Bill,

thanks for your help, I'll go try it.

that's smart, just route via the HA CARP addresses.

both pfSense boxes will have the 'virtual IP' type 'other'. But only one pfSense box will get the traffic for them, because of the CARP and L3 routing.

Layer 2 ARP rubbish won't come into it, because it's mostly using Layer 3 routing. CARP does the mucking at Layer 2, but for only 1 subnet. The other subnets won't even appear on a Layer 2 ARP list (possibly only within pfSense).

very smart, that was the piece of the puzzle I had missing.

BTW: I'd love to help doco bits and pieces as I learn, the doco on pfSense is way too slim. Perhaps lots of blue 'i's for info next to most fields, and link them to a public wiki, and give us userland folks some access to write up what things mean.

SCOTT FARRELL
IBM CERTIFIED Consultant
m 0412 927 156
p 02 9411 3622
f 02 8214 6426
a IBM Building, The Atrium
601 Pacific Highway, St Leonards NSW 2065
w www.icconsulting.com.au
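Scott's point above, that with the /23 and /24 routed via the CARP address on the /29 the upstream router only ever ARPs for one address, can be checked with a small longest-prefix-match model. This is an added example, not code from the thread or from pfSense; the 10.x blocks and the VHID are constructed stand-ins for the poster's real subnets.

```python
import ipaddress

# Constructed stand-in addressing (not the poster's real blocks): the /29 is the
# link net shared with the upstream router, and the CARP VIP lives on it. The
# /23 and /24 are the routed blocks that become "other" virtual IPs on pfSense.
LINK_NET = ipaddress.ip_network("10.30.0.8/29")
CARP_VIP = ipaddress.ip_address("10.30.0.10")
ROUTED_BLOCKS = [
    ipaddress.ip_network("10.10.0.0/23"),
    ipaddress.ip_network("10.20.0.0/24"),
]

# The upstream router's view: (prefix, next hop). next_hop=None means directly
# connected, i.e. the router resolves the destination itself with ARP.
UPSTREAM_ROUTES = [(LINK_NET, None)] + [(net, CARP_VIP) for net in ROUTED_BLOCKS]


def lookup(dst, routes=UPSTREAM_ROUTES):
    """Longest-prefix match. Returns (prefix, next_hop) or None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best


def arp_target(dst, routes=UPSTREAM_ROUTES):
    """The one address the upstream router has to resolve at Layer 2 to forward
    a packet to dst: dst itself on a connected net, the next hop otherwise."""
    match = lookup(dst, routes)
    if match is None:
        return None
    _, next_hop = match
    return ipaddress.ip_address(dst) if next_hop is None else next_hop


def arp_targets_for_block(block, routes=UPSTREAM_ROUTES):
    """Set of Layer 2 targets needed to reach every host in the block."""
    return {arp_target(host, routes) for host in ipaddress.ip_network(block).hosts()}


def carp_virtual_mac(vhid):
    """CARP answers for the VIP with the VHID-derived virtual MAC
    00:00:5e:00:01:<vhid>, so a failover moves the VIP to the other box
    without changing the MAC the upstream router has learned."""
    if not 1 <= vhid <= 255:
        raise ValueError("vhid must be 1..255")
    return "00:00:5e:00:01:%02x" % vhid


if __name__ == "__main__":
    for block in ROUTED_BLOCKS:
        # Every host in the routed blocks resolves to the single CARP VIP.
        print(block, "->", sorted(map(str, arp_targets_for_block(block))))
    print("connected host", arp_target("10.30.0.12"))
    print("CARP virtual MAC for vhid 1:", carp_virtual_mac(1))
```

The whole /23 and /24 collapse to one Layer 2 target, the CARP VIP, which is why those addresses never show up in the upstream router's ARP table; only the /29 link net is resolved host by host.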

"Bill Marquette" <[EMAIL PROTECTED]>
19/09/2006 09:58 AM
Please respond to: [email protected]
To: [email protected]
cc:
Subject: Re: [pfSense-discussion] need some advice/help on multiple WAN subnet

On 9/18/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

> I have read everything I can find.
>
> including
>
> http://doc.m0n0.ch/handbook/faq-ipalias.html
>
> I have multiple C class subnets (2 are contiguous, so it's a /23 ... nice, a separate /24, and a separate /29).
>
> the /29 is used for routing the other addresses (I think).

On the /29, pick an IP to use CARP on and make the /23 and /24 next hops be the CARP IP on the /29.

> I want to use DMZ servers with private IPs - so I think that cuts out routing (as suggested in the m0n0wall doco above).
>
> eventually I'll get down and dirty with VLANs, and have different public IPs being sent to different private subnets, over different VLANs.
>
> What I'd really like:
>
> - use CARP to failover everything I do. Currently works great on the /29
>
> - I am guessing I need to list the IPs somewhere - like in 'virtual IPs', otherwise other tools won't play nice.

Yep, at some point I want to make this a little nicer, but for now you'll have to enter each IP in one by one (I'd recommend entering one or two, reading config.xml and figuring out what it's supposed to look like and scripting the remainder).

> - I am also trying to avoid cascading pfSense boxes, like routing from one to another, and the second doing the NAT - as it is the opposite of high availability.

Shouldn't need to do this.

> Just saw a bloke playing with proxy ARP. I can't proxy ARP - as I don't think that will failover at all.

Correct, likely won't help you.  You really want to use routing.

> 1:1 NAT is no good to me, as I'll want different subnets for different addresses later.
>
> This looks most promising: (from the m0n0wall link above)
>
> NAT
>
>    *      inbound/server NAT
>
>      Use this if you want to redirect connections for different ports of a given public IP address to different hosts (define one or more of your secondary IP addresses for server NAT, then use them with inbound NAT as usual).
>
> but it's not real explicit. 'server NAT' - is that via 'load balancer' for pfSense? or is that just normal old 'NAT port forward' - but how do I select the addresses?

I suspect this is a m0n0'ism, pfSense shouldn't use that terminology.  You want a virtual IP as you alluded to above.  Then create a port forward, choose the virtual IP to be forwarded...the port, the dest server, dest port...etc and have at it.

> perhaps separate clusters of pfSense for each subnet (3 clusters in my case)

Nah, just need one cluster with a CARP virtual IP on each and a slew of "other" virtual IPs on WAN.

> ideas ?

--Bill
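Bill's suggestion of entering one or two virtual IPs by hand, reading config.xml and scripting the rest, worked through as an added example (not code from the thread or from the pfSense project). It enumerates every usable host in the routed blocks and emits one `<vip>` element per address with mode "other" on WAN. The 10.x blocks are constructed stand-ins, and the element names (`mode`, `interface`, `subnet`, `subnet_bits`, `descr`) are assumed from memory of the config.xml layout; compare them against the entries pfSense writes for the one or two you added by hand before merging the output.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed stand-ins for the poster's routed /23 and /24; the /29 carrying
# the CARP VIP is deliberately left out, it is configured by hand already.
ROUTED_BLOCKS = ["10.10.0.0/23", "10.20.0.0/24"]


def vip_entries(blocks, interface="wan", mode="other"):
    """One dict per usable host address (network and broadcast skipped).
    Key names are assumed config.xml <vip> child elements, not verified here."""
    entries = []
    for block in blocks:
        net = ipaddress.ip_network(block)
        for host in net.hosts():
            entries.append({
                "mode": mode,
                "interface": interface,
                "subnet": str(host),
                "subnet_bits": "32",          # each "other" VIP is a single host
                "descr": "routed via CARP, block %s" % net.with_prefixlen,
            })
    return entries


def build_virtualip_xml(entries):
    """Serialise the entries as a <virtualip> fragment to merge into config.xml
    (alongside the existing CARP <vip>, not replacing it)."""
    root = ET.Element("virtualip")
    for entry in entries:
        vip = ET.SubElement(root, "vip")
        for tag, text in entry.items():
            ET.SubElement(vip, tag).text = text
    return ET.tostring(root, encoding="unicode")


def count_vips(xml_text):
    """Sanity check on the generated fragment: number of <vip> elements."""
    return len(ET.fromstring(xml_text).findall("vip"))


if __name__ == "__main__":
    fragment = build_virtualip_xml(vip_entries(ROUTED_BLOCKS))
    print("generated", count_vips(fragment), "vip entries")
    print(fragment[:300], "...")
```

Keep a backup of config.xml before merging, and merge the generated `<vip>` elements into the existing `<virtualip>` section rather than replacing it, so the hand-configured CARP VIP on the /29 survives; the same fragment is loaded on both boxes, which is exactly what Scott describes above (both have the 'other' VIPs, only the CARP master answers for them).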