Thanks, Scott, for the CARP and OpenVPN answer. I have just one more.
I have a /29 that I run pfSense in and a /27 subnet of DMZ addresses that is
routed to me. I set up incoming load balancing with one of these /27 addresses.
It didn't work. I wasn't sure if creating the virtual server with the DMZ
address also created a virtual IP, so I tried both. Neither one worked. I did
set a firewall rule to allow the traffic. I looked at the output of
/tmp/rules.debug and it didn't look like there was anything but an anchor.
I'm using the 2-20 testing snapshot.
Here's the relevant rules.debug output:
# Load balancing anchor - slbd updates
rdr-anchor "slb"
rdr on fxp2 proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on fxp1 proto tcp from any to any port 21 -> 127.0.0.1 port 8022
rdr on xl0 proto tcp from any to any port 21 -> 127.0.0.1 port 8023
The other question has to do with reflection redirects. If I read correctly,
these should let me access my public DMZ addresses from the LAN interface? If
this is correct, then these don't work. But they are the least of my concerns, as
I've traditionally used split DNS. Here's an example reflection rule from
rules.debug:
rdr on fxp0 proto tcp from any to xx.xx.xxx.xx/32 port { 80 } -> 192.168.xx.xx port 80
# Reflection redirects
rdr on fxp2 proto tcp from any to xx.xx.xxx.xx/32 port { 80 } -> 127.0.0.1 port 19003
rdr on fxp1 proto tcp from any to xx.xx.xxx.xx/32 port { 80 } -> 127.0.0.1 port 19004
rdr on xl0 proto tcp from any to xx.xx.xxx.xx/32 port { 80 } -> 127.0.0.1 port 19005
I do have to say I've put two pfSense nodes into production using failover CARP,
and it's much nicer than the NetScreen we were using. The thing that killed the
NetScreen was its inability to delete 1:1 mappings until the server using that
IP was down for hours. Then the NetScreen would notice it was down and let you
delete the mapping. With pfSense it's been so much easier.
Thanks,
Daniel
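An added example, not from this thread or from pfSense itself: a small Python checker that parses rdr lines of the shape quoted above from a rules.debug dump, records per destination and port which interfaces redirect to a loopback helper port (the pattern the reflection rules use) versus straight to an internal host, and lists interfaces that carry no rdr at all for that destination. The public address 203.0.113.10 and the internal host 192.168.1.10 in the sample are constructed placeholders.

```python
import re

# Constructed sample modelled on the rdr lines quoted in the post; the public
# address (203.0.113.10) and internal host (192.168.1.10) are placeholders.
RULES_DEBUG = """\
# Load balancing anchor - slbd updates
rdr-anchor "slb"
rdr on fxp2 proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on fxp1 proto tcp from any to any port 21 -> 127.0.0.1 port 8022
rdr on xl0 proto tcp from any to any port 21 -> 127.0.0.1 port 8023
rdr on fxp0 proto tcp from any to 203.0.113.10/32 port { 80 } -> 192.168.1.10 port 80
# Reflection redirects
rdr on fxp2 proto tcp from any to 203.0.113.10/32 port { 80 } -> 127.0.0.1 port 19003
rdr on fxp1 proto tcp from any to 203.0.113.10/32 port { 80 } -> 127.0.0.1 port 19004
rdr on xl0 proto tcp from any to 203.0.113.10/32 port { 80 } -> 127.0.0.1 port 19005
"""

# Matches the single-port rdr form seen in rules.debug, with or without braces
# around the destination port.
RDR_RE = re.compile(
    r"^rdr on (?P<iface>\S+) proto (?P<proto>\S+) from (?P<src>\S+) "
    r"to (?P<dst>\S+) port \{?\s*(?P<dport>\d+)\s*\}? -> "
    r"(?P<target>\S+) port (?P<tport>\d+)$"
)


def parse_rdr(text):
    """Extract 'rdr on ...' lines; comments and rdr-anchor lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RDR_RE.match(line.strip())
        if m:
            r = m.groupdict()
            r["dport"], r["tport"] = int(r["dport"]), int(r["tport"])
            rules.append(r)
    return rules


def redirect_map(rules):
    """Group rules by (dst, dport) and note, per interface, whether the rdr
    points at a loopback helper port ('helper') or a real host ('direct')."""
    out = {}
    for r in rules:
        kind = "helper" if r["target"].startswith("127.") else "direct"
        out.setdefault((r["dst"], r["dport"]), {})[r["iface"]] = (kind, r["target"], r["tport"])
    return out


def missing_interfaces(rules, interfaces):
    """For each redirected destination, the interfaces with no rdr for it at all."""
    return {key: sorted(set(interfaces) - set(per_if))
            for key, per_if in redirect_map(rules).items()}
```

Run against a real /tmp/rules.debug, the output shows at a glance whether the address you expect to be reachable has an rdr on the interface you are testing from, which is the first thing to confirm before looking at the firewall rules.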