Virtual IP Address Feature Comparison

This document summarizes and compares capabilities of the different Virtual IP Address types.

See Virtual IP Addresses for detailed information about each type of VIP.

VIP Features Table

Virtual IP Address Feature Comparison

VIP Type

NAT

Binding

ARP/L2

Clustering

Subnet Mask

ICMP

Single/Range

IP Alias

Yes

Yes

Yes

See Notes

See Notes

Yes

Single

CARP

Yes

Yes

Yes

Yes

Yes

Yes

Single

Proxy ARP

Yes

No

Yes

No

n/a

No (1)

Either

Other

Yes

No

No

Yes (2)

n/a

No (1)

Either

Notes:

  1. The ICMP column represents responses from the firewall itself without NAT. With 1:1 NAT or port forwards, any VIP will pass ICMP through to the target device.

  2. “Other” type VIPs are for routed subnets, and CARP is irrelevant, so they are compatible with HA (See below)

Virtual IP Feature Summary

It is difficult to express all details of VIP capabilities in a table format, so this section contains a more thorough overview of the various types and what they can/cannot do a bullet point format.

IP Alias

  • Can be used for NAT.

  • Can be used by the firewall itself to bind/run services.

  • Adds extra IP addresses to an interface.

  • Generates ARP (Layer 2) responses for the VIP address.

  • Can be in a different subnet than the real interface IP address when used directly on an interface.

  • Will respond to ICMP ping if allowed by firewall rules.

  • Must be added individually

  • Subnet mask should match the interface IP, or /32. Matching the interface subnet is best. For IP addresses in different subnets at least one IP alias VIP must have the correct mask for the new subnet.

  • Can be stacked on top of a CARP VIP to bypass VHID limits and lower the amount of CARP heartbeat traffic.

    • Stacked IP Alias VIPs will synchronize via XMLRPC.

    • Stacked IP Alias VIPs must be inside the same subnet as the CARP VIP upon which they are placed.

  • Can be added to localhost for binding services in routed subnets. IP Alias VIPs bound to localhost will synchronize via XMLRPC

CARP

  • Can be used for NAT.

  • Can be used by the firewall itself to bind/run services.

  • Generates ARP (Layer 2) traffic for the VIP.

  • Can be used for clustering (master firewall and standby failover firewall.)

  • CARP VIPs may be in other subnets.

  • Will respond to ICMP ping if allowed by firewall rules.

  • Must be added individually.

  • Subnet mask must match the interface IP address.

  • Generates its own MAC address for the VIP. This MAC is different than its physical parent interface.

Proxy ARP

  • Can be used for NAT.

  • Cannot be used by the firewall itself to bind/run services.

  • Generates ARP (Layer 2) traffic for the VIP.

  • Can be in a different subnet than the real interface IP.

  • Will not respond to ICMP ping.

  • Can be added individually or as a subnet to make a group of VIPs.

Other

  • Can be used for NAT.

  • Cannot be used by the firewall itself to bind/run services.

  • Can be used if the address is routed to the firewall without needing ARP/Layer 2 messages. (e.g. Upstream provider routes a subnet to the WAN IP address)

  • Can be in a different subnet than the real interface IP address.

  • Will not respond to ICMP echo requests.

  • Can be added individually or as a subnet to make a group of VIPs.

  • Can be used with CARP, e.g. subnet routed to external CARP VIP.