On 2015-Mar-09, at 3:34 AM, Matthias May <[email protected]> wrote:
> A CARP address has its own MAC. The IP alias shares the MAC of its parent
> interface.
> If you change this while running, your upstream routers/switches will have
> the wrong MAC address for your IP cached.
> Sending a GARP might help with this.
> Or simply wait for the caches to expire. (This "can" take a long time)

...AND...

On 2015-Mar-09, at 3:23 AM, Brian Candler <[email protected]> wrote:
> As long as all these NAT rules are attached to "WAN" interface, and your VIP
> is also attached to "WAN" interface, I can't see why it wouldn't work. As
> others have said - changing the type while the firewall is running might
> break things. Possibly deleting it and then re-adding it would be better, but
> that's only a guess. If minimising downtime is important then simulate the
> configuration in a virtual environment first.

Thanks. This makes sense and likely confirms what I'd expected ... minus some of the details.

I'll try changing the VIP for the less critical IP at a low-traffic time and also try rebooting the router after the change.

I'm betting it's just "didn't wait long 'nuff" ... these explanations and the other responses have helped in the understanding.

Thanks, it's appreciated.

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
