On 21/09/2011 13:41, Seth Mos wrote:
On 21-9-2011 13:26, David Burgess wrote:
On Wed, Sep 21, 2011 at 5:13 AM, David Brown <da...@westcontrol.com> wrote:


I have two WAN connections. One is a symmetric link (10/10), the
other is
ADSL (8/1). I would like to set these up so that the symmetric link
is the
main link, with the ADSL as backup. But http traffic can be balanced
between them. Can I arrange that?

Yes.

See Routing, Gateway Groups. You can add multiple groups and different
fallback tiers.


OK.

On one of the WAN connections, I have several IP addresses (a /28
subnet).
Several services coming in on these IP addresses need to be NAT'ed to
different internal servers, depending on the port and the IP address
targeted. It is important that replies from the internal servers get
returned from the same IP as originally targeted. Will that work with
pfSense?

I believe virtual IPs (VIP) would take care of that in pfsense.

Use this together with the 1:1 NAT feature.


The 1:1 NAT is used to pass all ports from one WAN address to a LAN/DMZ address, isn't it? That might be useful for some circumstances. All I really need at the moment is things like FTP or HTTPS on two different WAN IP addresses (on the same NIC) being passed on to ports on two different internal servers, and it sounds like VIPs can do that.

I am seriously considering getting two pfSense boxes with CARP failover.
Does this require identical hardware on the two systems (or perhaps just
identical network card setups)?

I don't think this is a requirement for CARP.

This is not a requirement; however, if the master is gigabit, make sure
the backup has gigabit too.


I hope that isn't essential - my current hardware has a 4-port 100MB card and when I buy a new one, I'll probably get a 4-port GB card for it and use it as the primary.

How much information is passed over the
link between the boxes - does it cover all setup, configuration,
rules, dhcp
leases, etc.? How often does this synchronisation take place?

Not sure.

It synchronizes state for traffic failover, the rest is toggle boxes on
the virtual IP settings page. Leases are not transferred, static
mappings are, you can do DHCP on both nodes with failover, see the DHCP
settings page for that.


OK.

Am I correct
in thinking that each box needs its own individual IP address on each
network interface (including VLAN interfaces), and they share one or
more
CARP aliases?

I believe that's correct.

They need their own IP + the redundant CARP IP, so at least 3. You will
need to make manual outbound NAT rules so that all traffic originates
from the external CARP address after NAT. This is required for failover.


That should be fine.

Thanks,

David

_______________________________________________
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
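The thread covers three things that end up as pf rules on the box: the port forwards on two public addresses of one NIC (VIPs), outbound NAT sourced from the CARP address so the backup node can take over the states, and the per-protocol balancing versus plain failover between the two WANs. The fragment below is an added, hand-written pf.conf sketch of those pieces, not pfSense's generated ruleset and not anything posted in the thread. Interface names (em0-em3), the RFC 5737 documentation addresses, the upstream gateway addresses and the internal server addresses are all assumptions chosen for the illustration.

```pf
# Added illustration (not pfSense's generated ruleset, not the thread's
# own config): a hand-written pf.conf sketch of the pieces discussed.
# Interface names and all addresses are assumptions:
#   em0 = symmetric WAN (10/10), carries the /28 203.0.113.16/28
#   em1 = ADSL WAN (8/1), single address 198.51.100.10
#   em2 = LAN 192.168.1.0/24
#   em3 = dedicated pfsync crossover link between the two nodes

ext_sym  = "em0"
ext_adsl = "em1"
lan      = "em2"
gw_sym   = "203.0.113.17"      # upstream router on the symmetric link
gw_adsl  = "198.51.100.1"      # upstream router on the ADSL link

# Shared (CARP) addresses. Each node also keeps its own unique address on
# every interface, so the symmetric WAN needs at least three addresses.
carp_wan_sym  = "203.0.113.20"  # CARP VIP, also the outbound NAT source
carp_wan_adsl = "198.51.100.10"
carp_lan      = "192.168.1.1"   # LAN default gateway handed out by DHCP
vip_ftp       = "203.0.113.21"  # second public address on the same NIC
vip_https     = "203.0.113.22"  # third public address on the same NIC

ftp_srv   = "192.168.1.10"
https_srv = "192.168.1.11"

# --- Outbound NAT: source LAN connections from the CARP address rather
# than the node's own interface address, so a state synced over pfsync
# is still valid when the backup node becomes master.
nat on $ext_sym  from $lan:network to any -> $carp_wan_sym
nat on $ext_adsl from $lan:network to any -> $carp_wan_adsl

# --- Port forwards on two different public addresses of the same NIC.
# pf keeps one state entry per translation, so replies from the internal
# server are un-NATed back to the public address the client targeted.
rdr on $ext_sym proto tcp from any to $vip_ftp   port 21  -> $ftp_srv   port 21
rdr on $ext_sym proto tcp from any to $vip_https port 443 -> $https_srv port 443

# --- Policy routing. Web traffic from the LAN is balanced round-robin
# across both WANs (sticky so one client keeps one path and its NAT
# address); everything else is pinned to the symmetric link.  Plain pf
# does not remove a dead gateway by itself; on pfSense the gateway
# monitor does that by rebuilding the route-to pool for the group.
pass in quick on $lan proto tcp from $lan:network to any port { 80 443 } \
    route-to { ($ext_sym $gw_sym), ($ext_adsl $gw_adsl) } \
    round-robin sticky-address keep state
pass in quick on $lan from $lan:network to any \
    route-to ($ext_sym $gw_sym) keep state

# --- Let the forwarded services, CARP and pfsync through.
pass in on $ext_sym proto tcp from any to $ftp_srv   port 21  keep state
pass in on $ext_sym proto tcp from any to $https_srv port 443 keep state
pass on { $ext_sym $ext_adsl $lan } proto carp keep state
pass quick on em3 proto pfsync keep state
```

Two practical caveats when checking a setup like this: FTP on a forwarded address needs more than port 21, since the data connections use separate ports (either forward the server's passive range or use an FTP helper), and the pfsync interface should be a dedicated link, because pfsync carries the full state table unauthenticated and any host on that segment can inject states.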
