Discussion:
[pfSense] Virtual IPs: Carp or proxy arp?
Ugo Bellavance
2012-03-21 23:42:42 UTC
Hi,

I was re-reading a book to help my pfSense implementation and in the
section about VIPs, it says that some people would rather use CARP VIPs
instead of proxy ARP because of some reasons.

Then, looking at
http://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses%3F

I see that IP aliases are new in 2.0.

Here is my desired setup:

- Our ISP will provide a /28 (16 IP addresses) and we may need more in
the future
- We plan to do NAT to expose our public servers (mostly port forward)
- We don't have an FTP server to expose, but it may be necessary in the
future.
- I'm planning on setting the pfSense on a VMWare infrastructure, but we
may eventually need to make a CARP setup in the future

What should I use for my public IP addresses?

Thanks,

Ugo
Adam Thompson
2012-03-22 01:22:22 UTC
Based on that very high-level summary:
-assuming the /28 isn't a true routed /28,
-set pfSense's WAN IP to the first IP in the range (or reserve the first three if using CARP for HA)
-set all remaining IPs as CARP-type aliases, and implement inbound NAT as necessary (maybe including 1:1 for the FTP server)


-Adam
Post by Ugo Bellavance
Hi,
I was re-reading a book to help my pfSense implementation and in the
section about VIPs, it says that some people would rather use CARP VIPs
instead of proxy ARP because of some reasons.
Then, looking at
http://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses%3F
I see that IP aliases are new in 2.0.
- Our ISP will provide a /28 (16 IP addresses) and we may need more in
the future
- We plan to do NAT to expose our public servers (mostly port forward)
- We don't have an FTP server to expose, but it may be necessary in the
future.
- I'm planning on setting the pfSense on a VMWare infrastructure, but we
may eventually need to make a CARP setup in the future
What should I use for my public IP addresses?
Thanks,
Ugo
Ugo Bellavance
2012-03-22 11:38:12 UTC
Post by Adam Thompson
-assuming the /28 isn't a true routed /28,
I would have to ask my ISP to get the answer?

What is a true routed subnet? It means that every IP address in the
subnet is available in a switch in which you connect your ISP's network
cable or is it that you must use a firewall or router of your own to
address those IPs?
Post by Adam Thompson
-set pfSense's WAN IP to the first IP in the range (or reserve the first three if using CARP for HA)
I already planned/reserved 3 IPs in all of my subnets, and with the ISP.
Post by Adam Thompson
-set all remaining IPs as CARP-type aliases, and implement inbound NAT as necessary (maybe including 1:1 for the FTP server)
Ok, but are there drawbacks compared to an alias VIP?

Thanks,

Ugo
Adam Thompson
2012-03-22 12:32:34 UTC
Post by Ugo Bellavance
Post by Adam Thompson
-assuming the /28 isn't a true routed /28,
I would have to ask my ISP to get the answer?
What is a true routed subnet? It means that every IP address in the
subnet is available in a switch in which you connect your ISP's
network cable or is it that you must use a firewall or router of
your own to address those IPs?
I knew you were going to ask that :-). By my definition, a routed subnet
is one where you control a router that has (at least) two interfaces, the
entire /28 is bound to one of them, and the other interface has an IP
address that is *outside* the subnet.

In other words, the ISP delegates the entire subnet to you, and tells you
what (static) IP address they expect to reach you *through*. Delegations
in this traditional style are becoming increasingly rare, because with
advances in OSS software and hardware, it has become very easy for them to
allocate you chunks of IP space directly (without needing a router).
Also, the average consumer connecting to the internet actually *prefers* a
bunch of IPs they can use directly without having to set up a router.
When you *have* a router, however, it adds complications like 1:1 NAT.

I haven't seen any ISP delegate anything smaller than a /24 for quite a
few years now. It does make the ISP's routing more complex when they
delegate (routing table size increases, and someone has to provision
either static routes or BGP peering), so many avoid doing so at all.
Based on my experience, there are now more ISPs than there are network
engineers competent to manage delegation, so many ISPs simply don't have
the expertise required to delegate anything correctly - and therefore they
don't do it.
Post by Ugo Bellavance
Post by Adam Thompson
-set pfSense's WAN IP to the first IP in the range (or reserve the
first three if using CARP for HA)
I already planned/reserved 3 IPs in all of my subnets, and with the ISP.
OK :-). Although it's not perfect, pfSense's HA is pretty impressive -
and so easy that you may as well use it!
Post by Ugo Bellavance
Post by Adam Thompson
-set all remaining IPs as CARP-type aliases, and implement inbound
NAT as necessary (maybe including 1:1 for the FTP server)
Ok, but are there drawbacks compared to an alias VIP?
None that I've run into personally. The one I can think of is that you
can't (or rather, shouldn't) run CARP on the same network (or VLAN, or...)
as any Cisco HSRP devices because they use the same Ethertype value but
aren't compatible. Or maybe that was VRRP, can't remember. Not likely to
be an issue for very many people, in any case.

-Adam Thompson
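A small planner, added here and not taken from the thread, that applies Adam's two points above: a delegation counts as routed when the ISP's next hop lies outside the block, and the first address (or the first three when CARP HA is planned) is held back for the firewall before the rest become VIPs. The block and gateway addresses are constructed sample values, and the "carp"/"ipalias" labels are only output strings, not anything the planner pushes into pfSense.

```python
import ipaddress


def is_routed_delegation(block: str, isp_gateway: str) -> bool:
    """Adam's definition: the ISP reaches you *through* an address outside
    the block, so the whole block sits behind a router you control."""
    net = ipaddress.ip_network(block, strict=True)
    return ipaddress.ip_address(isp_gateway) not in net


def plan_vips(block: str, isp_gateway: str, plan_ha: bool) -> dict:
    """Split the ISP block into firewall WAN addresses and virtual IPs.

    Directly attached (non-routed) block: the ISP gateway is one of the
    usable addresses and is not ours. Routed block: nothing is excluded.
    With HA three addresses are held back (one real WAN address per node
    plus the shared CARP address); otherwise only the single WAN address.
    """
    net = ipaddress.ip_network(block, strict=True)
    gw = ipaddress.ip_address(isp_gateway)
    # hosts() already drops network and broadcast: a /28 leaves 14 addresses
    usable = [h for h in net.hosts() if h != gw]
    reserve = 3 if plan_ha else 1
    if len(usable) <= reserve:
        raise ValueError("block too small for the requested reservation")
    vip_type = "carp" if plan_ha else "ipalias"
    return {
        "routed": gw not in net,
        "wan": [str(a) for a in usable[:reserve]],
        "vips": [{"address": str(a), "type": vip_type} for a in usable[reserve:]],
    }


if __name__ == "__main__":
    # Constructed sample: a non-routed /28 whose gateway is the first usable address
    plan = plan_vips("203.0.113.16/28", "203.0.113.17", plan_ha=True)
    print("routed:", plan["routed"], "wan:", plan["wan"], "vips:", len(plan["vips"]))
```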
Ugo Bellavance
2012-04-04 19:21:29 UTC
Post by Adam Thompson
Post by Ugo Bellavance
Ok, but are there drawbacks compared to an alias VIP?
None that I've run into personally. The one I can think of is that you
can't (or rather, shouldn't) run CARP on the same network (or VLAN, or...)
as any Cisco HSRP devices because they use the same Ethertype value but
aren't compatible. Or maybe that was VRRP, can't remember. Not likely to
be an issue for very many people, in any case.
Wouldn't it be simpler to use IP aliases for IP addresses that are not
meant to ever be used for HA?

Thanks,

Ugo
Michael Schuh
2012-04-04 21:22:56 UTC
Post by Ugo Bellavance
Ok, but are there drawbacks compared to an alias VIP?
In virtual environments you have to take care that the virtual switches
allow/permit this type of traffic (e.g. on ESX).
The same rule is valid for physical environments, but most do it out of
the box.
--
= = = http://michael-schuh.net/ = = =
Projektmanagement - IT-Consulting - Professional Services IT
Michael Schuh
Postfach 10 21 52
66021 Saarbrücken
phone: 0681/8319664
mobil: 0175/5616453
@: m i c h a e l . s c h u h @ g m a i l . c o m

= = = Ust-ID: DE251072318 = = =
Ugo Bellavance
2012-04-05 13:07:58 UTC
Post by Ugo Bellavance
Ok, but are there drawbacks compared to an alias VIP?
In virtual environments you have to take care that the virtual switches
allow/permit this type of traffic (e.g. on ESX).
The same rule is valid for physical environments, but most do it out
of the box.
You mean for CARP? For now I won't be using HA. I'll start with a
single firewall and if the needs ask for it eventually, I'll setup CARP-HA.
Michael Schuh
2012-04-05 20:04:41 UTC
Post by Ugo Bellavance
Ok, but are there drawbacks compared to an alias VIP?
In virtual environments you have to take care that the virtual switches
allow/permit this type of traffic (e.g. on ESX).
The same rule is valid for physical environments, but most do it out
of the box.
You mean for CARP? For now I won't be using HA. I'll start with a single
firewall and if the needs ask for it eventually, I'll setup CARP-HA.
Yes. If you like to use CARP, the involved switches have to permit that
traffic.
Some don't in their default configuration. For ESX it means permitting
promiscuous mode on the switch,
which can lead to a security concern, so it's a good idea to take care of it
before you step into such security concerns.

http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)#ESX_VDS_Config
Ugo Bellavance
2012-04-07 00:14:26 UTC
On 5 April 2012 15:07, Ugo Bellavance wrote
Ok, but are there drawbacks compared to an alias VIP?
In virtual environments you have to take care that the virtual switches
allow/permit this type of traffic (e.g. on ESX).
The same rule is valid for physical environments, but most do it out
of the box.
You mean for CARP? For now I won't be using HA. I'll start with a
single firewall and if the needs ask for it eventually, I'll setup CARP-HA.
Yes. If you like to use CARP, the involved switches have to permit that
traffic.
Some don't in their default configuration. For ESX it means permitting
promiscuous mode on the switch,
which can lead to a security concern, so it's a good idea to take care of
it before you step into such security concerns.
http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)#ESX_VDS_Config
Ok, so I must keep in mind that if I ever use CARP for HA on VMWare, I
must allow promiscuous mode in the switch, but my question was more "Why
should I use CARP now"... I guess the answer is that if I use plain
aliases, I'll have to reconfigure all my VIPs if I ever need to do HA.
Right?
Michael Schuh
2012-04-09 18:08:06 UTC
Post by Ugo Bellavance
On 5 April 2012 15:07, Ugo Bellavance wrote
Ok, but are there drawbacks compared to an alias VIP?
In virtual environments you have to take care that the virtual switches
allow/permit this type of traffic (e.g. on ESX).
The same rule is valid for physical environments, but most do it out
of the box.
You mean for CARP? For now I won't be using HA. I'll start with a
single firewall and if the needs ask for it eventually, I'll setup CARP-HA.
Yes. If you like to use CARP, the involved switches have to permit that
traffic.
Some don't in their default configuration. For ESX it means permitting
promiscuous mode on the switch,
which can lead to a security concern, so it's a good idea to take care of
it before you step into such security concerns.
http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)#ESX_VDS_Config
Ok, so I must keep in mind that if I ever use CARP for HA on VMWare, I
must allow promiscuous mode in the switch, but my question was more "Why
should I use CARP now"... I guess the answer is that if I use plain
aliases, I'll have to reconfigure all my VIPs if I ever need to do HA.
Right?
OK.
Based on the limited information I have and my personal impression:
if you don't know it, do not use it. :8~)

And yes, if you use CARP your IP setup may be slightly different.

Some general rules:

KISS - Keep it super simple (simple as possible)

First make it work, then make it beautiful.

HTH
Ugo Bellavance
2012-04-10 11:39:07 UTC
Post by Ugo Bellavance
Ok, so I must keep in mind that if I ever use CARP for HA on VMWare,
I must allow promiscuous mode in the switch, but my question was more
"Why should I use CARP now"... I guess the answer is that if I use
plain aliases, I'll have to reconfigure all my VIPs if I ever need
to do HA. Right?
OK.
if you don't know it, do not use it. :8~)
And yes, if you use CARP your IP setup may be slightly different.
KISS - Keep it super simple (simple as possible)
First make it work, then make it beautiful.
HTH
I understand what you mean. At the time I was using m0n0wall, I used
proxy arp. But this time I think I'll use aliases but still reserve 2
other IP addresses in every subnet in case I ever start using CARP HA.

Thanks,

Ugo
