pfSense Virtual IP Addresses: Part Two

In the previous article, I covered setting up pfSense virtual IP addresses with Proxy ARP and CARP. In this article, I will cover pfSense virtual IP addresses of the IP Alias and Other types.

pfSense Virtual IP Addresses: IP Alias


Setting up a pfSense virtual IP address with IP Alias in pfSense 2.0.

IP aliasing is the ability to associate more than one IP address with a single network interface. With it, one node can have multiple addresses on a network, each serving a different purpose. In a sense, it is the reverse of some of the other scenarios envisioned for virtual IP addresses, in which traffic for one IP address can be directed to several different nodes. IP Alias VIPs have these properties:

  • New to pfSense 2.0 (and later)
  • Can be used or forwarded by the firewall
  • Allows entire IP addresses to be added to an interface
  • Works on Layer 2 (Data link layer)
  • Can be in a different subnet than the real interface IP
  • Will respond to a ping request if allowed by firewall rules
  • Can be stacked on top of a CARP VIP to bypass VHID limits and lower the amount of CARP heartbeat traffic. Stacked IP Alias VIPs will synchronize via XMLRPC.
  • Can be used with CARP to add additional subnets to CARP, e.g. add one unique IP Alias from the new subnet to each node, then add the CARP VIPs. These must be added to each node individually, as they do not synchronize via XMLRPC (if they did, an IP conflict would occur).

To set up a VIP using IP Alias, start at Firewall -> Virtual IPs and once again click on the “plus” button to add a new virtual IP address. Select “IP Alias” as the “Type” with the radio buttons at the top. For “Interface”, select “WAN” (it should be the default). At “IP Addresses”, type an address at “Address” (everything else should be grayed out). At “Description”, add a description if desired. Click on the “Save” button to save the changes, and then on the next screen, click on “Apply changes” if necessary.

pfSense Virtual IP Addresses: Other

“Other” is the only one of the four VIP types provided in pfSense 2.0 that can be used for addresses routed to the firewall without needing ARP/Layer 2 messages. Its properties are:

  • Can only be forwarded by the firewall
  • Can be in a different subnet than the interface
  • Cannot respond to pings
  • Can be added individually or as a subnet to make a group of VIPs (As of 2.1)
  • Can be used with CARP, e.g. subnet routed to external CARP VIP

Notably, both IP Alias and Other can be used for clustering (master firewall and standby failover firewall).

To add a virtual IP of type “Other”, again navigate to Firewall -> Virtual IPs and click the “plus” button to add a new virtual IP address. At “Type”, choose “Other” with the radio buttons. At “Interface”, select “WAN” (the default). At “IP Addresses”, type an address at “Address” (all other options are grayed out). At “Description”, add a description if desired. Then press “Save” to save the changes and press “Apply changes” if necessary.

As you can see, setting up pfSense virtual IP addresses is almost trivially easy. The more difficult task is deciding which type of VIP is suited for your requirements and choosing accordingly. The official pfSense documentation site has a table which lists some of the features of the different pfSense VIP types, and I am reprinting it here:

VIP Features Table

VIP Type   Version  NAT  Binding  ARP/L2  Clustering  In Subnet  Subnet Mask  ICMP    Single/Group
CARP       1.x+     Yes  Yes      Yes     Yes         Yes        Yes          Yes     Single
Proxy ARP  1.x+     Yes  No       Yes     No          No         n/a          No (1)  Either
Other      1.x+     Yes  No       No      Yes (2)     No         n/a          No (1)  Either
IP Alias   2.0+     Yes  Yes      Yes     See Notes   No         No           Yes     Single

(1) The ICMP column represents responses from the firewall itself without NAT. With 1:1 NAT, any VIP will pass ICMP through to the target device. On 2.1+, ICMP can also be used as a protocol in port forward entries.
(2) “Other” type VIPs are for routed subnets, and CARP is irrelevant, so they work
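To turn the table above into something you can run against a firewall backup, here is an added example (my own code, not from the page or the pfSense project) that audits the VIP entries in a pfSense config.xml: for each VIP it reports whether the firewall will answer ARP for it, whether services can bind to it, whether it answers ping unNATed, and flags CARP or IP Alias entries defined as a subnet rather than a single address. The config.xml layout (a `<virtualip>` list of `<vip>` elements with `mode`, `interface`, `subnet`, `subnet_bits`, `type` and `descr` children) is an assumption, and the sample config is constructed.

```python
# Added example: audit the <virtualip> section of a pfSense config.xml against
# the VIP feature table on this page. The config.xml element layout used here
# (mode/interface/subnet/subnet_bits/type/descr) is an assumption.
import xml.etree.ElementTree as ET

# Per the feature table: which VIP types the firewall answers for at Layer 2
# (ARP), which it can bind services to, which answer ICMP without NAT, and
# which must be a single address rather than a subnet.
FEATURES = {
    "carp":     {"l2": True,  "bind": True,  "icmp": True,  "single_only": True},
    "proxyarp": {"l2": True,  "bind": False, "icmp": False, "single_only": False},
    "other":    {"l2": False, "bind": False, "icmp": False, "single_only": False},
    "ipalias":  {"l2": True,  "bind": True,  "icmp": True,  "single_only": True},
}

# Constructed sample config (documentation addresses), mimicking the assumed layout.
SAMPLE_CONFIG = """<pfsense><virtualip>
  <vip><mode>ipalias</mode><interface>wan</interface><subnet>203.0.113.10</subnet>
       <subnet_bits>32</subnet_bits><type>single</type><descr>mail</descr></vip>
  <vip><mode>other</mode><interface>wan</interface><subnet>198.51.100.0</subnet>
       <subnet_bits>29</subnet_bits><type>network</type><descr>routed block</descr></vip>
  <vip><mode>carp</mode><interface>wan</interface><subnet>203.0.113.0</subnet>
       <subnet_bits>24</subnet_bits><type>network</type><descr>bad carp</descr></vip>
</virtualip></pfsense>"""


def audit_vips(config_xml):
    """Return one dict per VIP with its exposure properties and any rule violations."""
    root = ET.fromstring(config_xml)
    results = []
    for vip in root.findall("./virtualip/vip"):
        mode = (vip.findtext("mode") or "").strip()
        addr = f"{vip.findtext('subnet')}/{vip.findtext('subnet_bits')}"
        entry = {"descr": vip.findtext("descr") or "", "mode": mode,
                 "address": addr, "issues": []}
        feats = FEATURES.get(mode)
        if feats is None:
            entry["issues"].append(f"unknown VIP mode {mode!r}")
        else:
            entry.update(answers_arp=feats["l2"], can_bind=feats["bind"],
                         answers_ping=feats["icmp"])
            # CARP and IP Alias are "Single" in the table; a subnet entry is a misconfiguration.
            if feats["single_only"] and (vip.findtext("type") or "single") != "single":
                entry["issues"].append(f"{mode} VIPs must be a single address, got {addr}")
        results.append(entry)
    return results


if __name__ == "__main__":
    for r in audit_vips(SAMPLE_CONFIG):
        print(r)
```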

External Links:

What are Virtual IP Addresses? at doc.pfsense.org

© 2013 David Zientara. All rights reserved.