Fail-over IPs are IPs that you can assign to any host server you have with OVH. When the host fails, assign the IP to another one running the same service and OVH will route traffic to this new host. It is your job to make your host and the firewall in front of it (if any) handle this extra IP. This helps to guarantee continuity of service!
First remember the network schema I use for testing. I want to add the fail-over IP 192.168.168.2 to my WEB server running on 10.0.0.2.
I have 3 possibilities:
First, I create an IP Alias for 192.168.168.2 on the WAN side to allow the firewall to reply to ARP requests on this side:
Then I create a 1 on 1 rule to forward traffic up to IP 10.0.0.2.
Now I have to update my filter rules to let traffic for this new address pass through. I have two ways:
I create a webserver host alias and assign it both addresses: 10.0.0.2 and 192.168.168.2.
Then I use the name webserver instead of IP 10.0.0.2 in all my firewall rules:
Because this is NAT, you don't need to assign IP 192.168.168.2 to your host.
I won't detail this solution too much; in short:
If you need to forward more ports, add more NAT rules. Because this is NAT, you don't need to assign IP 192.168.168.2 to your host. You can even forward different ports to different hosts inside your DMZ.
I like routing, but not this time! This was my first choice for version 1.2.X, but the setup is a little trickier this time because of changes in the routing interface! Use it only if you need routing instead.
I have to add a route that brings packets for 192.168.168.2 on the WAN side to 10.0.0.2 on the DMZ side. One operation was required using 1.2.X; pfSense 2.0 requires 3! First add a Proxy ARP entry to reply to ARP requests for 192.168.168.2 on the WAN side:
Second, add 10.0.0.2 to the gateway list.
And last, set up the route for host 192.168.168.2:
Now I have to update filter rules to let traffic for this new address pass through. Look at 1 on 1 above to see how I do it.
Finally, don't forget to assign IP 192.168.168.2 to your host.
The server has 2 IPs. To answer requests from outside, it will use the same source address as the destination address in the original request. This is fine! But to open new connections it will choose the IP depending on the outgoing route. And because the default gateway is 10.0.0.1, it will use 10.0.0.2. This is not very nice. Some applications allow forcing the source IP, but not all. Using source NAT would make the use of 10.0.0.2 useless, because replies would always come from 192.168.168.2 even if the destination was 10.0.0.2, and the remote source would not understand why it gets a reply from 10.0.0.2 instead of 192.168.168.2. So choose 1 on 1 instead!
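The source-address behaviour described above can be observed directly. This is an added example, not part of the original post: it shows the address the kernel picks from the outgoing route, and what the peer sees when an application forces the source IP by binding before it connects. It assumes Linux, where every address in 127.0.0.0/8 is local, so the constructed addresses 127.0.0.1 and 127.0.0.2 stand in for 10.0.0.2 and 192.168.168.2; the function names are hypothetical.

```python
import socket


def route_selected_source(dest_ip, dest_port=80):
    """Return the local IP the kernel picks for new traffic to dest_ip.

    connect() on a UDP socket only does the route lookup and fixes the
    local address; no packet is sent.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((dest_ip, dest_port))
        return s.getsockname()[0]


def peer_view(listen_ip, source_ip=None):
    """Open a TCP connection to a local listener and return the source
    IP as seen by the accepting side.

    source_ip=None leaves the choice to the routing table (the default
    behaviour); otherwise the client socket is bound to source_ip
    first, which is what "forcing the source IP" means in practice.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.settimeout(5)
        srv.bind((listen_ip, 0))          # port 0: kernel picks a free port
        srv.listen(1)
        target = srv.getsockname()
        src = (source_ip, 0) if source_ip else None
        with socket.create_connection(target, timeout=5, source_address=src):
            conn, peer = srv.accept()
            conn.close()
            return peer[0]


if __name__ == "__main__":
    # Constructed stand-ins: 127.0.0.1 plays 10.0.0.2 (route-selected),
    # 127.0.0.2 plays the fail-over IP 192.168.168.2 (forced).
    print("route-selected source:", route_selected_source("127.0.0.1"))
    print("peer sees (default): ", peer_view("127.0.0.1"))
    print("peer sees (forced):  ", peer_view("127.0.0.1", "127.0.0.2"))
```

On the real server the forced address would be 192.168.168.2, and binding to it only succeeds once that IP is assigned to the host, as in the routing setup.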