Adam, thank you for your time and questions.

On Wed, Aug 6, 2014 at 12:04 PM, Adam Thompson <athom...@athompso.net> wrote:

> You've made two contradictory statements here:
> 1) you want to know how to *change* a WAN interface, but
> 2) "We're moving it over from another firewall..."

I've got two firewalls, F1 and F2, facing the public internet, each
hosting different public subnets, N1 and N2. There are computers
behind them which are dual-homed - connected to both firewalls. I want
to make F2 host both N1 and N2, decommissioning F1. Then I'll
decommission N2. Since I want to decommission N2, I thought I should
make the WAN interface of F2 configured for N1.

> Why do you need to do things one step at a time?  Again, that contradicts
> #2, above.

I want to configure 87.54.0.34 (N1) on F2 before having the IP
addresses moved from F1, because of the acceptable downtime of...

> Also, how much downtime is acceptable?

about 60 seconds. Hopefully my following answers will clarify how I
think this can be done.

> You also mention VRRP - pfSense doesn't do VRRP, it does CARP.  Is the VRRP
> from the old firewall?

It may be the uplink switches are making these VRRP advertisements. I
realize I do not understand perfectly how the protocol is implemented,
and assumed there was a relationship with CARP, though it's clear
enough now that they are different tech solving similar problems. I
suppose I need to read up on VRRP to understand why my F2 WAN address
(50.31.0.14) is the SRC address of these advertisements.

> Are you in fact setting up redundant firewalls, or
> are you just using CARP as a convenient way to establish additional IP
> addresses?

Once I have the configuration I want, I will be adding another pfSense
firewall as a sync slave of F2.

> If you're moving to a new firewall, why do you have it connected directly to
> the old WAN at all?

The switches our old VLANs operated on are being replaced. There were
new VLANs created on the new switches, and the computers were made to
be dual-homed for a time so I could work through getting all the
services running over the new switch VLANs/subnets. F2 is the firewall
of the new switch VLANs/subnets. Now that the computers behind the
firewalls are communicating over the new switches through F2, I'm
ready to move the IP addresses of F1 over, as I've mentioned. The ONLY
reason we need the old WAN on F2 at all is because outbound
connections to third parties must come from addresses in the old WAN.
That is happening today because the computers are still routing
Internet-bound connections through F1.

Does this clarify things?

> Right now, it sounds like you're worrying about trivial items (e.g. source
> IP addresses) without having a good big-picture grasp on the process first.
> Who cares what source IP address gateway-monitoring ICMP packets or DNS
> packets come from?

I really don't care at all, except that I thought this information
would be useful to demonstrate that the SRC address is currently the
primary address (source address selection). When the primary address
of the WAN interface becomes an IP address which is not known to the
default gateway of F2, I have no reason to think that packets now
having the N1 address will go anywhere. F2 cannot yet reach the
gateway of N1.

F1 must hold the N1 address until the last moment, since the computers
are still routing Internet-bound connections through F1, and I do not
believe I have the option of having F1 and F2 on the same uplink both
claiming the N1 address.

> I assume anything originating from the firewall will by
> default use the primary interface IP, but I don't know for sure - that stuff
> "Just Works" regardless of which IP address it originates from.

I would assume the same thing, and I even think we can say this is the
case based on the SRC IP address of the aforementioned packets. Again,
if the WAN primary address is one not on the subnet of the default
gateway, I believe it will be dropped; the gateway of N1 is not yet
reachable.

If I am able to put F2 in a position where it's nearly completely
configured to host N1, such that I can have N1 moved to F2, change
outbound NAT on F2 to use the address of N1, use N1 as the default
gateway of F2, and immediately change the routing of the computers
behind the firewall so that they make Internet-bound connections
through F2, I'll be happy. If I have to move N1 to F2 before I can
configure F2 this way, downtime will be longer.

> I'll stop here for now until you've addressed the contradiction.
>
> -Adam

Again, thank you for your time and for asking for clarification!

Adam Williams
_______________________________________________
List mailing list
List@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/list
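The concern raised above (that firewall-originated traffic such as gateway monitoring and DNS uses the primary WAN address, and that the default gateway is unreachable from an address on a different subnet) can be checked before touching the real interface. The following is an added illustration, not code from this thread or from pfSense: it models source-address selection as "first-listed address wins" and tests whether the default gateway is on-link for that address. The /24 masks and the gateway addresses are assumptions; the thread only gives the two host addresses.

```python
import ipaddress

# Constructed sample values. The two host addresses come from the thread;
# the /24 masks and the gateway addresses are assumed for the illustration.
OLD_WAN = "50.31.0.14/24"     # N2, currently the primary address on F2
NEW_WAN = "87.54.0.34/24"     # N1, the address to be moved over from F1
N2_GATEWAY = "50.31.0.1"      # assumed default gateway for N2
N1_GATEWAY = "87.54.0.1"      # assumed default gateway for N1


def on_link(address_with_prefix: str, gateway: str) -> bool:
    """True if the gateway lies inside the subnet of this interface address,
    i.e. the firewall can ARP for it directly from that address."""
    iface = ipaddress.ip_interface(address_with_prefix)
    return ipaddress.ip_address(gateway) in iface.network


def check_default_route(wan_addresses, default_gateway):
    """Model the thread's worry: locally originated packets use the primary
    (first-listed) WAN address. Report which source would be used, whether the
    default gateway is on-link for it, and which other configured addresses
    could reach that gateway instead."""
    primary = wan_addresses[0]
    reachable = on_link(primary, default_gateway)
    alternatives = [a for a in wan_addresses[1:] if on_link(a, default_gateway)]
    return {
        "source": str(ipaddress.ip_interface(primary).ip),
        "gateway_on_link": reachable,
        "alternatives": alternatives,
    }


def migration_plan():
    """Walk the two orderings discussed in the thread and return the result of
    each, so the unsafe ordering is visible before any change is made."""
    return {
        # Today: N2 address is primary, default gateway is N2's gateway.
        "today": check_default_route([OLD_WAN, NEW_WAN], N2_GATEWAY),
        # Making N1 primary while the default gateway is still N2's gateway:
        # the primary address cannot reach that gateway.
        "n1_primary_gw_unchanged": check_default_route([NEW_WAN, OLD_WAN], N2_GATEWAY),
        # After N1 is actually moved and the default gateway switched to N1's.
        "n1_primary_gw_switched": check_default_route([NEW_WAN, OLD_WAN], N1_GATEWAY),
    }


if __name__ == "__main__":
    for step, result in migration_plan().items():
        status = "ok" if result["gateway_on_link"] else "UNREACHABLE"
        print(f"{step:28s} src={result['source']:14s} gateway {status} "
              f"alternatives={result['alternatives']}")
```

Run it as-is to see that the middle step (N1 primary, gateway still on N2) is the one where the firewall's own traffic would have no on-link next hop; the final step clears once the default gateway is switched along with the address.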