On 09/03/2015 10:10, Bryan D. wrote:
> Nope, it's a fully functioning setup (has been, in this form, for a few years)
> ... just wanted to switch off CARP VIPs since I'm not using failover. The only
> question is why won't IP Alias VIPs replace the CARP VIPs?

If these extra addresses belong on the firewall's outside (WAN) subnet,
then they need to respond to ARP. As far as I can see, both Proxy ARP
VIP and IP Alias VIP ought to work for this.

I have one firewall with a similar setup here (extra public IP for
inbound NAT), and it uses a Proxy ARP VIP. And I have another firewall
which is using an IP Alias VIP, in this case attached to a WAN-CARP
interface. Both are working.

As long as all these NAT rules are attached to "WAN" interface, and your
VIP is also attached to "WAN" interface, I can't see why it wouldn't
work. As others have said - changing the type while the firewall is
running might break things. Possibly deleting it and then re-adding it
would be better, but that's only a guess. If minimising downtime is
important then simulate the configuration in a virtual environment first.

Regards,

Brian.
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list