> On 2012-03-21 21:22, Adam Thompson wrote:
> > Based on that very high-level summary:
> > -assuming the /28 isn't a true routed /28,
>
> I would have to ask my ISP to get the answer?
>
> What is a true routed subnet? It means that every IP address in the subnet is available in a switch in which you connect your ISP's network cable, or is it that you must use a firewall or router of your own to address those IPs?

I knew you were going to ask that :-).

By my definition, a routed subnet is one where you control a router that has (at least) two interfaces, the entire /28 is bound to one of them, and the other interface has an IP address that is *outside* the subnet. In other words, the ISP delegates the entire subnet to you, and tells you what (static) IP address they expect to reach you *through*.

Delegations in this traditional style are becoming increasingly rare, because with advances in OSS software and hardware, it has become very easy for them to allocate you chunks of IP space directly (without needing a router). Also, the average consumer connecting to the internet actually *prefers* a bunch of IPs they can use directly without having to set up a router. When you *have* a router, however, it adds complications like 1:1 NAT.

I haven't seen any ISP delegate anything smaller than a /24 for quite a few years now. It does make the ISP's routing more complex when they delegate (routing table size increases, and someone has to provision either static routes or BGP peering), so many avoid doing so at all. Based on my experience, there are now more ISPs than there are network engineers competent to manage delegation, so many ISPs simply don't have the expertise required to delegate anything correctly - and therefore they don't do it.

> > -set pfSense's WAN IP to the first IP in the range (or reserve the first three if using CARP for HA)
>
> I already planned/reserved 3 IPs in all of my subnets, and with the ISP.

OK :-). Although it's not perfect, pfSense's HA is pretty impressive - and so easy that you may as well use it!

> > -set all remaining IPs as CARP-type aliases, and implement inbound NAT as necessary (maybe including 1:1 for the FTP server)
>
> Ok, but are there drawbacks compared to an alias VIP?

None that I've run into personally. The one I can think of is that you can't (or rather, shouldn't) run CARP on the same network (or VLAN, or...) as any Cisco HSRP devices because they use the same Ethertype value but aren't compatible. Or maybe that was VRRP, can't remember. Not likely to be an issue for very many people, in any case.

-Adam Thompson
[email protected]

_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list
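As an added example (not from this thread and not pfSense code), the following Python helper applies the definition of a routed subnet given above: the delegation counts as "routed" when the ISP's next-hop address lies outside the delegated block, and "direct" when the ISP gateway sits inside it and uses up one of the addresses. It then reserves the first usable address for the WAN IP (the first three when running CARP for HA: shared VIP plus one address per node) and lists the remaining addresses as candidates for CARP-type VIP aliases. The function name, the dictionary layout and the sample prefix/gateway values are constructed for illustration; the addresses come from the RFC 5737 documentation range.

```python
import ipaddress


def plan_delegation(prefix: str, upstream_gateway: str, ha: bool = True) -> dict:
    """Classify an ISP delegation and plan the addresses inside it.

    Hypothetical helper, not pfSense code. "routed" means the ISP's next-hop
    toward us lies outside the delegated prefix, so the whole block can be
    bound to one firewall interface; "direct" means the ISP gateway sits
    inside the block and consumes one of its usable addresses.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    gw = ipaddress.ip_address(upstream_gateway)
    hosts = list(net.hosts())  # excludes network and broadcast addresses

    if gw in net:
        kind = "direct"
        hosts = [h for h in hosts if h != gw]  # the ISP gateway takes one address
    else:
        kind = "routed"

    # With CARP, reserve the shared WAN VIP plus one real address per node.
    reserve = 3 if ha else 1
    if len(hosts) < reserve:
        raise ValueError(
            f"{prefix} has only {len(hosts)} usable addresses; need {reserve}"
        )

    reserved, remaining = hosts[:reserve], hosts[reserve:]
    plan = {
        "kind": kind,
        "network": str(net),
        "upstream_gateway": str(gw),
        "wan_ip": str(reserved[0]),  # shared CARP VIP when ha=True
        "carp_vip_aliases": [str(h) for h in remaining],
    }
    if ha:
        plan["node_a"] = str(reserved[1])
        plan["node_b"] = str(reserved[2])
    return plan


if __name__ == "__main__":
    # Constructed sample values from the RFC 5737 documentation range.
    routed = plan_delegation("203.0.113.16/28", "203.0.113.1")
    direct = plan_delegation("203.0.113.16/28", "203.0.113.17")
    for p in (routed, direct):
        print(f"{p['network']} via {p['upstream_gateway']}: {p['kind']}")
        print(f"  WAN IP / CARP VIP : {p['wan_ip']}")
        print(f"  node A / node B   : {p['node_a']} / {p['node_b']}")
        print(f"  alias VIPs        : {', '.join(p['carp_vip_aliases'])}")
```

The classification hinges on a single membership test (`gw in net`), which is exactly the property the reply describes: in the routed case the router's outside interface carries an address the ISP assigned separately, so all fourteen usable addresses of the /28 stay available behind the firewall; in the direct case the gateway is one of those fourteen and the plan loses an address.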
