Discussion:
[pfSense] IP Alias -vs- Proxy ARP for NAT
Tim Hogan
2015-03-08 12:48:27 UTC
I am setting up my firewall to do 1:1 NAT with a block of public IP
addresses. I have found several posts about setting up 1:1 NAT and some
of them say to use Proxy ARP when creating the Virtual IP and others say
to use IP Alias. Can someone fully explain the difference between the
two and offer an opinion as to which would be better to use?

Regards
PiBa
2015-03-08 13:42:24 UTC
Says it all: https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses
Which is better, that depends on what you need it to do.
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Tim Hogan
2015-03-08 15:18:27 UTC
I have seen that page and I don't know about "saying it all". I still
cannot figure out what the advantages and disadvantages are. All I want
is to be able to do a 1:1 NAT with some public IP addresses. These
addresses do not need to be used by the firewall directly. So in this
case it would sound like using Proxy ARP would be the best choice. But
are there any disadvantages? What about performance?

Regards.
Espen Johansen
2015-03-09 12:08:45 UTC
Use IP alias if you are on 2.0+.
If you need redundancy (2xpfSense) use CARP. All the other options are poor
workarounds created when pfSense did not support true interface alias.

Brgds, Espen
Paul Mather
2015-03-09 15:13:39 UTC
Post by Espen Johansen
Use IP alias if you are on 2.0+.
If you need redundancy (2xpfSense) use CARP. All the other options are poor workarounds created when pfSense did not support true interface alias.
I usually use Proxy ARP for 1:1 NAT virtual IP aliases. That way, an IP address isn't assigned to an interface on the pfSense firewall itself. If you are using packages or services on the pfSense firewall that bind to all addresses ("0.0.0.0") then these will bind to your 1:1 NAT public addresses, too. With Proxy ARP, there's no IP address to bind to.

IP Aliases are fine, but I find Proxy ARP fine for 1:1 NAT.

Cheers,

Paul.
Chris Buechler
2015-03-11 08:10:14 UTC
Post by Espen Johansen
All the other options are poor
workarounds created when pfSense did not support true interface alias.
Nothing about any of them are "poor workarounds", there is a use for
every option that's there. The bullet list on this page describes why
each:
https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses

CARP - HA
IP alias - need to bind to firewall, don't want/need CARP
proxy ARP - answer ARP only, can't bind local services
Other - no L2 at all, simply a placeholder for the GUI.
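
The binding difference described by Paul Mather and Chris Buechler can be checked against a firewall's listening sockets. This added example (not from the thread or the pfSense project) lists listeners whose bind address covers a Virtual IP; the `mode address` VIP list format and all sample data are constructed, and treating CARP addresses as bindable like IP Alias is an assumption.

```shell
#!/bin/sh
# Added example: list local listeners whose bind scope includes a Virtual IP.
# Assumes the 7-column layout of FreeBSD `sockstat -4 -l`
# (USER COMMAND PID FD PROTO LOCAL FOREIGN). The VIP list format
# "mode address" is constructed for this example, not pfSense's config format.

# Constructed sample data (documentation range 203.0.113.0/24).
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       711   3  tcp4   *:22                  *:*
root     nginx      902   6  tcp4   *:443                 *:*
unbound  unbound    655   5  udp4   192.168.1.1:53        *:*
root     haproxy    1201  7  tcp4   203.0.113.10:8443     *:*'

SAMPLE_VIPS='ipalias  203.0.113.10
proxyarp 203.0.113.11
other    203.0.113.12
carp     203.0.113.13'

# $1 = sockstat text, $2 = VIP list text
# Prints: VIP MODE PROTO PORT COMMAND, one line per (listener, VIP) match.
vip_bound_listeners() {
    printf '%s\n---\n%s\n' "$2" "$1" | awk '
        $0 == "---" { in_sock = 1; next }
        !in_sock {
            # Only modes that place the address on an interface can be bound;
            # proxyarp and other leave nothing for a socket to bind to.
            if ($1 == "ipalias" || $1 == "carp") bindable[$2] = $1
            next
        }
        $1 == "USER" { next }          # skip the sockstat header row
        {
            n = split($6, parts, ":"); port = parts[n]
            addr = substr($6, 1, length($6) - length(port) - 1)
            for (vip in bindable)
                # A wildcard listener covers every interface address,
                # including each bindable VIP; explicit binds match exactly.
                if (addr == "*" || addr == vip)
                    printf "%s %s %s %s %s\n", vip, bindable[vip], $5, port, $2
        }' | sort
}

vip_bound_listeners "$SAMPLE_SOCKSTAT" "$SAMPLE_VIPS"
```

On a live system the first argument would be the output of `sockstat -4 -l`; the Proxy ARP and Other addresses never appear in the result because no socket can include them.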
