Re: [pfSense] Running as a VM, multiple WAN subnets
Chris L wrote on Fri, Feb 27 2015 at 12:10 pm:

> Hopefully the provider can just route the additional subnet to your existing WAN IP. Then you don't need to do anything with CARP/HA except make sure primary and secondary are both set up to deal with the routed traffic.

I think sleep deprivation gets worse after 40...due to a 1-year-old in my case. After I straightened out some things in my head, the above is what we're pursuing with the DC. It will take a /29 block for the WAN (to get 3 IPs) plus a separate block for the LAN side. I'm also looking at using one of the unused IPs from the /29 to provide NAT to a separate network on private IPs.

--
Thanks all,

Steve Yates
ITS, Inc.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] Running as a VM, multiple WAN subnets
> Using CARP implies that you care about reliability during edge cases and partial failures. If so, then you need to do it right and use 3 IPs where you want 1 CARP.

I hear you. I guess part of me just dislikes the possibility of wasting 12 or 18 IPs (6 per subnet) a few years down the road, and yet getting a block of 128 that might never get used is possible also... Just wanted to make sure I wasn't missing something.

Steve
Re: [pfSense] Running as a VM, multiple WAN subnets
So if you don't wind up using them for CARP, use them for something else. Get a smaller subnet from your provider and give back the original subnet. If you have multiple subnets, the provider-facing one should not be used for published services; in fact those addresses don't even have to be public IPs!

-Adam

On March 2, 2015 7:32:06 PM CST, Steve Yates st...@teamits.com wrote:

>> Using CARP implies that you care about reliability during edge cases and partial failures. If so, then you need to do it right and use 3 IPs where you want 1 CARP.
>
> I hear you. I guess part of me just dislikes the possibility of wasting 12 or 18 IPs (6 per subnet) a few years down the road, and yet getting a block of 128 that might never get used is possible also... Just wanted to make sure I wasn't missing something.
>
> Steve
Re: [pfSense] Running as a VM, multiple WAN subnets
Steve,

Unless you want to impose significant limitations on yourself, you will need a total of 3 IPs for every CARP interface. I've run systems with single-IP CARP, and unless you have absolutely no choice, it's not worth the headache.

The unanswered question is how your provider will do routing, and how you expect to accomplish this scenario without NAT. It's too early in the morning for me to figure out your topology right now...

-Adam

On March 2, 2015 1:05:07 AM CST, Steve Yates st...@teamits.com wrote:

> Chris L wrote on Fri, Feb 27 2015 at 3:34 pm:
>
>> On Feb 27, 2015, at 12:37 PM, Steve Yates wrote:
>>
>>> Chris L wrote on Fri, Feb 27 2015 at 12:10 pm:
>>>
>>>> Hopefully the provider can just route the additional subnet to your existing WAN IP. Then you don't need to do anything with CARP/HA except make sure primary and secondary are both set up to deal with the routed traffic.
>>>
>>> Would that require three LAN side public IPs for the two firewalls out of that second subnet also?
>>
>> It depends on what you want to do with them. If pfSense just routes them to another IP address, then no. You only need 3 IPs when you have to create a pfSense interface with HA.
>
> It's been a long weekend and I'm missing something that's probably obvious...the scenario is: no NAT, multiple public IPs in use on the LAN side from two different subnets, and pfSense acting as a firewall.
>
> Subnet 1 would need a shared CARP IP and officially two others for WAN on both firewalls (but see below) and the same thing duplicated on the LAN side. The servers on subnet 1 would use the CARP LAN IP from subnet 1 as their gateway.
>
> If subnet 2 is routed by the data center to subnet 1's CARP IP, then the way I read the docs it will get to pfSense if I set up an "Other" virtual IP type, correct? Does pfSense then need to use a public IP Alias from subnet 2 on its LAN side CARP interface to be the gateway for subnet 2? Or if I read the IP Alias section a few more times, does it mean that it would still need the three public IPs for three LAN side aliases (aliases on the two interfaces plus a third alias for the CARP LAN interface)?
>
> I found this forum thread which points out that, as you suggested in another message, using three public IPs on the WAN side (and hopefully the LAN side) is apparently not required in v2.2:
> https://forum.pfsense.org/index.php?topic=87546.0
>
> However I found another post which says in part, "Without valid IPs on both, the secondary will not be able to independently check for updates or install packages. There would also be no way to directly manage the secondary from a remote location. It couldn't do DNS resolution to a remote DNS server, or even sync its clock to a remote time server."
> https://forum.pfsense.org/index.php?topic=73584.msg404834#msg404834
>
> ...So those are good points. However does that mean only the second firewall would need a WAN side public IP? (Presumably the master would use the CARP WAN IP for its communication while it is online.) Regarding remote management, my tentative plan was to VPN to the CARP IP to access the firewalls from the LAN side.
>
> --
> Steve Yates
> ITS, Inc.
Re: [pfSense] Running as a VM, multiple WAN subnets
Steve Yates wrote on Mon, Mar 2 2015 at 1:05 am:

> the scenario is: no NAT, multiple public IPs in use on the LAN side from two different subnets, and pfSense acting as a firewall.

I received an email directly...to perhaps shorten my example, if we have two public subnets 1.1.1.0/28 and 2.2.2.0/28, I would like to use both of those subnets on different servers, use pfSense as the firewall, and use CARP. Is there a way to do that and minimize the number of IPs used? The easy/default way it seems would be to use 6 public IPs from each subnet, 3 for CARP on the WAN side, 3 for CARP on the LAN side, and duplicate that for the second subnet.

--
Steve Yates
ITS, Inc.
Re: [pfSense] Running as a VM, multiple WAN subnets
Steve Yates wrote on Mon, Mar 2 2015 at 9:09 am:

> I received an email directly...to perhaps shorten my example, if we have two public subnets 1.1.1.0/28 and 2.2.2.0/28, I would like to use both of those subnets on different servers, use pfSense as the firewall, and use CARP. Is there a way to do that and minimize the number of IPs used?

Having had more coffee...by "on different servers" let's assume 8 IPs in each subnet would be in use. I'm trying to plan for a couple years down the road when we need more IPs from the data center, to see if it's better to get a larger block now even though it won't all be used for a while.

--
Steve Yates
ITS, Inc.
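An added address-budget planner for the scenarios discussed in this thread (example code, not from the thread or the pfSense project). It assumes that each pfSense interface carrying a CARP VIP consumes the VIP plus one real address per node (3 in total, as Adam and Chris state), that the provider's gateway occupies the first usable address of a block, and that the 203.0.113.0/29 WAN block is constructed; the 1.1.1.0/28 example subnet is the one Steve used above.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

# pfSense HA: an interface carrying a CARP VIP consumes the shared VIP plus one
# real address on the primary and one on the secondary node (3 in total).
ADDRS_PER_CARP_INTERFACE = 3
CarpTriple = Tuple[IPv4Address, IPv4Address, IPv4Address]  # (vip, primary, secondary)

@dataclass
class BlockPlan:
    network: IPv4Network
    gateway: Optional[IPv4Address]   # provider's router, when it lives in this block
    carp: Dict[str, CarpTriple]      # interface name -> addresses the triple consumes
    servers: List[IPv4Address]
    spare: List[IPv4Address]

def plan_block(cidr: str, carp_interfaces: List[str], server_count: int,
               provider_gateway: bool = True) -> BlockPlan:
    """Allocate a block: gateway first, then CARP triples, then servers.
    Raises ValueError if it does not fit, so an over-committed plan fails loudly."""
    net = IPv4Network(cidr)
    pool = list(net.hosts())               # network and broadcast already excluded
    gateway = pool.pop(0) if provider_gateway else None  # assumption: first usable
    needed = ADDRS_PER_CARP_INTERFACE * len(carp_interfaces) + server_count
    if needed > len(pool):
        raise ValueError(f"{cidr}: need {needed} addresses after the gateway, "
                         f"only {len(pool)} usable")
    carp: Dict[str, CarpTriple] = {}
    for name in carp_interfaces:
        carp[name] = (pool[0], pool[1], pool[2])
        del pool[:3]
    return BlockPlan(net, gateway, carp, pool[:server_count], pool[server_count:])

def spare_count(cidr: str, carp_interfaces: List[str], server_count: int) -> int:
    """Addresses left over after the plan, or -1 when the block is too small."""
    try:
        return len(plan_block(cidr, carp_interfaces, server_count).spare)
    except ValueError:
        return -1

if __name__ == "__main__":
    # Steve's default plan: WAN and LAN CARP triples plus 8 servers out of one /28.
    print("1.1.1.0/28, WAN+LAN CARP, 8 servers:", spare_count("1.1.1.0/28", ["WAN", "LAN"], 8))
    # Routed variant: the provider routes the block to the existing WAN VIP, so
    # only the LAN side of pfSense needs a triple from it.
    print("1.1.1.0/28, LAN CARP only, 8 servers:", spare_count("1.1.1.0/28", ["LAN"], 8))
    # Constructed /29 for the WAN side: gateway + one triple leaves two addresses.
    print("203.0.113.0/29 (constructed), WAN CARP:", spare_count("203.0.113.0/29", ["WAN"], 0))
```

Run as written, the default plan reports -1 (6 CARP addresses plus 8 servers do not fit in a /28 once the gateway is reserved), the routed variant leaves 2 spare addresses, and the /29 WAN block leaves 2, one of which matches Steve's idea of fronting an outbound NAT.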
Re: [pfSense] Running as a VM, multiple WAN subnets
Chris L wrote on Fri, Feb 27 2015 at 3:34 pm:

> On Feb 27, 2015, at 12:37 PM, Steve Yates wrote:
>
>> Chris L wrote on Fri, Feb 27 2015 at 12:10 pm:
>>
>>> Hopefully the provider can just route the additional subnet to your existing WAN IP. Then you don't need to do anything with CARP/HA except make sure primary and secondary are both set up to deal with the routed traffic.
>>
>> Would that require three LAN side public IPs for the two firewalls out of that second subnet also?
>
> It depends on what you want to do with them. If pfSense just routes them to another IP address, then no. You only need 3 IPs when you have to create a pfSense interface with HA.

It's been a long weekend and I'm missing something that's probably obvious...the scenario is: no NAT, multiple public IPs in use on the LAN side from two different subnets, and pfSense acting as a firewall.

Subnet 1 would need a shared CARP IP and officially two others for WAN on both firewalls (but see below) and the same thing duplicated on the LAN side. The servers on subnet 1 would use the CARP LAN IP from subnet 1 as their gateway.

If subnet 2 is routed by the data center to subnet 1's CARP IP, then the way I read the docs it will get to pfSense if I set up an "Other" virtual IP type, correct? Does pfSense then need to use a public IP Alias from subnet 2 on its LAN side CARP interface to be the gateway for subnet 2? Or if I read the IP Alias section a few more times, does it mean that it would still need the three public IPs for three LAN side aliases (aliases on the two interfaces plus a third alias for the CARP LAN interface)?

I found this forum thread which points out that, as you suggested in another message, using three public IPs on the WAN side (and hopefully the LAN side) is apparently not required in v2.2:
https://forum.pfsense.org/index.php?topic=87546.0

However I found another post which says in part, "Without valid IPs on both, the secondary will not be able to independently check for updates or install packages. There would also be no way to directly manage the secondary from a remote location. It couldn't do DNS resolution to a remote DNS server, or even sync its clock to a remote time server."
https://forum.pfsense.org/index.php?topic=73584.msg404834#msg404834

...So those are good points. However does that mean only the second firewall would need a WAN side public IP? (Presumably the master would use the CARP WAN IP for its communication while it is online.) Regarding remote management, my tentative plan was to VPN to the CARP IP to access the firewalls from the LAN side.

--
Steve Yates
ITS, Inc.
Re: [pfSense] Running as a VM, multiple WAN subnets
Steve Yates wrote on Fri, Feb 27 2015 at 12:29 pm:

> Two WAN IP, two LAN IP, and two more for sync.

And reading this, I didn't write what I meant, so to just correct it all: 3 WAN, 3 LAN, and 2 for sync.

--
Steve Yates
ITS, Inc.