Virtual IPs

DefenseBolt enables the use of multiple public IP addresses in conjunction with NAT or local services through Virtual IPs (VIPs).

There are four types of Virtual IPs available in DefenseBolt: IP Alias, CARP, Proxy ARP, and Other. Each is useful in different situations. In most circumstances, pfSense will need to provide ARP on your VIPs, so you must use IP Alias, Proxy ARP or CARP. In situations where ARP is not required, such as when additional public IPs are routed by your provider to your WAN IP, use Other type VIPs.

Browse to Firewall > Virtual IPs.

../_images/image138.png

Click the plus button to add a new virtual IP address.

../_images/image223.png

Choose as Type.

Select the WAN as the Interface.

Specify the IP Address.

Add a Description.

../_images/image314.png

IP Alias

IP Alias type VIPs were added in DefenseBolt 2.x, so they are a fairly recent addition. IP Aliases work just like any other IP address on an interface, such as the actual interface IP address. They will respond to layer 2 (ARP) and can bind services like CARP. They can also be used to handle multiple subnets on the same interface. DefenseBolt will respond to ping on an IP Alias, and services on the firewall that bind to all interfaces will also respond on the IP Alias VIP, unless the VIP is used to forward those ports in to another device.

Note

IP Alias VIPs can use Localhost as their interface if you want to bind services using IPs from a block of routed addresses without specifically assigning the IPs to an interface. This is mostly useful in a CARP scenario so that IPs do not need to be used up by a CARP setup (one IP each per node, then the rest as CARP VIPs) when the subnet does not need to exist outside of the firewall’s usage for binding services, NAT, and so on.

../_images/image3.11.png

IP Aliases on their own do not sync to XML-RPC Configuration Sync peers because that would cause an IP conflict. One exception to this is IP Alias VIPs using a CARP VIP “interface” for their interface. Those do not result in a conflict, so they do synchronize. Another exception is IP Alias VIPs bound to Localhost as their interface. Because these are not active outside of the firewall node, there is no chance of a conflict, so they will also synchronize.

Proxy ARP

../_images/image514.png

Proxy ARP functions strictly at layer 2, simply providing ARP replies for the specified IP address or CIDR range of IP addresses. This allows DefenseBolt to forward traffic destined to that address according to your NAT configuration. The address or range of addresses are not assigned to any interface on DefenseBolt, because they don’t need to be. This means no services on DefenseBolt itself can respond on these IPs. This is generally considered a benefit, as your additional public IPs should only be used for NAT purposes. Proxy ARP VIPs do not sync to XML-RPC Configuration Sync peers because that would cause an IP conflict.

CARP

../_images/image410.png

CARP VIPs are mostly used with redundant deployments utilizing CARP. For information on using CARP VIPs, see High Availability, which covers hardware redundancy.

Some people prefer to use CARP VIPs even when using only a single firewall. This is usually because DefenseBolt will respond to pings on CARP VIPs if your firewall rules permit this traffic (the default rules do not, for VIPs on WAN). Though IP Aliases may also be used for that, using CARP VIPs also prepares you for the future in case you decide to change this firewall into a redundant cluster setup.

DefenseBolt will not respond to pings destined to Proxy ARP and Other VIPs regardless of your firewall rule configuration. With Proxy ARP and Other VIPs, you must configure NAT to an internal host for ping to function. See Network Address Translation for more information.

CARP VIPs and IP Alias VIPs can be combined in two ways.

../_images/image4.15.png
  • To reduce the amount of CARP heartbeats by stacking IP Alias VIPs on CARP VIPs. See Using IP Aliases to Reduce Heartbeat Traffic.
  • To use CARP VIPs in multiple subnets on a single interface.

Other

../_images/image514.png

Other VIPs allow you to define additional IP addresses for use when ARP replies for the IP address are not required. The only function of adding an Other VIP is making that address available in the NAT configuration screens. This is useful when you have a public IP block routed to your WAN IP address, IP Alias, or a CARP VIP.
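The sections above state which VIP type fits which situation: addresses that live on the WAN segment need a type that answers ARP (IP Alias, Proxy ARP or CARP), Proxy ARP and Other VIPs can never host services on the firewall itself, and only some IP Alias VIPs sync to an XML-RPC peer. The following Python linter is an added illustration of those rules, not code from DefenseBolt or its documentation. The `VirtualIP` record, its field names, the `binds_service` flag, the interface spelling `"localhost"` and the convention of naming a CARP VIP by its description are all assumptions made for the example; the addresses are constructed documentation ranges.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of a virtual IP entry. The field names and the
# binds_service flag are assumptions for this example, not DefenseBolt's format.
ARP_TYPES = {"ipalias", "proxyarp", "carp"}   # types that answer ARP on the wire
SERVICE_TYPES = {"ipalias", "carp"}           # types the firewall itself can answer on


@dataclass
class VirtualIP:
    type: str            # "ipalias", "proxyarp", "carp" or "other"
    interface: str       # "wan", "localhost", or the description of a CARP VIP
    subnet: str          # address with prefix, e.g. "203.0.113.10/32"
    description: str = ""
    binds_service: bool = False   # hypothetical: a local service is bound to this VIP


def _network(cidr: str) -> ipaddress.IPv4Network | ipaddress.IPv6Network:
    # strict=False lets a host address with a prefix ("203.0.113.1/29") describe its subnet.
    return ipaddress.ip_network(cidr, strict=False)


def lint_vips(wan_subnet: str, vips: list[VirtualIP]) -> list[str]:
    """Return human-readable findings for VIPs whose type does not fit its use."""
    wan_net = _network(wan_subnet)
    findings: list[str] = []
    for v in vips:
        net = _network(v.subnet)
        # subnet_of() raises across address families, so compare versions first.
        on_wan_segment = net.version == wan_net.version and net.subnet_of(wan_net)

        # Rule 1: an address inside the directly attached WAN subnet is reached by
        # ARP, so an Other VIP there is never answered. Use IP Alias, Proxy ARP or CARP.
        if v.type == "other" and on_wan_segment:
            findings.append(
                f"{v.description}: Other VIP {v.subnet} lies inside WAN subnet {wan_net}; "
                "hosts there resolve it by ARP, so use IP Alias, Proxy ARP or CARP instead"
            )

        # Rule 2: Proxy ARP and Other VIPs are not assigned to an interface, so the
        # firewall cannot respond on them (no ping, no bound service). Only NAT to an
        # internal host works; a local service needs an IP Alias or CARP VIP.
        if v.binds_service and v.type not in SERVICE_TYPES:
            findings.append(
                f"{v.description}: {v.type} VIP {v.subnet} cannot host a firewall service; "
                "use IP Alias or CARP, or NAT the port to an internal host"
            )
    return findings


def syncs_to_peers(v: VirtualIP, vips: list[VirtualIP]) -> Optional[bool]:
    """Whether XML-RPC Configuration Sync copies this VIP to the peer, per the rules
    stated in the text. Only the IP Alias and Proxy ARP cases are described there;
    other types return None (not stated)."""
    carp_names = {x.description for x in vips if x.type == "carp"}
    if v.type == "proxyarp":
        return False                      # would create an IP conflict on the peer
    if v.type == "ipalias":
        # Syncs only when stacked on a CARP VIP or bound to Localhost.
        return v.interface == "localhost" or v.interface in carp_names
    return None


# Constructed sample configuration: WAN is 203.0.113.0/29 on the wire and the
# provider routes 198.51.100.0/27 to the WAN address.
SAMPLE_VIPS = [
    VirtualIP("carp", "wan", "203.0.113.2/29", "WAN_CARP"),
    VirtualIP("ipalias", "WAN_CARP", "203.0.113.3/29", "alias-on-carp", binds_service=True),
    VirtualIP("other", "wan", "203.0.113.4/32", "bad-other"),            # rule 1
    VirtualIP("other", "wan", "198.51.100.0/29", "routed-block"),        # fine
    VirtualIP("proxyarp", "wan", "198.51.100.8/29", "svc-via-proxyarp", binds_service=True),  # rule 2
    VirtualIP("ipalias", "localhost", "198.51.100.16/29", "lo-alias"),
    VirtualIP("ipalias", "wan", "203.0.113.5/32", "wan-alias"),
]

if __name__ == "__main__":
    for line in lint_vips("203.0.113.1/29", SAMPLE_VIPS):
        print("FINDING:", line)
    for v in SAMPLE_VIPS:
        print(f"{v.description:18} syncs_to_peers={syncs_to_peers(v, SAMPLE_VIPS)}")
```

Run against the sample it reports two findings: the Other VIP inside the WAN subnet, and the Proxy ARP VIP that a local service was bound to. The routed Other block and the IP Alias stacked on `WAN_CARP` pass, and only the Localhost-bound and CARP-stacked aliases are reported as syncing to a peer.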