Chris L wrote on Fri, Feb 27 2015 at 3:34 pm:
>> On Feb 27, 2015, at 12:37 PM, Steve Yates wrote:
>>
>> Chris L wrote on Fri, Feb 27 2015 at 12:10 pm:
>>
>>> Hopefully the provider can just route the additional subnet to your
>>> existing WAN IP. Then you don’t need to do anything with CARP/HA
>>> except make sure primary and secondary are both set up to deal with
>>> the routed traffic.
>>
>> Would that require three "LAN side" public IPs for the two firewalls out
>> of that second subnet also?
>
> It depends on what you want to do with them.
>
> If pfSense just routes them to another IP address, then no. You only need 3 IPs
> when you have to create a pfSense interface with HA.
It's been a long weekend and I'm missing something that's probably
obvious... the scenario is: no NAT, multiple public IPs in use on the "LAN" side
from two different subnets, and pfSense acting as a firewall. Subnet 1 would
need a shared CARP IP and officially two others for WAN on both firewalls (but
see below) and the same thing duplicated on the LAN side. The servers on
subnet 1 would use the CARP LAN IP from subnet 1 as their gateway.

If subnet 2 is routed by the data center to subnet 1's CARP IP, then
the way I read the docs it will get to pfSense if I set up an Other virtual IP
type, correct? Does pfSense then need to use a public IP Alias from subnet 2
on its LAN side CARP interface to be the gateway for subnet 2? Or, if I read
the IP Alias section a few more times, does it mean that it would still need
the three public IPs for three LAN side aliases (aliases on the two interfaces
plus a third alias for the CARP LAN interface)?

I found this forum thread which points out that, as you suggested in
another message, using three public IPs on the WAN side (and hopefully the LAN
side) is apparently not required in v2.2.
https://forum.pfsense.org/index.php?topic=87546.0

However, I found another post which says in part, "Without valid IPs on
both, the secondary will not be able to independently check for updates or
install packages. There would also be no way to directly manage the secondary
from a remote location. It couldn't do DNS resolution to a remote DNS server,
or even sync its clock to a remote time server."
https://forum.pfsense.org/index.php?topic=73584.msg404834#msg404834

...So those are good points. However, does that mean only the second firewall
would need a WAN side public IP? (Presumably the master would use the CARP WAN
IP for its communication while it is online.) Regarding remote management,
my tentative plan was to VPN to the CARP IP to access the firewalls from the
LAN side.
--
Steve Yates
ITS, Inc.
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
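A check an operator could run on one node once the two-subnet plan discussed above is configured, added here as an example and not code from the thread or from the pfSense project: it parses FreeBSD-style `ifconfig` output and confirms that the LAN interface carries the node's own address and the CARP VIP from subnet 1 plus the IP Alias gateway from subnet 2, and reports the CARP state. The sample output, interface name and addresses are constructed, and the alias is assumed to appear with the CARP VIP's vhid when it rides on that VIP.

```python
import ipaddress
import re

# Constructed sample of FreeBSD 10-style `ifconfig em1` output (format assumed);
# addresses are RFC 5737 documentation ranges, not a real deployment.
SAMPLE_IFCONFIG = """\
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 203.0.113.2 netmask 0xfffffff8 broadcast 203.0.113.7
\tinet 203.0.113.1 netmask 0xfffffff8 broadcast 203.0.113.7 vhid 2
\tinet 198.51.100.1 netmask 0xffffffff broadcast 198.51.100.1 vhid 2
\tcarp: MASTER vhid 2 advbase 1 advskew 0
"""

INET_RE = re.compile(r"^\s*inet (\S+) netmask (0x[0-9a-fA-F]+)(?: broadcast \S+)?(?: vhid (\d+))?")
CARP_RE = re.compile(r"^\s*carp: (\w+) vhid (\d+)")


def parse_ifconfig(text):
    """Map each inet address to its vhid (None if plain) and each vhid to its CARP state."""
    addrs, states = {}, {}
    for line in text.splitlines():
        m = INET_RE.match(line)
        if m:
            addrs[m.group(1)] = int(m.group(3)) if m.group(3) else None
            continue
        m = CARP_RE.match(line)
        if m:
            states[int(m.group(2))] = m.group(1)
    return addrs, states


def check_lan_plan(text, node_ip, carp_vip, subnet1, alias_gw, subnet2):
    """Return (problems, carp_state); an empty problem list means the node matches the plan."""
    net1, net2 = ipaddress.ip_network(subnet1), ipaddress.ip_network(subnet2)
    problems = []
    if net1.overlaps(net2):
        problems.append("subnet 1 and subnet 2 overlap")
    # Subnet 1 carries the per-node address and the CARP VIP; subnet 2 only the alias gateway.
    for name, ip, net in (("node IP", node_ip, net1), ("CARP VIP", carp_vip, net1),
                          ("subnet-2 gateway", alias_gw, net2)):
        if ipaddress.ip_address(ip) not in net:
            problems.append(f"{name} {ip} is not inside {net}")
    addrs, states = parse_ifconfig(text)
    if node_ip not in addrs or addrs[node_ip] is not None:
        problems.append(f"node IP {node_ip} missing or wrongly tied to a vhid")
    vhid = addrs.get(carp_vip)
    if vhid is None:
        problems.append(f"CARP VIP {carp_vip} missing or has no vhid")
    # The subnet-2 alias must sit on the same vhid so it fails over with the CARP VIP.
    if addrs.get(alias_gw) is None or addrs.get(alias_gw) != vhid:
        problems.append(f"alias {alias_gw} missing or not on vhid {vhid}")
    return problems, states.get(vhid, "UNKNOWN")
```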