You do not have to NAT to use CARP, all you need is a linknet (/29 or
larger) and the other public IPs routed behind the linknet primary
IP.

Example.

subnet 1.2.3.0/29

1.2.3.1 = gateway ip for WAN interface
1.2.3.2 = CARP common ip for WAN interface
1.2.3.3 = real ip for WAN on firewall 1
1.2.3.4 = real ip for WAN on firewall 2

on opt1 you have subnet 1.2.4.0/26 or whatever you get.
(ISP sets up 1.2.4.1/26 to be routed to 1.2.3.2)

1.2.4.1 = CARP common IP for opt1
1.2.4.2 = real ip for opt1 on firewall 1
1.2.4.3 = real ip for opt1 on firewall 2
1.2.4.4-->1.2.4.62 = hosting servers (based on /26 mask)

Real servers have 1.2.4.1 as gateway and use 1.2.4.4 to 1.2.4.62 as IPs.

Then enable advanced outbound NAT and delete the rule for opt1 or if
you choose to use LAN interface for servers then delete the lan rule.
You can change the lan range to be public IPs if you like, but I
prefer to have the lan zone on a separate interface in this kind of
setup. It makes it easier to fix stuff if you mess up something, and
it's nice to have for a VPN setup to reach LAN (remote management
etc.)

-lsf
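The addressing scheme above, turned into a small planning helper (added example, not part of the original mail or of pfSense): given the ISP linknet and the routed public block, it derives the gateway, CARP common IPs, per-node real IPs and server range following the same first-usable-address convention as the example, and refuses plans where a subnet is too small for the CARP pair or where the two blocks overlap. The node count and the dictionary keys are my own choices.

```python
"""Derive and sanity-check a routed-subnet CARP addressing plan.

Convention assumed (matches the example in the mail): in the linknet the
first usable address is the ISP gateway, the second is the CARP common IP
and the next ones are the real IPs of the firewall nodes; in the routed
block the first usable address is the CARP common IP (the servers'
gateway), then one real IP per node, and the rest is for servers.
"""
from ipaddress import ip_network


def plan_carp_addressing(linknet: str, routed: str, nodes: int = 2) -> dict:
    """Return the address plan for a CARP cluster behind an ISP linknet.

    linknet: the ISP-facing subnet (/29 or larger for a two-node pair).
    routed:  the public block the ISP routes to the linknet CARP IP.
    nodes:   number of firewall nodes sharing the CARP addresses.
    """
    ln = ip_network(linknet, strict=True)
    rt = ip_network(routed, strict=True)
    if ln.overlaps(rt):
        raise ValueError("linknet and routed block must not overlap")
    # Linknet needs gateway + CARP common IP + one real IP per node.
    ln_hosts = list(ln.hosts())
    if len(ln_hosts) < 2 + nodes:
        raise ValueError(f"{linknet} too small: need gateway, CARP IP and {nodes} real IPs")
    # Routed block needs CARP common IP + one real IP per node + at least one server.
    rt_hosts = list(rt.hosts())
    if len(rt_hosts) < 2 + nodes:
        raise ValueError(f"{routed} too small: need CARP IP, {nodes} real IPs and a server")
    return {
        "wan_gateway": str(ln_hosts[0]),
        "wan_carp_ip": str(ln_hosts[1]),           # ISP routes the block here
        "wan_real_ips": [str(a) for a in ln_hosts[2:2 + nodes]],
        "opt1_carp_ip": str(rt_hosts[0]),          # servers' default gateway
        "opt1_real_ips": [str(a) for a in rt_hosts[1:1 + nodes]],
        "server_range": (str(rt_hosts[1 + nodes]), str(rt_hosts[-1])),
        "isp_static_route": f"{rt} via {ln_hosts[1]}",
        "outbound_nat_for_opt1": False,            # delete the auto NAT rule for opt1
    }


if __name__ == "__main__":
    # The exact numbers from the mail: 1.2.3.0/29 linknet, 1.2.4.0/26 routed block.
    for key, value in plan_carp_addressing("1.2.3.0/29", "1.2.4.0/26").items():
        print(f"{key:22} {value}")
```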

On 6/29/07, Gary Buckmaster <[EMAIL PROTECTED]> wrote:
It should also be noted that CARP doesn't work with bridged interfaces,
so if you want CARP (which for a data center environment, you probably
do) you'll want to use the setup that Chris suggested.

Chris Daniel wrote:
> If you think you will ever need failover using CARP, 1:1 NAT with
> virtual IPs is the way to go.  A filtering bridge is nice, and yes, a
> bit easier, but you can't implement failover with it under pfSense.
> Either way you go, it's essentially the same procedure with regard to
> maintaining firewall rules.  I can't speak to the Asterisk issue, but
> maybe someone else can chime in on that.
>
>
> Ugo Bellavance wrote:
>
>> Hi,
>>
>>     I'm about to have a few servers in the same half-rack in a
>> datacenter and I'm thinking about the best setup possible for that:
>>
>> - Filtering Bridge
>> - 1-to-1 NAT
>> - Other???
>>
>> I'm especially afraid of Asterisk (SIP) behind a 1-to-1 NAT.  I don't
>> know exactly what the pros and cons of each are.  I guess a filtering
>> bridge is easier to install, and we configure the hosts behind with
>> public IP addresses and it is easier to forget a host unprotected...
>>
>> Any opinions on this?
>>
>> Regards,
>>
>> Ugo
>>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>

