I've attached a link so you can understand what I'm talking about: http://restricted.dyndns.org/target/fw-failover.gif My real confusion is that if I use 209.242.x.102 as the carp interface address for both of the firewalls' lan cards, and the webserver is also on the same ip address, I don't think it will work. What is the solution to this kind of scenario? Will RDR work for the same subnet? Neil writes:
hey guys, I'm in a confusion. I'm planning to install a new firewall by changing the freebsd ipf with openbsd's pf. However, with the current ip addresses that we have, I don't know if pf/carp/pfsync will still work in my scenario. I have created 2 hypothetical test openbsd pf/carp/pfsync firewalls and they are working great. However, the internal lan card uses a private ip address and the external lan card uses a public ip address. The third nic is for the pfsync interface. My confusion now is that I want to migrate to the openbsd firewall without having to reconfigure ip addresses on the existing webservers. Currently, the settings for the production firewall are:
a.) external lan card is 209.242.x.51/255.255.255.248
b.) 2nd lan card is at 209.242.x.97/255.255.255.240
c.) 3rd lan card is at 209.242.x.113/255.255.255.240
d.) router is at 209.242.x.49/255.255.255.248

The blocks on b and c can be combined together so it becomes a /27 or 255.255.255.224. That's what the ISP gave us. We just divided it before since we had another client. That client is gone, so I have those ip addresses back again and I will be able to use the 3rd lan card for pfsync. There will be 30 hosts in all for this block. My confusion is the carp ip addresses. In my hypothetical network, my setup was NAT. However, in production there is no NAT since all ip addresses are public ip addresses. The webserver is on 209.242.x.102, which is on the second network block; how will I be able to use this ip address as a carp ip address? I would like to retain the settings but still be able to take advantage of firewall failover via pf/carp and pfsync. Is this possible with my situation or do I really have to change the ip addressing? Thanks, Neil
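As an added illustration (editor's example, not part of Neil's post or any reply to it), this is what a CARP/pfsync layout looks like with the public addressing described above. The point it demonstrates is that the CARP address is the shared gateway address the webservers already point at (209.242.x.97 on the merged /27), not the webserver's own address: 209.242.x.102 stays on the webserver untouched, each firewall keeps a real address of its own, and no rdr is needed because no NAT is involved. The interface names em0/em1/em2, the real addresses .52/.53 on the /29 and .98/.99 on the /27 (assumed to be free), the vhid numbers and the password placeholder are all assumptions, not values from the post.

```conf
# --- Firewall A (master). Firewall B is identical except for the real
# --- addresses (.53 / .99) and "advskew 100" on each carp line.

# /etc/hostname.em0  -- external NIC, real address in the ISP /29 (assumed .52 free)
inet 209.242.x.52 255.255.255.248 NONE

# /etc/hostname.carp1 -- shared external address; the router at .49 keeps
# sending traffic to .51 exactly as it does today, whichever box is master.
inet 209.242.x.51 255.255.255.248 209.242.x.55 vhid 1 pass CHANGE_ME carpdev em0

# /etc/hostname.em1  -- internal NIC, real address in the merged /27 (assumed .98 free)
inet 209.242.x.98 255.255.255.224 NONE

# /etc/hostname.carp0 -- shared internal address. This is the webservers'
# existing default gateway (.97), so nothing on 209.242.x.102 has to change.
inet 209.242.x.97 255.255.255.224 209.242.x.127 vhid 2 pass CHANGE_ME carpdev em1

# /etc/hostname.em2  -- dedicated pfsync link between the two firewalls
inet 10.0.0.1 255.255.255.252 NONE

# /etc/hostname.pfsync0 -- state table replication over the dedicated link
up syncdev em2

# /etc/sysctl.conf -- let the preferred box reclaim master when it comes back
net.inet.carp.preempt=1

# /etc/pf.conf fragment -- CARP and pfsync themselves must be allowed through,
# and their states must not be synced back and forth.
pass quick on em2 proto pfsync keep state (no-sync)
pass on { em0 em1 } proto carp keep state (no-sync)
```

Two things worth checking when migrating this way: the real addresses .98 and .99 must actually be free once the two /28s are merged into the /27, and the webservers must already use .97 as their gateway, otherwise they keep trying to reach the old firewall's address after cutover. Filtering for the webservers is written on the physical interfaces (em0/em1), not on carp0/carp1; the carp interfaces only carry the shared address.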