I'm afraid I will need some more help with this. (Yes, I am really that retarded). I can't play around with the designated systems right now because they're a) down b) remote, and I won't have any quality time in the colo, so I would like to leave the system in a minimally working setup which I can then modify remotely in a series of safe steps, each more or less possible to recover from (in a pinch, asking for a remote console).
I've since figured out that what I originally wanted was a filtered bridge -- but that setup is incompatible with http://cvstrac.pfsense.com/tktview?tn=1194 carp, so I wouldn't be able to get a failover setup a la http://pfsense.iserv.nl/tutorials/carp/carp-cluster-new.htm

Assuming I start with two systems configured identically as a filtered bridge (only one of which is active as a firewall at a time, of course), is there a safe migration pathway to a real CARP failover cluster?

Oh, I presume that has been answered with http://forum.pfsense.org/index.php?PHPSESSID=895d849f5301db2b5cd3c7f4a50af59b&/topic,1903.new.html#new already.

On Wed, Dec 20, 2006 at 07:02:10PM -0000, Greg Hennessy wrote:
>
> > interface itself? Perhaps that's the wrong approach.
> > Do I need WAN/LAN bridging? Something else?
>
> Start subnetting, create a /29 for the external untrusted interface(s) +
> vips.

With VIPS you mean virtual IPs for the firewall, and CARP interfaces. A /29 has 8 total IPs, 6 of them usable. Idiot question: why do I need so many?

> Take the remainder and salt and pepper amongst dmz interfaces as required.

My problem is that I only have two interfaces in the system, WAN and LAN.

> If you're going to use vlans, do not mix zones of trust on the same switch.

With trust, are you referring to lists of trusted MACs, and is this port-based or IEEE 802.1Q VLAN?

--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
