Hello, I have a redundant router/firewall with CARP and PF/PFSync with the following configuration (simplified for example):
on FW1 (MASTER):
ifconfig_em3="inet 1.2.208.89 netmask 255.255.255.224 -tso"
ifconfig_em3_alias0="vhid 53 advskew 0 pass xx alias 1.2.208.90/32"
on FW2 (BACKUP):
ifconfig_em3="inet 1.2.208.91 netmask 255.255.255.224 -tso"
ifconfig_em3_alias0="vhid 53 advskew 100 pass xx alias 1.2.208.90/32"
on both machines I have something like this in my /etc/pf.conf:
net_local="10.209.1.0/24"
net_prod="192.168.10.0/24"
if_wan="em3"
CARPvhid53="1.2.208.90"
nat on $if_wan from { $net_local, $net_prod } to any -> $CARPvhid53
it works great but I have a couple of questions:
- is it possible to use different subnets for the "real" IPs and the
CARP VIP? In other words: I only have three public IPs and I'd like
to reuse two of them. I wondered if something like this would work:
on FW1 (MASTER):
ifconfig_em3="inet 192.168.88.1 netmask 255.255.255.0 -tso"
ifconfig_em3_alias0="vhid 53 advskew 0 pass xx alias 1.2.208.90/32"
on FW2 (BACKUP):
ifconfig_em3="inet 192.168.88.2 netmask 255.255.255.0 -tso"
ifconfig_em3_alias0="vhid 53 advskew 100 pass xx alias 1.2.208.90/32"
(assuming that the switch is configured properly)
- as the state table is synced between FW1 and FW2, is it possible to
do some load-balancing on the outgoing address?
Thanks!
Julien
--
Julien Cigar
Belgian Biodiversity Platform (http://www.biodiversity.be)
PGP fingerprint: EEF9 F697 4B68 D275 7B11 6A25 B2BB 3710 A204 23C0
No trees were killed in the creation of this message.
However, many electrons were terribly inconvenienced.

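The two setups asked about above, written out as an added example that is not part of Julien's message: the real addresses moved to a private subnet with all three public addresses carried as CARP VIPs on one vhid, and the outgoing NAT spread over those VIPs with a round-robin pool. It keeps the new-style carp(4) rc.conf syntax already used in the message. Assumed, not taken from the original: the upstream gateway 1.2.208.65, the private segment 192.168.88.0/24 being accepted on the same switch port as the public one, and the `pass ... proto carp` rule (the original only shows the nat line, not its filter rules).

```conf
# --- /etc/rc.conf on FW1 (MASTER). FW2 is identical except for its
# --- private address (192.168.88.2) and "advskew 100" on every alias.
# Real address on a private subnet; only the CARP VIPs are public.
ifconfig_em3="inet 192.168.88.1 netmask 255.255.255.0 -tso"
# The first VIP keeps the real prefix (/27 instead of /32): once the
# primary address is no longer in 1.2.208.64/27 the host has no on-link
# route to the gateway, and "defaultrouter" below would fail with
# "Network is unreachable". The alias supplies that connected route.
ifconfig_em3_alias0="inet vhid 53 advskew 0 pass xx alias 1.2.208.90/27"
# Further VIPs on the same vhid fail over together with the first one.
ifconfig_em3_alias1="inet vhid 53 advskew 0 pass xx alias 1.2.208.89/32"
ifconfig_em3_alias2="inet vhid 53 advskew 0 pass xx alias 1.2.208.91/32"
# Assumed gateway address.
defaultrouter="1.2.208.65"

# --- /etc/pf.conf (same file on both firewalls) ---
net_local="10.209.1.0/24"
net_prod="192.168.10.0/24"
if_wan="em3"
CARPvips="{ 1.2.208.89, 1.2.208.90, 1.2.208.91 }"
# Outgoing NAT load-balanced over the VIPs. round-robin picks the next
# address per new state; sticky-address pins each internal source host
# to the address it got first, so a client is not seen from three public
# IPs at once. States (and therefore the chosen address) are carried to
# the peer by pfsync, so they survive a CARP failover.
nat on $if_wan from { $net_local, $net_prod } to any -> $CARPvips round-robin sticky-address
# CARP advertisements on the WAN segment must be allowed through pf
# (assumed rule; the original message omits its filter rules).
pass on $if_wan proto carp
```

Without `sticky-address` every new connection may leave from a different public address, which breaks services that expect one client IP per session; with it, the pinning only lasts as long as the source host has at least one state open.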