[pfSense] Virtual IPs: Carp or proxy arp?
athompso at athompso.net
Thu Mar 22 08:32:34 EDT 2012
> On 2012-03-21 21:22, Adam Thompson wrote:
> > Based on that very high-level summary:
> > -assuming the /28 isn't a true routed /28,
> I would have to ask my ISP to get the answer?
> What is a true routed subnet? It means that every IP address in the
> subnet is available in a switch in which you connect your ISP's
> network cable or is it that you must use a firewall or router of
> your own to address those IPs?
I knew you were going to ask that :-). By my definition, a routed subnet
is one where you control a router that has (at least) two interfaces, the
entire /28 is bound to one of them, and the other interface has an IP
address that is *outside* the subnet.
In other words, the ISP delegates the entire subnet to you, and tells you
what (static) IP address they expect to reach you *through*. Delegations
in this traditional style are becoming increasingly rare, because with
advances in OSS software and hardware, it has become very easy for them to
allocate you chunks of IP space directly (without needing a router).
Also, the average consumer connecting to the internet actually *prefers* a
bunch of IPs they can use directly without having to set up a router.
When you *have* a router, however, it adds complications like 1:1 NAT.
I haven't seen any ISP delegate anything smaller than a /24 for quite a
few years now. It does make the ISP's routing more complex when they
delegate (routing table size increases, and someone has to provision
either static routes or BGP peering), so many avoid doing so at all.
Based on my experience, there are now more ISPs than there are network
engineers competent to manage delegation, so many ISPs simply don't have
the expertise required to delegate anything correctly - and therefore they
don't do it.
> > -set pfSense's WAN IP to the first IP in the range (or reserve the
> > first three if using CARP for HA)
> I already planned/reserved 3 IPs in all of my subnets, and with the
OK :-). Although it's not perfect, pfSense's HA is pretty impressive -
and so easy that you may as well use it!
> > -set all remaining IPs as CARP-type aliases, and implement inbound
> > NAT as necessary (maybe including 1:1 for the FTP server)
> Ok, but are there drawbacks compared to an alias VIP?
None that I've run into personally. The one I can think of is that you
can't (or rather, shouldn't) run CARP on the same network (or VLAN, or...)
as any Cisco HSRP devices because they use the same Ethertype value but
aren't compatible. Or maybe that was VRRP, can't remember. Not likely to
be an issue for very many people, in any case.
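The address layout recommended in the reply above (first three addresses of the block for the WAN pair, every remaining address a CARP-type VIP, and "routed" meaning the ISP's next hop lies outside the block) worked through as an added example. This is not code from the post or from pfSense; the block 203.0.113.0/28, the next-hop addresses, the internal 1:1 NAT host and the top-down mapping policy are constructed for illustration, and the rendered lines use FreeBSD's in-kernel CARP ifconfig(8) syntax, which pfSense generates for you and which is shown here only to make the plan concrete.

```python
"""Address plan for a small public block behind a pfSense CARP pair.

Added example, not taken from the mailing-list post or from pfSense.
Layout follows the post's advice: reserve the first three usable
addresses (WAN primary, WAN secondary, shared CARP WAN address) and make
every remaining address a CARP-type VIP for port forwards or 1:1 NAT.
A block is "routed" in the post's sense when the ISP's next hop is
outside the block; when it is on-link, the ISP's gateway occupies one
address of the block and is excluded from the plan.
"""
import ipaddress
from dataclasses import dataclass, field

RESERVED = 3  # WAN primary, WAN secondary, shared CARP WAN address


@dataclass
class VipPlan:
    routed: bool                 # True when the ISP next hop is outside the block
    prefixlen: int               # mask length of the delegated block
    wan_primary: str             # real WAN IP of the master firewall
    wan_secondary: str           # real WAN IP of the backup firewall
    wan_carp: str                # shared CARP WAN address (vhid 1)
    carp_vips: list = field(default_factory=list)   # one CARP VIP per spare address
    one_to_one: dict = field(default_factory=dict)  # CARP VIP -> internal host (1:1 NAT)


def plan_block(block, isp_next_hop, one_to_one_hosts=()):
    """Build the VIP plan for `block` given the ISP's next-hop address."""
    net = ipaddress.ip_network(block, strict=True)
    gateway = ipaddress.ip_address(isp_next_hop)
    routed = gateway not in net
    # On-link delegation: the ISP's router itself holds one address of the block.
    usable = [a for a in net.hosts() if routed or a != gateway]
    if len(usable) <= RESERVED:
        raise ValueError(f"{block} leaves no spare addresses after reserving {RESERVED}")
    wan = usable[:RESERVED]
    vips = [str(a) for a in usable[RESERVED:]]
    if len(one_to_one_hosts) > len(vips):
        raise ValueError("more 1:1 NAT hosts than spare public addresses")
    # Constructed policy: 1:1 NAT mappings are handed out from the top of the block
    # so the low addresses stay free for ordinary port forwards.
    mapping = dict(zip(reversed(vips), one_to_one_hosts))
    return VipPlan(routed, net.prefixlen, str(wan[0]), str(wan[1]), str(wan[2]),
                   vips, mapping)


def render_carp(plan, node="master", iface="em0", password="changeme"):
    """Render the plan as FreeBSD in-kernel CARP ifconfig(8) lines for one node.

    The master advertises with advskew 0, the backup with a higher skew so
    it loses the election while the master is alive. Each VIP gets its own
    vhid; vhids must be unique on the segment. Shared addresses in the same
    subnet as the real WAN IP are added as /32 aliases, as in the FreeBSD
    handbook's CARP examples.
    """
    real_ip = plan.wan_primary if node == "master" else plan.wan_secondary
    advskew = 0 if node == "master" else 100
    lines = [f"ifconfig {iface} inet {real_ip}/{plan.prefixlen}",
             f"ifconfig {iface} vhid 1 advskew {advskew} pass {password} "
             f"alias {plan.wan_carp}/{plan.prefixlen}"]
    for vhid, vip in enumerate(plan.carp_vips, start=2):
        lines.append(f"ifconfig {iface} vhid {vhid} advskew {advskew} "
                     f"pass {password} alias {vip}/32")
    return lines


if __name__ == "__main__":
    # Constructed inputs: an on-link /28 whose ISP gateway is the first address,
    # with one internal FTP host that should get a 1:1 NAT mapping.
    plan = plan_block("203.0.113.0/28", "203.0.113.1", ["10.0.0.21"])
    print("routed:", plan.routed, "| 1:1 NAT:", plan.one_to_one)
    print("\n".join(render_carp(plan, node="backup")))
```

Run it once with the ISP next hop inside the block and once with a next hop outside it: the on-link case yields ten CARP VIPs because the ISP's gateway address is lost, the routed case eleven, which is the practical difference the post's "true routed /28" question comes down to.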