Score:0

Virtual IPs on pfSense


Setting up a new pfSense router, and I'm a bit confused on how to choose between IP Alias or Proxy ARP for my needs. I do not intend to set up HA, so I'm assuming CARP is unnecessary.

I have a public CIDR block (203.0.113.0/26) assigned from my ISP and configured as such:

Upstream Gateway: 203.0.113.1
Broadcast: 203.0.113.63
pfSense WAN: 203.0.113.2/26
Management LAN: 10.0.0.1/24
DMZ VLAN: 10.0.10.1/26

Goal: I want to route the remaining public IPs to virtual machines on the DMZ VLAN using 1:1 NAT. These servers will be public-facing web servers. I do plan to use pfBlockerNG to limit unwanted traffic.

Question: Which should be the preferred (or only) option for configuring the virtual IPs given the goal, and why? I've read through the pfSense documentation, but I'm still not 100% sure. Is there a definitive answer or are both acceptable methods?

https://docs.netgate.com/pfsense/en/latest/firewall/virtual-ip-addresses.html?highlight=virtual

Paul:
Welcome to Server Fault! Please use either your actual IP addresses or IP addresses reserved for documentation as outlined in RFC 5737. Using someone else's assigned IP addresses can make things confusing, especially when using popularly known assigned IP addresses.
Score:0

I have set up 1-to-1 NAT for public IP addresses multiple times, and I always use ProxyARP.

The primary difference between IP Aliases and ProxyARP is that aliases can also be bound to local services running on the pfSense machine. Since that is not what you are doing, there's no reason to set it up for that to be allowed. (Note that in addition to 1-to-1 NAT, ProxyARP addresses can also be used for individual port forwarding.)

One important note about setting up ProxyARP: with some providers, you can set up your pfSense to respond to the entire subnet with a single ProxyARP entry, but for other providers, you need to add an individual ProxyARP entry for each public IP. I don't know why this is, but I have found it to be true with multiple providers.

Justin Buckley:
Thank you for the reply! In regard to your comment about individual port forwarding, does that mean creating a port forward rule, specifying the ProxyARP address as the destination? Also, about the Expansion option under the ProxyARP config: Disable expansion of this entry into IPs on NAT lists (e.g. 192.168.1.0/24 expands to 256 entries.) Is this effectively disabling the specification of the entire subnet, and instead registering it as a single host, or does that mean something different?
Answerer:
Yes, you can specify the ProxyARP address as the Destination Address for port forwarding. We use this along with 1-to-1 NAT so we can say "1-to-1 NAT this public IP address to one internal server except for these ports on that address that go to a different server."
Answerer:
I have never used the "Disable expansion" checkbox.
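The addressing and precedence decisions discussed in this answer and its comments, worked through as an added example (this is my own illustration, not pfSense code and not anything the answerer posted; it does not read or write config.xml). The public block, gateway and WAN address are the ones from the question; the DMZ hosts 10.0.10.10-12 and the TCP/25 carve-out are constructed. Two things are assumed rather than taken from the page: that a Proxy ARP range makes pfSense answer ARP for every address in it, so the range must exclude the ISP gateway and pfSense's own WAN address, and that a port forward on a 1:1-mapped address is consulted before the 1:1 entry, which is how the answerer describes using the two together.

```python
"""Plan Proxy ARP virtual IPs and 1:1 NAT for a public block on pfSense.

Added example: models the addressing and precedence decisions from the thread
(it is not pfSense code and does not touch config.xml). Addresses come from the
question; the DMZ hosts and the port-forward exception are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, summarize_address_range

PUBLIC_BLOCK = IPv4Network("203.0.113.0/26")   # ISP-assigned block (from the question)
UPSTREAM_GW = IPv4Address("203.0.113.1")       # ISP gateway, owns its own MAC on the WAN segment
PFSENSE_WAN = IPv4Address("203.0.113.2")       # pfSense's real WAN address, already answers ARP
RESERVED = (UPSTREAM_GW, PFSENSE_WAN)


def usable_vip_addresses(block: IPv4Network, reserved=RESERVED) -> list[IPv4Address]:
    """Addresses pfSense may answer ARP for as Proxy ARP VIPs.

    hosts() already drops the network and broadcast address (.0 and .63 for a
    /26); the gateway and pfSense's own WAN address are dropped explicitly,
    because another NIC on the segment already owns them and a Proxy ARP entry
    covering them would make pfSense answer ARP requests meant for that NIC
    (assumption: a Proxy ARP range answers for every address inside it).
    """
    return [ip for ip in block.hosts() if ip not in set(reserved)]


def proxyarp_network_entries(block: IPv4Network, reserved=RESERVED) -> list[IPv4Network]:
    """Smallest set of aligned CIDR ranges covering exactly the usable VIPs.

    One 'network' type Proxy ARP entry per range is the middle ground between
    a single whole-block entry (which would also cover the gateway) and one
    'single address' entry per public IP, which the answer says some
    providers require.
    """
    ips = usable_vip_addresses(block, reserved)
    entries: list[IPv4Network] = []
    start = prev = ips[0]
    for ip in ips[1:]:
        if int(ip) != int(prev) + 1:            # gap: a reserved address sits here
            entries.extend(summarize_address_range(start, prev))
            start = ip
        prev = ip
    entries.extend(summarize_address_range(start, prev))
    return entries


@dataclass
class NatPlan:
    """1:1 NAT mappings plus port-forward exceptions on the same public IPs."""
    one_to_one: dict[IPv4Address, IPv4Address]                       # public -> DMZ host
    port_forwards: list[tuple[IPv4Address, str, int, IPv4Address]]   # (public, proto, port, DMZ host)

    def resolve(self, dst: IPv4Address | str, proto: str, port: int) -> IPv4Address | None:
        """Internal host that an inbound packet to dst:port reaches.

        The port forward is consulted before the 1:1 entry, mirroring the
        'everything 1:1 to one server except these ports' layout the answerer
        describes; that precedence is assumed here, not read from pf rules.
        """
        dst = IPv4Address(dst)
        for pub, p, prt, internal in self.port_forwards:
            if pub == dst and p == proto and prt == port:
                return internal
        return self.one_to_one.get(dst)

    def problems(self, block: IPv4Network = PUBLIC_BLOCK, reserved=RESERVED) -> list[str]:
        """Public addresses in the plan that no Proxy ARP VIP should cover."""
        ok = set(usable_vip_addresses(block, reserved))
        used = set(self.one_to_one) | {pf[0] for pf in self.port_forwards}
        return [f"{ip} is not a usable VIP in {block}" for ip in sorted(used - ok)]


def example_plan() -> NatPlan:
    """Constructed DMZ layout: two web VMs get a public IP each via 1:1 NAT,
    and TCP/25 on the first public IP is carved out to a third VM."""
    web1, web2, mail = (IPv4Address(a) for a in ("10.0.10.10", "10.0.10.11", "10.0.10.12"))
    return NatPlan(
        one_to_one={IPv4Address("203.0.113.10"): web1, IPv4Address("203.0.113.11"): web2},
        port_forwards=[(IPv4Address("203.0.113.10"), "tcp", 25, mail)],
    )


if __name__ == "__main__":
    print(len(usable_vip_addresses(PUBLIC_BLOCK)), "single-address Proxy ARP entries, or")
    for net in proxyarp_network_entries(PUBLIC_BLOCK):
        print("  network entry:", net)
    plan = example_plan()
    print("tcp/443 ->", plan.resolve("203.0.113.10", "tcp", 443))
    print("tcp/25  ->", plan.resolve("203.0.113.10", "tcp", 25))
    print("problems:", plan.problems() or "none")
```

For the /26 in the question this yields 60 usable addresses, which can be entered as 60 single-address Proxy ARP VIPs or as nine network-type entries (203.0.113.3/32, .4/30, .8/29, .16/28, .32/28, .48/29, .56/30, .60/31, .62/32); either way the gateway .1 and the WAN address .2 stay out of every range. `problems()` is the check worth running before saving any 1:1 or port-forward rule: a mapping that names the gateway or the WAN address is flagged rather than silently turned into a VIP.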