
Currently I have a redundant pfSense firewall system set up for our corporate server farm. The main router IPs are sharing an IP address through Carp. Our two public /27 networks are assigned as proxy arp addresses to the wan interfaces and are routed to the shared Carp address.

i.e.:
public carp: 10.10.10.10
firewall 1: 10.10.10.11
firewall 2: 10.10.10.12
network 172.31.1.0/27 routed to 10.10.10.10 
   (proxy arp network assigned to WAN in firewall)
network 172.31.2.0/27 routed to 10.10.10.10
   (proxy arp network assigned to WAN in firewall)

My question is, would it be a better practice to use Carp for those /27 networks? I'm reading a decent amount of warnings that proxy arps can screw up traffic.

My redundancy lies in the firewall, so I don't think that Carp is necessary for the other networks. Any advice that is out there would be helpful.

goose
  • Can you define what you mean by using proxy arp to route? Do you mean you have the firewall respond to the arp requests and then have it route the 172.31.1/2.0/27 addresses? – Kevin Nisbet Dec 10 '09 at 23:20
  • The firewall responds to the public arp requests for the 2 /27 networks and routes requests for various services to the internal network. Let's say it is on a 192.168.1.0/24 network internally. – goose Dec 11 '09 at 13:23

2 Answers

1

Proxy ARP isn't going to break anything (assuming it's configured correctly; it's possible to screw up any type of IP configuration and break things). CARP and proxy ARP are just two different means of accomplishing the same end result. If you have redundant firewalls, or want to add a secondary in the future, use CARP. If you need anything running on the firewall itself to bind to the addresses, you have to use CARP (or IP aliases in 2.0). If you don't have a secondary and don't ever plan on adding one, and don't have a need to bind anything on the firewall to those IPs, it doesn't matter either way. Sometimes proxy ARP is preferable if you never want anything on the firewall to be able to bind to those IPs and you're strictly using them for NAT.

The various virtual IPs and which to use where are covered in much more depth in http://pfsense.org/book

Chris Buechler
-1

Using proxy arp is almost always a bad idea. It is generally more difficult to diagnose and the caching properties of arp on the various hardware/software you have on your network can make changes in the future harder. While there are cases where proxy arp may be required this isn't one of them (from the parameters you've laid out) and you should really attempt to use carp.

polynomial
  • It's not true that it's almost always a bad idea. All proxy ARP does is answer ARP requests for additional IPs using the same MAC as the physical NIC. It's little different from assigning IP aliases or using CARP as far as potential layer 2 issues and troubleshooting goes. See my answer for more details. – Chris Buechler Aug 31 '11 at 06:11
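The point Chris makes (proxy ARP answers with the physical NIC's MAC, CARP answers with the virtual MAC 00:00:5e:00:01:VHID) gives an easy way to audit which public addresses will actually follow a CARP failover. The script below is an added example, not from the question or either answer; it parses constructed FreeBSD-style `arp -an` output as seen from a host on the WAN segment, using the question's example addresses with made-up MACs, and lists addresses in the two /27s that still resolve to a physical MAC.

```python
"""Audit ARP table entries: CARP virtual MAC vs. physical NIC MAC.

CARP replies to ARP for a VIP with 00:00:5e:00:01:<VHID>, so such an address moves
with the CARP master. Proxy ARP and IP-alias addresses resolve to one box's real
NIC MAC and do not fail over (and stale ARP caches keep pointing at that MAC).
"""
import ipaddress
import re

CARP_MAC_PREFIX = "00:00:5e:00:01:"

# Constructed sample of FreeBSD/pfSense ``arp -an`` output (MACs are invented):
# 10.10.10.10 is the CARP VIP (VHID 5), 172.31.1.1 is behind CARP,
# 172.31.2.1 is still answered by firewall 1's physical NIC via proxy ARP.
SAMPLE_ARP_TABLE = """\
? (10.10.10.10) at 00:00:5e:00:01:05 on em0 expires in 1172 seconds [ethernet]
? (10.10.10.11) at 02:11:22:33:44:01 on em0 expires in 1150 seconds [ethernet]
? (10.10.10.12) at 02:11:22:33:44:02 on em0 expires in 900 seconds [ethernet]
? (10.10.10.99) at (incomplete) on em0 expired [ethernet]
? (172.31.1.1) at 00:00:5e:00:01:05 on em0 expires in 1100 seconds [ethernet]
? (172.31.2.1) at 02:11:22:33:44:01 on em0 expires in 1050 seconds [ethernet]
"""

ARP_LINE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)


def parse_arp_table(text):
    """Return {ip: mac} from arp -an output; incomplete entries are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            entries[m.group("ip")] = m.group("mac").lower()
    return entries


def classify(entries):
    """Map each IP to ('carp', vhid) or ('physical', mac)."""
    result = {}
    for ip, mac in entries.items():
        if mac.startswith(CARP_MAC_PREFIX):
            result[ip] = ("carp", int(mac[-2:], 16))  # last octet is the VHID
        else:
            result[ip] = ("physical", mac)
    return result


def addresses_not_on_carp(entries, networks):
    """Addresses inside the given networks (the question's two /27s) that resolve
    to a non-CARP MAC and therefore will not follow a CARP failover."""
    nets = [ipaddress.ip_network(n) for n in networks]
    return sorted(ip for ip, mac in entries.items()
                  if any(ipaddress.ip_address(ip) in n for n in nets)
                  and not mac.startswith(CARP_MAC_PREFIX))
```

Run it against real `arp -an` output from a neighbouring host after a forced failover; any address the function reports is one whose ARP entry still points at the old master.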