On Sat, 2005-10-22 at 14:39 -0500, Randy B wrote:
> > Basically I'm concerned about "what if it fails?" - keeping same as
> > external IPs would allow me to simply take off pfSense and temporarily use
> > local firewalls. It is not great but better than having it down.
>
> After thinking further, I think I'd recommend the NAT, myself - that
> way, should one of your internal hosts fail, it would be a rather simple
> operation to map its external IP to another internal host's internal IP.

Right. My point is that in this case, if pfsense fails, I can't simply remove it and have my boxes directly available to the internet. This might sound strange and insecure, but I hope this will not need to happen. Plus, this is a hosting environment - these are Linux boxes which already do not have much stuff open outside, so the risks are not that high.

> You'd either set up a mapping between, say, 192.168.0.1/29 and your
> external block. pfSense would then map 192.168.0.1 to your first
> external up through 192.168.0.8 to your last; you could also do that
> mapping manually, it's really up to you. You'd still maintain the
> internal private IPs, and would probably want to set up your internal
> DNS to point to them instead of your external ones, but (depending on
> what firewall rules you set up) will have access to each one of them via
> their independent external IPs.

Right. I actually thought to use a load balancer for HA purposes - well, if it works as needed. Also, in the worst case scenario I can simply change the external address on the box - this is not a big problem as I have a "private" interface going.

> That, and I too recommend putting up two firewalls and CARPing between
> them - even with reasonably cheap hardware, you're going to get far
> greater reliability and easier maintenance than with one really
> expensive, really good piece of hardware. If your concern is
> availability, that, by far, is the way to go.

Right. I guess I will be looking at CARP later on if high availability does not prove to be enough.

I have a smaller, kind of hobby project which I'm to use this for, so if I can fix a problem in half an hour it is already good enough.