I have read everything I can find, including http://doc.m0n0.ch/handbook/faq-ipalias.html
I have multiple class C subnets (2 are contiguous, so it's a /23 ... nice; a separate /24; and a separate /29).
The /29 is used for routing the other addresses (I think).
On the /29, pick an IP to use CARP on and make the /23 and /24 next hops be the CARP IP on the /29.
I want to use DMZ servers with private IPs, so I think that cuts out routing (as suggested in the m0n0wall doco above).
Eventually I'll get down and dirty with VLANs, and have different public IPs being sent to different private subnets, over different VLANs.
What I'd really like:
- use CARP to failover everything I do. Currently works great on the /29.
- I am guessing I need to list the IPs somewhere, like in 'Virtual IPs', otherwise other tools won't play nice.
Yep, at some point I want to make this a little nicer, but for now you'll have to enter each IP in one by one (I'd recommend entering one or two, reading config.xml and figuring out what it's supposed to look like, and scripting the remainder).
- I am also trying to avoid cascading pfSense boxes, like routing from one to another and the second doing the NAT, as it is the opposite of high availability.
Shouldn't need to do this.
Just saw a bloke playing with proxy ARP. I can't proxy ARP, as I don't think that will failover at all.
Correct, likely won't help you. You really want to use routing.
1:1 NAT is no good to me, as I'll want different subnets for different addresses later.
This looks most promising (from the m0n0wall link above):
NAT
* inbound/server NAT
Use this if you want to redirect connections for different ports of a given public IP address to different hosts (define one or more of your secondary IP addresses for server NAT, then use them with inbound NAT as usual).
But it's not really explicit. 'Server NAT': is that via 'load balancer' for pfSense? Or is that just normal old 'NAT port forward'? But how do I select the addresses?
I suspect this is a m0n0'ism; pfSense shouldn't use that terminology. You want a virtual IP, as you alluded to above. Then create a port forward, choose the virtual IP to be forwarded... the port, the dest server, dest port... etc., and have at it.
Perhaps separate clusters of pfSense for each subnet (3 clusters in my case)?
Nah, just need one cluster with a CARP virtual IP on each and a slew of "other" virtual IPs on WAN.
Ideas?
--Bill
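Bill's suggestion above is to enter one or two virtual IPs in the GUI, read config.xml to see the layout, and script the remainder. The following is an added example of that scripting step, written for this thread and not code from the pfSense project. It assumes the config.xml layout of a pfSense 2.x virtual IP (a `<virtualip>` list of `<vip>` elements with `mode`, `interface`, `subnet`, `subnet_bits`, `descr` and `type` children); confirm those names against an entry made in the GUI before merging anything. The subnets below are constructed documentation ranges standing in for the poster's /24 and /29, and the excluded addresses stand in for the WAN interface IP and the CARP VIP, which must not be re-added as "other" VIPs.

```python
"""Expand public subnets into per-address pfSense-style "other" virtual IP entries.

Added example for this thread, not pfSense project code. Element names below are
ASSUMED from the pfSense 2.x config.xml layout; verify against a GUI-created entry.
"""
import ipaddress
from typing import Dict, Iterable, Iterator, List
from xml.sax.saxutils import escape

VIP_FIELDS = ("mode", "interface", "subnet", "subnet_bits", "descr", "type")


def expand_hosts(cidrs: Iterable[str], exclude: Iterable[str] = ()) -> Iterator[ipaddress.IPv4Address]:
    """Yield every usable host in the given blocks, in order, without duplicates.

    Network and broadcast addresses are skipped, as are any addresses listed in
    `exclude` (interface addresses, the CARP VIP, addresses already configured).
    strict=True makes a misaligned block such as 203.0.113.0/23 raise instead of
    being silently widened to a block the caller did not mean.
    """
    skip = {ipaddress.ip_address(a) for a in exclude}
    seen = set()
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)
        for host in net.hosts():
            if host in skip or host in seen:
                continue
            seen.add(host)
            yield host


def vip_entries(cidrs: Iterable[str], interface: str = "wan", mode: str = "other",
                exclude: Iterable[str] = (), descr: str = "scripted VIP") -> List[Dict[str, str]]:
    """Build one single-address VIP record per usable host.

    mode="other" matches the advice in the thread: the addresses are claimed for
    NAT/port forwarding only, with failover handled by the single CARP VIP.
    """
    return [
        {
            "mode": mode,
            "interface": interface,
            "subnet": str(host),
            "subnet_bits": "32",
            "descr": f"{descr} {host}",
            "type": "single",
        }
        for host in expand_hosts(cidrs, exclude)
    ]


def render_vips(entries: List[Dict[str, str]]) -> str:
    """Render the records as a <virtualip> fragment (ASSUMED element names)."""
    lines = ["<virtualip>"]
    for entry in entries:
        lines.append("  <vip>")
        for field in VIP_FIELDS:
            lines.append(f"    <{field}>{escape(entry[field])}</{field}>")
        lines.append("  </vip>")
    lines.append("</virtualip>")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: a /24 and a /29 from the documentation ranges, with the
    # /29's first two addresses reserved (WAN interface IP and CARP VIP, say).
    sample = vip_entries(["198.51.100.0/24", "192.0.2.0/29"],
                         exclude=["192.0.2.1", "192.0.2.2"])
    print(f"{len(sample)} VIP entries generated")
    print(render_vips(sample[:2]))
```

Diff the rendered fragment against the one or two entries pfSense wrote itself before pasting it into the `<virtualip>` section, and keep a backup of config.xml; a bad merge here takes out every forward that depends on those addresses at once.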
