Firewall – carp versus proxy arp

Tags: firewall, pf, pfsense, routing

Currently I have a redundant pfSense firewall system set up for our corporate server farm. The main router IPs are sharing an IP address through CARP. Our two public /27 networks are assigned as proxy ARP addresses to the WAN interfaces and are routed to the shared CARP address.

i.e.:
public carp: 10.10.10.10
firewall 1: 10.10.10.11
firewall 2: 10.10.10.12
network 172.31.1.0/27 routed to 10.10.10.10 
   (proxy arp network assigned to WAN in firewall)
network 172.31.2.0/27 routed to 10.10.10.10
   (proxy arp network assigned to WAN in firewall)

My question is, would it be a better practice to use CARP for those /27 networks? I'm reading a decent number of warnings that proxy ARPs can screw up traffic.

My redundancy lies in the firewall, so I don't think that CARP is necessary for the other networks. Any advice that is out there would be helpful.

Best Answer

Proxy ARP isn't going to break anything (assuming it's configured correctly; it's possible to screw up any type of IP configuration and break things). CARP and proxy ARP are just two different means of accomplishing the same end result. If you have redundant firewalls, or want to add a secondary in the future, use CARP. If you need anything running on the firewall itself to bind to the addresses, you have to use CARP (or IP aliases in 2.0). If you don't have a secondary and don't ever plan on adding one, and don't have a need to bind anything on the firewall to those IPs, it doesn't matter either way. Sometimes proxy ARP is preferable if you never want anything on the firewall to be able to bind to those IPs, when you're strictly using them for NAT.

The various virtual IPs and which to use where are covered in much more depth in http://pfsense.org/book
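For reference, here is the layout from the question expressed as the `<virtualip>` section of a pfSense config.xml: one CARP VIP for the shared WAN address and two proxy ARP "network" VIPs for the public /27s. This is an added illustration, not taken from the question, the answer or the pfSense project; the element names follow the pfSense 2.x config.xml layout as I know it, the vhid, advskew, password and the /24 WAN mask are placeholder assumptions, and the fragment should be checked against a backup exported from your own box before relying on it.

```xml
<virtualip>
  <!-- Shared public address owned by whichever node is CARP MASTER.
       vhid and password are placeholders; both nodes must use the same
       vhid/password, and only advskew differs (0 on firewall 1, 100 on
       firewall 2) so firewall 1 wins the election when both are up. -->
  <vip>
    <mode>carp</mode>
    <interface>wan</interface>
    <vhid>1</vhid>
    <advskew>0</advskew>
    <advbase>1</advbase>
    <password>CHANGEME</password>
    <subnet>10.10.10.10</subnet>
    <subnet_bits>24</subnet_bits>   <!-- assumed WAN mask -->
    <descr>Public CARP address (assumed)</descr>
  </vip>

  <!-- First public /27, answered by proxy ARP on WAN and used only for
       NAT; nothing on the firewall can bind to these addresses. -->
  <vip>
    <mode>proxyarp</mode>
    <interface>wan</interface>
    <type>network</type>
    <subnet>172.31.1.0</subnet>
    <subnet_bits>27</subnet_bits>
    <descr>Public block 1 (proxy ARP)</descr>
  </vip>

  <!-- Second public /27, same treatment. -->
  <vip>
    <mode>proxyarp</mode>
    <interface>wan</interface>
    <type>network</type>
    <subnet>172.31.2.0</subnet>
    <subnet_bits>27</subnet_bits>
    <descr>Public block 2 (proxy ARP)</descr>
  </vip>
</virtualip>
```

The only per-node difference in this fragment is `advskew`; everything else is identical on both firewalls, which is what lets the proxy ARP blocks follow the CARP address when the master fails over.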