You've made two contradictory statements here:
1) you want to know how to *change* a WAN interface, but
2) "We're moving it over from another firewall..."

Which is it?
Why do you need to do things one step at a time? Again, that contradicts #2, above.
Also, how much downtime is acceptable?
You also mention VRRP - pfSense doesn't do VRRP; it does CARP. Is the VRRP from the old firewall? Are you in fact setting up redundant firewalls, or are you just using CARP as a convenient way to establish additional IP addresses? If you're moving to a new firewall, why do you have it connected directly to the old WAN at all?

Right now, it sounds like you're worrying about trivial items (e.g. source IP addresses) without having a good big-picture grasp on the process first. Who cares what source IP address gateway-monitoring ICMP packets or DNS packets come from? I assume anything originating from the firewall will by default use the primary interface IP, but I don't know for sure - that stuff "Just Works" regardless of which IP address it originates from.

I'll stop here for now until you've addressed the contradiction.

-Adam



On 14-08-06 10:29 AM, Adam Williams wrote:
Hello!

I need to change the WAN interface address to one that is on another
subnet. I need to end up getting off the 50.31.0.0 network altogether,
ultimately, but need to do so one step at a time. However, I'm
concerned that I don't quite understand the implications of changing
the WAN primary IP address. I would very much appreciate any guidance
you might offer.

Suppose the following current configuration of IP addresses on the WAN
interface:

   WAN 50.31.0.14
   GW 50.31.0.1
   ALIAS 50.31.0.25
   CARP 50.31.0.71

* Gateway is monitored using SRC 50.31.0.14 ICMP
* DNS forwarding is configured, so SRC 50.31.0.14 UDP
* VRRP packets are SRC 50.31.0.14 TCP
* Clients are connecting to 50.31.0.71 (the CARP address)
* Outbound connections are masqueraded as 50.31.0.71 (the CARP address)

I want to begin the migration by changing the WAN interface address
to, say, 87.54.0.34. Here is what I imagine the configuration needs to
become:

   WAN 87.54.0.34
   GW2 87.54.0.29
   GW (default) 50.31.0.1
   ALIAS 50.31.0.25
   CARP 50.31.0.71

My first question would be, will this work? More specifically, what
will be the SRC IP address of a) the gateway monitoring, b) the DNS, and
c) the VRRP traffic?

The gateway monitoring traffic would have to choose the ALIAS address
for GW, and the WAN address for GW2; the routes to those subnets would
be used (a direct link). It seems the DNS traffic would end up with
SRC 87.54.0.34; the default gateway is not on the same subnet and
would therefore drop the packets. Would VRRP traffic for 50.31.0.71
choose the ALIAS address, since it's the only one on the subnet of the
CARP address?

However, perhaps complicating things, we do not yet have the subnet of
the new WAN IP address routing over our uplink. We're moving it over
from another firewall and want to preconfigure this firewall as much
as possible to host the new subnet, so that we might minimize downtime
for connections to 87.54.0.34. Therefore, we cannot yet receive
packets at 87.54.0.34; the gateway 87.54.0.29 is unreachable.

Will this plan work at all, or is the role of the WAN address so
critically important that we really cannot preconfigure it for a new
subnet like this?

Please let me know if this is not clear enough to help.

Thank you!
_______________________________________________
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list


--
-Adam Thompson
 athom...@athompso.net
 Cell: +1 204 291-7950
 Fax: +1 204 489-6515
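As an added example that is not part of either message in this thread (and not pfSense's own code), the following Python model enumerates the source-address question Adam Williams raises and flags which flows would lose their replies while the new subnet is still routed to the old firewall. It assumes /24 masks for both WAN subnets, models two hypothetical selection rules ("onlink": use the local address sharing the next hop's subnet; "primary": always use the interface's primary address), leaves the CARP VIP out of source selection on the assumption that outbound NAT handles it, and uses a constructed upstream resolver address (198.51.100.53).

```python
import ipaddress

# Constructed from the proposed configuration in the thread; /24 masks are assumed.
LOCAL_ADDRS = {
    "WAN":   ipaddress.ip_interface("87.54.0.34/24"),
    "ALIAS": ipaddress.ip_interface("50.31.0.25/24"),
}
# CARP 50.31.0.71 is deliberately omitted: assumed to be applied by outbound NAT,
# not by the kernel's source-address choice.
ROUTES = [  # (prefix, next hop or None when on-link); default route via GW 50.31.0.1
    (ipaddress.ip_network("87.54.0.0/24"), None),
    (ipaddress.ip_network("50.31.0.0/24"), None),
    (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address("50.31.0.1")),
]
# The new subnet is still hosted by the old firewall, so replies to it never reach us.
NOT_YET_ROUTED = [ipaddress.ip_network("87.54.0.0/24")]

def next_hop(dst):
    """Longest-prefix match; an on-link route returns the destination itself."""
    dst = ipaddress.ip_address(dst)
    pfx, gw = max((r for r in ROUTES if dst in r[0]), key=lambda r: r[0].prefixlen)
    return gw if gw is not None else dst

def select_source(dst, rule):
    """Hypothetical source-selection rules (a model, not pfSense's behaviour):
    'onlink'  - prefer the local address whose subnet contains the next hop;
    'primary' - always use the interface's primary (WAN) address."""
    hop = next_hop(dst)
    if rule == "onlink":
        for name, ifa in LOCAL_ADDRS.items():
            if hop in ifa.network:
                return name, str(ifa.ip)
    return "WAN", str(LOCAL_ADDRS["WAN"].ip)

def flows_at_risk(flows, rule):
    """Return (label, dst, src) for flows whose chosen source lives in a subnet
    that is not yet routed to this firewall: their replies go to the old box."""
    risky = []
    for label, dst in flows:
        _name, src = select_source(dst, rule)
        if any(ipaddress.ip_address(src) in n for n in NOT_YET_ROUTED):
            risky.append((label, dst, src))
    return risky

FLOWS = [("gateway monitor GW", "50.31.0.1"),
         ("gateway monitor GW2", "87.54.0.29"),
         ("DNS forwarder", "198.51.100.53")]  # constructed upstream resolver

if __name__ == "__main__":
    for rule in ("onlink", "primary"):
        print(rule, flows_at_risk(FLOWS, rule))
```

Under the "onlink" rule only the GW2 monitor is stranded (which matches the note that 87.54.0.29 is unreachable); under the "primary" rule every firewall-originated flow is, which is the failure mode worth confirming with a packet capture before committing the change.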

