
Topic: About 'stacking' alias ip(s) on a CARP address

hcoin (Full Member)
About 'stacking' alias ip(s) on a CARP address
« on: December 28, 2017, 12:11:32 pm »
I'd like a 'yes' or a correction of the statements below regarding the matter of assigning an ip alias not to an interface address but to a carp address.

1) Each IP alias address stacked onto a CARP address, whether ipv4 or ipv6, will advertise ownership of that address only when the associated system is in carp MASTER mode.

2) It is an enforced pfsense requirement that IP aliases stacked on a CARP address be part of exactly the same subnet (and so ip version) as the associated carp address. (see also specifically denied scenario 9 below).

3) The benefit of this facility is to avoid all the traffic necessary to support a shared address when supporting one is enough to provide the benefit.

4) Every PFsense supported application / facility that listens on all addresses for service will respond to a packet for an ip alias destination stacked on a carp address no differently than it would for a carp address destination, and does not need special notification when the system transitions to/from master status. It is possible sessions in progress at the time of the transition in status will be dropped mid-session.

5) Every PFsense supported SERVICE application (ntp, dns, etc.) that binds to a specific address can bind to a carp address or an ip alias address whether the system is the CARP master or not, but will only get incoming packets when the system is the CARP master. There is no need to comprehend how to alert/notify each service that a system's CARP status has changed (i.e. 'nonlocal bind' is allowed). It is possible sessions ongoing at the time of transition to/from master status will be dropped.

6) As of version 2.4.2, there is no facility to bring an interface not associated with the interface participating in CARP up or down depending on, or 'tracking', whether a CARP participating interface is master or not. (Use case: need to pay for only one public static ip by having the wan interface track a carp address master status on the lan interface. Presently I need 3 public ips, currently costing $48/year or so more than one.)

7) As of version 2.4.2, there is no facility to launch a 'shell command' when a particular carp address changes status.

8) As of version 2.4.2, there is no way to send a pfsense supported service a 'start' or 'stop' command when a chosen carp address changes status to / from Master.

9) If a system has, on one interface, a permanent alias on subnet A, an assigned interface address on subnet B, and a CARP address on subnet B, it is not possible to stack further IP alias address(es) on subnet A that are active and advertise ownership only when the CARP address on subnet B is master.

How close did I get?  Please post a whole 'corrected true list' in response rather than remarks as to this or that point.
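An added example, not part of hcoin's post and not pfSense's own code: if an operator wanted to script from the shell the kind of tracking items 6 to 8 ask about, the per-VHID CARP state can be read from FreeBSD's `ifconfig` output, which on pfSense 2.4.x (FreeBSD 11) prints one `carp: STATE vhid N advbase ... advskew ...` line per VHID. The interface name, addresses and VHID numbers below are made up, the `ifconfig` text is a constructed sample rather than a capture, and the service-control step is left as an `echo` placeholder, since the post states that no built-in start/stop hook exists. A VHID that is not present yields `UNKNOWN` rather than being mistaken for `BACKUP`, so a typo in a cron job never stops a service on the node that is actually master.

```sh
#!/bin/sh
# Added example, not from the forum post or from pfSense itself.
# Reads the state (MASTER/BACKUP/INIT) of one CARP VHID from FreeBSD
# `ifconfig` output so that a cron job or shell script can react to it.
# Assumption: FreeBSD 11-era ifconfig formatting ("carp: STATE vhid N ..."),
# as on pfSense 2.4.x. Interface, addresses and VHIDs below are invented.

# Constructed sample ifconfig output (not a real capture) for offline runs.
# VHID 1 carries a CARP address plus an IP alias stacked on it (both "vhid 1");
# VHID 2 is a second VIP on which this node is currently BACKUP.
SAMPLE_IFCONFIG='em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.0.2.2 netmask 0xffffff00 broadcast 192.0.2.255
	inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255 vhid 1
	inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255 vhid 1
	carp: MASTER vhid 1 advbase 1 advskew 0
	carp: BACKUP vhid 2 advbase 1 advskew 100'

# carp_state VHID [IFCONFIG_TEXT]
# Prints MASTER, BACKUP or INIT for VHID. Prints UNKNOWN when no "carp:" line
# for that VHID exists, so a wrong VHID is never reported as BACKUP.
# Without IFCONFIG_TEXT the live `ifconfig` output is used.
carp_state() {
	if [ -n "${2:-}" ]; then
		printf '%s\n' "$2"
	else
		ifconfig
	fi | awk -v v="$1" '
		$1 == "carp:" && $3 == "vhid" && $4 == v { print $2; found = 1; exit }
		END { if (!found) print "UNKNOWN" }'
}

# carp_action VHID [IFCONFIG_TEXT]
# Maps the VHID state to the service action an operator would want:
#   MASTER        -> start
#   BACKUP / INIT -> stop
#   UNKNOWN       -> none (never touch the service on a parse failure)
carp_action() {
	case "$(carp_state "$1" "${2:-}")" in
		MASTER)      echo "start" ;;
		BACKUP|INIT) echo "stop" ;;
		*)           echo "none" ;;
	esac
}

# carp_track VHID SERVICE [IFCONFIG_TEXT]
# Driver for a cron job: reports what would be done with SERVICE.
# The echo is a placeholder (hypothetical); a real deployment would replace
# it with its own service start/stop command. Returns 1 if VHID is unknown.
carp_track() {
	action=$(carp_action "$1" "${3:-}")
	if [ "$action" = "none" ]; then
		echo "vhid $1 not found; leaving $2 alone" >&2
		return 1
	fi
	echo "would $action $2 (vhid $1 is $(carp_state "$1" "${3:-}"))"
}

# Offline usage against the constructed sample:
#   carp_track 1 ntpd "$SAMPLE_IFCONFIG"
# Live usage on the firewall (reads real ifconfig output):
#   carp_track 1 ntpd
```

Run from cron on both nodes, the same script yields `start` on whichever node currently holds the VHID and `stop` on the other, which is the per-VHID tracking behaviour the post says the 2.4.2 GUI does not offer; only the `awk` field positions depend on the assumed `ifconfig` format.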