we decided to finally install it on all the custom firewall configurations we had been using. Unfortunately, many of them are redundant with LOTS of CARP failover IPs.

It might be nice to put an Advanced option in for CARP that allows it to perform as P/ARP virtuals, so that people do not need to modify the XML for large quantities of VIP CARP interfaces.

Thanks,
Trevor Benson
A1 Networks
(707)570-2021 x201
[email protected]

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
Commercial support available - https://portal.pfsense.org
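An added example, not code from the original post or from the pfSense project, showing the two things the post is about: the subnet check that CARP VIPs get (and proxy ARP VIPs do not), and bulk-generating the config.xml `<vip>` entries that otherwise have to be hand-edited for a large block. It classifies each wanted address against the WAN subnet exactly the way the CARP validation would, emits a CARP entry for those that pass and a proxy ARP entry for the rest, which is what the post's routed public /27 needs. The topology (1.2.3.0/29 transport on `wan`, 6.5.4.0/27 public) is the constructed one from the post; the element names (`virtualip`, `vip`, `mode`, `interface`, `subnet`, `subnet_bits`, `descr`, `type`, `vhid`, `advskew`, `password`) and the `advskew` convention are assumptions about the config.xml layout of the release in use and should be compared against one VIP exported from your own config.xml before a generated block is pasted in; the CARP password is a constructed placeholder.

```python
"""Added example; not from the original post or the pfSense project.

Reproduces the check pfSense applies to CARP VIPs (the VIP must lie inside
the interface's subnet) and emits config.xml <vip> entries: CARP for the
addresses that pass, proxy ARP for the ones that do not.

Assumption: element names match the <virtualip> layout of your pfSense
release.  Compare against one VIP exported from your own config.xml first.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed topology mirroring the post: transport /29 on the WAN
# interface; public /27 routed to the transport gateway 1.2.3.1 by the
# carrier and answered for on the metro segment via proxy ARP.
WAN_NET = "1.2.3.0/29"
WAN_IFACE = "wan"
WANTED_VIPS = ["1.2.3.4"] + [str(a) for a in ipaddress.ip_network("6.5.4.0/27").hosts()]


def vip_in_interface_subnet(vip, iface_net):
    """The validation a CARP VIP gets in the GUI and a proxy ARP VIP does not."""
    return ipaddress.ip_address(vip) in ipaddress.ip_network(iface_net, strict=False)


def classify_vip(vip, iface_net):
    """'carp' if the address can live on the interface's subnet, else 'proxyarp'."""
    return "carp" if vip_in_interface_subnet(vip, iface_net) else "proxyarp"


def vip_element(addr, mode, interface, vhid=None, advskew=0, password=None):
    """Build one <vip> element in the (assumed) config.xml layout."""
    vip = ET.Element("vip")
    ET.SubElement(vip, "mode").text = mode
    ET.SubElement(vip, "interface").text = interface
    ET.SubElement(vip, "descr").text = f"{mode} VIP {addr}"
    ET.SubElement(vip, "type").text = "single"
    ET.SubElement(vip, "subnet_bits").text = "32"
    ET.SubElement(vip, "subnet").text = addr
    if mode == "carp":
        # CARP needs a VHID unique on the segment and a shared password;
        # advskew 0 on the master, a higher value (e.g. 100) on the backup.
        ET.SubElement(vip, "vhid").text = str(vhid)
        ET.SubElement(vip, "advskew").text = str(advskew)
        ET.SubElement(vip, "password").text = password
    return vip


def build_virtualip(vips, iface_net, interface, carp_password, advskew=0, first_vhid=1):
    """Return (<virtualip> element, [(addr, mode), ...]) for the wanted VIPs."""
    root = ET.Element("virtualip")
    plan = []
    vhid = first_vhid
    for addr in vips:
        mode = classify_vip(addr, iface_net)
        if mode == "carp":
            if vhid > 255:
                raise ValueError("CARP VHID range is 1-255; out of VHIDs")
            root.append(vip_element(addr, mode, interface, vhid, advskew, carp_password))
            vhid += 1
        else:
            root.append(vip_element(addr, mode, interface))
        plan.append((addr, mode))
    return root, plan


def virtualip_xml(vips, iface_net, interface, carp_password, advskew=0):
    """Serialised <virtualip> block to diff against, or paste into, config.xml."""
    root, _ = build_virtualip(vips, iface_net, interface, carp_password, advskew)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # "s3cret" is a constructed placeholder.  Run with advskew=0 for
    # firewall A and again with advskew=100 for firewall B.
    _, plan = build_virtualip(WANTED_VIPS, WAN_NET, WAN_IFACE, "s3cret")
    for addr, mode in plan:
        print(f"{addr:12} {mode}")
    print(virtualip_xml(WANTED_VIPS, WAN_NET, WAN_IFACE, "s3cret"))
```

With the post's numbers only 1.2.3.4 lands inside the WAN /29 and becomes CARP; every host in 6.5.4.0/27 fails the subnet check and is emitted as proxy ARP, which is the manual edit the post describes. Run it once per firewall (different `advskew`), back up config.xml before merging the output, and keep the CARP password and VHIDs identical on both nodes.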
