On Mon, Nov 9, 2009 at 7:17 AM, Eugen Leitl <eu...@leitl.org> wrote:
>
> I've built a 1.2.3RC3 box on the aforementioned Supermicro
> dual-core Atom box with an Intel dual-port server NIC
> and a 2 GByte Transcend DoM (some 200 EUR the Supermicro
> kit, 35 EUR memory, and 100 EUR the dual-port Intel
> NIC, the DoM is some 20-30 EUR IIRC).
>
> All four NICs (onboard Realteks and Intel) are apparently
> fully functional.
> The box is reasonably quiet, and probably not underventilated
> if it's not sandwiched between two other rackmounts (it
> does have enough fan headers on the motherboard to rectify
> that potential problem, though no fan mounts; hotglue would
> probably do).
>
> I've assigned WAN and LAN to the Intel NIC, and will use
> the Realteks for pfsync, redundancy and the like.
>
> Now the question, assuming I have a /24 network on WAN, what is
> the optimal routing setup if I want to go carp+pfsync
> eventually fully redundant? I'm currently running two
> mini-ITX C3 boxes in a poor man's failover setup, both
> as transparent bridges, with one disabled through STP
> or other loop-detection feature.
>
> So what do I do with my /24? Private IP space behind
> LAN, and 1:1 for every address? (That would be pretty
> difficult to recover from should my firewall die; right
> now every box has public IPs and can be fully routed
> even though then directly exposed to the hostile
> Internet).
>
Lots of options there - they're discussed in depth in the book. I generally prefer getting a smaller WAN block and having the larger internal block routed to you; then you can use a combination of NAT and routed public IPs as needed, and easily add additional IP space in the future if needed.

I don't like bridging in a serious colo environment, because of the complications possible with relying on STP, or hacks on the firewall.

I would never set up the network with a design consideration that you can use it if the firewalls fail; that's why you have redundant firewalls.

---------------------------------------------------------------------
To unsubscribe, e-mail: discussion-unsubscr...@pfsense.com
For additional commands, e-mail: discussion-h...@pfsense.com
Commercial support available - https://portal.pfsense.org