Virtual IPs

Virtual IPs (VIPs) refer to a situation where an IP address does not correspond to a single physical interface. They are used in many scenarios, including the following:

  • NAT (including one-to-many NAT)
  • Scenarios where fault tolerance is needed (for example CARP)
  • Mobile usage scenarios, which allow a mobile user to keep a consistent virtual IP address even as their actual IP address changes

To add a VIP, navigate to Firewall | Virtual IPs and click on the Add button at the bottom of the table. pfSense offers four options for virtual IPs:

  • IP Alias
  • CARP
  • Proxy ARP
  • Other

Of these four options, we can state the following:

  • CARP, Proxy ARP, and Other were available with the earliest versions of pfSense. IP Alias is available with version 2.0 and higher.
  • All current options can be used with NAT.
  • CARP and IP Alias can be used by the firewall to bind and/or run services. Proxy ARP and Other cannot be used in such a way.
  • All options except Other generate ARP (Layer 2) traffic. This makes the Other option useful in scenarios where ARP traffic is not needed.
  • All options except Proxy ARP can be used for clustering. However, if IP Alias VIPs are used as part of a CARP VIP, then they must be inside the same subnet as the CARP VIP upon which they are placed.
  • As of version 2.2, all available options allow you to generate a VIP that is in a different subnet from the real interface IP. However, CARP VIPs did not support this feature prior to version 2.2, and it is recommended that you keep CARP VIPs on the same subnet for better connectivity and fewer potential issues.
  • For CARP, the subnet mask must match the interface IP's subnet mask. For IP Alias, the subnet mask should match the interface IP or be /32. If the IPs are in different subnets from the original IP address, then at least one IP Alias VIP must have the correct mask for the new subnet.
  • CARP and IP Alias will respond to ICMP ping attempts if the firewall rules allow it; Proxy ARP and Other will not respond to ICMP ping attempts.
  • CARP and IP Alias VIPs must be added individually; Proxy ARP and Other may be added individually or as a VIP subnet.

To create a VIP, follow these steps:

  1. First select one of the four options.
  2. Then select a physical interface in the Interface drop-down box.
  3. If you selected Proxy ARP or Other, you may select either Single address or Network in the Address type drop-down box.
  4. If you selected CARP or IP Alias, you can only add a VIP individually, so this option will be disabled. In the Address(es) edit box, enter the VIP or virtual subnet; you also need to specify the CIDR mask here. The following options are only available if you selected CARP:
    • For CARP VIPs, you must enter a Virtual IP Password, which can be whatever you like.
    • The next option is the VHID Group drop-down box. Each VIP which is to be shared on multiple nodes must use a unique Virtual Host ID group (VHID), and it must also be different from any VHIDs in active use on any directly connected network interface. If you are not currently using CARP or Cisco's Virtual Router Redundancy Protocol (VRRP) on any other nodes, you can use 1 as your VHID. The next option is the Advertising Frequency drop-down box.
    • The Advertising Frequency value should correspond to this node's role in the network. The master should be set to 1; a backup should be set to 2 or higher.
    • The next parameter is the Skew drop-down, which controls how often (in seconds) the node advertises that it is a member of the redundancy group. Specifying a lower number tends to ensure that this node, if it isn't a master already, will become master if the master node fails. This is the final option on the page that only applies to CARP VIPs.
  5. In the Description edit box, you can enter a brief, non-parsed description.
  6. When you are done, click on the Save button at the bottom of the page and then click on Apply Changes on the main Virtual IPs page. We will cover CARP in greater depth in Chapter 8, Redundancy and High Availability.
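The mask, VHID and subnet rules listed above (and the unique-VHID requirement from the CARP form) are easy to get wrong when several VIPs are added by hand. The following added example, which is not part of the book or of pfSense itself, encodes those rules as a small pre-check over a constructed VIP list; the interface address, VIP addresses and the dictionary keys (`type`, `address`, `addr_type`, `vhid`, `parent_carp`) are hypothetical and chosen for illustration only.

```python
import ipaddress

# Constructed sample data (hypothetical addresses): one LAN interface and a set of VIP definitions.
INTERFACE = "192.168.1.1/24"
VIPS = [
    {"type": "CARP", "address": "192.168.1.10/24", "vhid": 1},
    {"type": "CARP", "address": "192.168.1.11/25", "vhid": 1},   # wrong mask and duplicate VHID
    {"type": "IP Alias", "address": "192.168.1.20/32"},
    {"type": "IP Alias", "address": "192.168.1.21/32", "parent_carp": "192.168.1.10/24"},
    {"type": "IP Alias", "address": "10.9.8.1/32"},              # new subnet, no alias carries its mask
    {"type": "Proxy ARP", "address": "198.51.100.0/29", "addr_type": "Network"},
    {"type": "IP Alias", "address": "192.168.1.0/24", "addr_type": "Network"},  # aliases are single only
]

def validate_vips(interface_cidr, vips):
    """Check VIP definitions against the rules described in the text; returns a list of findings."""
    iface = ipaddress.ip_interface(interface_cidr)
    findings, vhids, outside_aliases = [], {}, []
    for v in vips:
        kind, vip = v["type"], ipaddress.ip_interface(v["address"])
        host_mask = vip.max_prefixlen  # /32 for IPv4 (the text's "/32" rule), /128 for IPv6
        if kind in ("CARP", "IP Alias") and v.get("addr_type", "Single") != "Single":
            findings.append(f"{vip}: {kind} VIPs must be added individually, not as a network")
        if kind == "CARP":
            if vip.network.prefixlen != iface.network.prefixlen:
                findings.append(f"{vip}: CARP mask must match the interface mask /{iface.network.prefixlen}")
            if vip.ip not in iface.network:
                findings.append(f"{vip}: CARP VIP outside the interface subnet is not recommended")
            vhid = v.get("vhid")
            if vhid in vhids:
                findings.append(f"{vip}: VHID {vhid} is already used by {vhids[vhid]}")
            vhids.setdefault(vhid, vip)
        elif kind == "IP Alias":
            if vip.ip in iface.network:
                if vip.network.prefixlen not in (host_mask, iface.network.prefixlen):
                    findings.append(f"{vip}: IP Alias mask must be /{host_mask} or match the interface mask")
            else:
                outside_aliases.append(vip)
            parent = v.get("parent_carp")
            if parent and vip.ip not in ipaddress.ip_interface(parent).network:
                findings.append(f"{vip}: IP Alias on CARP VIP {parent} must be in that CARP VIP's subnet")
    # Aliases in a new subnet: at least one of them must carry that subnet's real mask.
    carriers = [a.network for a in outside_aliases if a.network.prefixlen != a.max_prefixlen]
    for a in outside_aliases:
        if a.network.prefixlen == a.max_prefixlen and not any(a.ip in n for n in carriers):
            findings.append(f"{a}: no IP Alias carries the mask of this new subnet")
    return findings

if __name__ == "__main__":
    for line in validate_vips(INTERFACE, VIPS):
        print(line)
```

Running the sample reports four findings (the bad CARP mask, the duplicate VHID, the network-type alias, and the orphaned 10.9.8.1 alias); a clean VIP list returns an empty list.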