On Tue, Jun 1, 2010 at 12:24 PM, Matias <matiassu...@gmail.com> wrote:
> On 01/06/10 18:09, Evgeny Yurchenko wrote:
>>
>> Matias wrote:
>>>
>>> On 01/06/10 17:14, Evgeny Yurchenko wrote:
>>>>
>>>> Matias wrote:
>>>>>
>>>>> On 01/06/10 17:00, Evgeny Yurchenko wrote:
>>>>>>
>>>>>> Matias wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I've an internet connection on which my ISP provides a /29 network,
>>>>>>> just one IP for my pfSense (1.2.1) box and one IP for their gateway.
>>>>>>>
>>>>>>> I'd like to set up this IP as CARP and be shared with the second
>>>>>>> pfSense box I have, but as far as I understand, in order to have this
>>>>>>> IP address as CARP I must set up another two IPs on **the same
>>>>>>> range** the CARP IP is. But I don't have more real IPs.
>>>>>>>
>>>>>>> What is your recommendation in this situation?
>>>>>>>
>>>>>>> Thanks for your help.
>>>>>>>
>>>>>> /29 gives you 6 usable IPs.
>>>>>> pfSense-1
>>>>>> pfSense-2
>>>>>> Gateway
>>>>>> and you can configure 3 CARPs.
>>>>>>
>>>>>> Evgeny.
>>>>>>
>>>>>> ---------------------------------------------------------------------
>>>>>> To unsubscribe, e-mail: support-unsubscr...@pfsense.com
>>>>>> For additional commands, e-mail: support-h...@pfsense.com
>>>>>>
>>>>>> Commercial support available - https://portal.pfsense.org
>>>>>>
>>>>>
>>>>> Sorry, it is a /30 actually.
>>>>>
>>>> Oh. In this case you have to get more public IPs from your provider.
>>>>
>>>
>>> Do you know if with pfSense 2.0 there will be the option to use a
>>> CARP IP outside the interface(s) network?
>>>
>> To me it just does not make sense - to use IPs on WAN that cannot be
>> routed to you by Provider. What for?
>>
>
> The only IP reachable from my ISP point of view should be the CARP one. Why
> would I like to have two routable (and paid) public IP addresses on the
> real interfaces of each pfSense box that I'm not going to use ever?
>
A typical deployment where redundant firewalls come into play would be a router on the edge with a switch behind it, and both firewalls on the switch. If you have a VLAN-capable switch like a Cisco 2950 or something, you can handle outside, inside, and the between-box CARP traffic all on the same switch, and still have room left over for your LAN switching needs. 2950s tend to go for between $50 and $75, and their ability to do things like VLANs and spanning tree makes their real value per dollar pretty damn high over what you can get at Best Buy.

It struck me as odd at first to have a router outside the firewall since the firewall is the "hardest" box, and it would make sense for it to be furthest on the periphery of my network. But all a router is really doing is passing traffic from the ISP into the LAN. As long as you configure it to just pass traffic and allow telnet/ssh access from the LAN only, there is really very little to exploit. A simple Cisco 2600 series router with 2 Ethernet interfaces will take care of most people's LAN <-> WAN routing needs and can be had for very cheap. For a little more you can even put an EtherSwitch module in it and take all your CARP traffic off the LAN switch.

I usually recommend a Cisco router over a BSD box for WAN delivery duty since they rarely if ever need patching, they do simple WAN delivery marvelously well, the config is dead simple, and they very, very rarely fail. Just pass all traffic through it using a single NAT/PAT pool to give your pfSense boxen a few addresses to work with, and have your pfSense box do any rules/translations/etc. for the LAN. A Cisco 2611XM or 2621XM can be had for under 200 on eBay, cheaper if you spend a little time hunting. I usually recommend the XM models since they have much better throughput than the non-XM models of the same numbers, and a 16 Mbit cable connection stresses them pretty hard (they were intended as T1 routers; modern broadband blows T1s away).

But this is how you can easily do CARP with only 1 public IP being served to your premises. Just think of your Cisco router as another telco router... Set it up and forget it's there, and pretend like your pfSense boxes are the real edge devices. You might be thinking "well then I don't have redundancy anymore"... but chances are the next-hop box your redundant pfSense boxes talk to isn't redundant anyway, so any way you think about it you lose redundancy upstream anyway.

Of course buying Cisco gear rubs some open source people the wrong way, and paying ~300 for network infrastructure rubs people that are re-purposing secondhand or discarded/retired computers the wrong way. You could always use a BSD box as your edge router, but then you're right back where you started. But a solid network infrastructure is valuable when doing relatively complex (topologically speaking) things like redundant firewall setups. And I don't really feel like buying cheap EOL'd Cisco gear off eBay is "sucking up to the man".

Just some things to think about. I work security engineering in a very large managed services company tending to tons of networks from small to international. And in almost every setup the edge device is a router of some sort with redundant firewalls sitting just behind it, and the edge router is often not redundant. Getting a fire-and-forget router with virtually nothing to exploit or worth exploiting for your edge is a pretty solid complement to a redundant firewall setup.
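The address arithmetic behind the /29-versus-/30 answer earlier in the thread, and the edge-router fallback recommended in the reply above, as an added Python example that is not part of the thread; the 203.0.113.0/29, 203.0.113.0/30 and 192.168.255.0/29 prefixes are constructed sample values, and taking the first host of the private prefix as the router's inside address is an assumption.

```python
"""Address planning for a pfSense CARP pair on an ISP-delegated prefix.

Added example, not from the thread. Sample prefixes below are constructed.
"""
import ipaddress


def plan_carp_addresses(prefix, gateway, nodes=2):
    """Return a CARP address plan for the prefix, or None if it cannot fit.

    A pfSense 1.2.x CARP cluster needs one unique address per node plus at
    least one shared VIP, all in the same subnet as the upstream gateway.
    Everything left after the node addresses is available for further VIPs.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        raise ValueError(f"gateway {gw} is not inside {net}")
    # hosts() already excludes the network and broadcast addresses
    usable = [h for h in net.hosts() if h != gw]
    if len(usable) < nodes + 1:
        return None  # e.g. a /30: gateway plus one host, no room for CARP
    return {
        "gateway": str(gw),
        "nodes": [str(a) for a in usable[:nodes]],
        "vips": [str(a) for a in usable[nodes:]],
    }


def plan_behind_edge_router(public_prefix, isp_gateway, private_prefix):
    """Apply the reply's recommendation when the public prefix is too small.

    The edge router keeps the single public address and the CARP cluster is
    built on a private subnet behind it, with the router's inside address
    (assumed here to be the first host of the private prefix) as gateway.
    """
    public_plan = plan_carp_addresses(public_prefix, isp_gateway)
    if public_plan is not None:
        return {"mode": "direct", **public_plan}
    router_inside = next(ipaddress.ip_network(private_prefix).hosts())
    private_plan = plan_carp_addresses(private_prefix, str(router_inside))
    if private_plan is None:
        raise ValueError("private prefix too small for a CARP pair")
    return {"mode": "behind-edge-router", **private_plan}


if __name__ == "__main__":
    print(plan_carp_addresses("203.0.113.0/29", "203.0.113.1"))
    print(plan_behind_edge_router("203.0.113.0/30", "203.0.113.1",
                                  "192.168.255.0/29"))
```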