I apologize in advance if this has already been covered. I searched the mailing lists and didn't see any mention of exactly this question.
So I have two redundant firewalls using CARP and NAT with one public subnet on the external interface and one private subnet on the internal interface. This is a fairly common setup and is easy to accomplish with PF, of course. Now, my ISP has allocated a new, public subnet for me, and I want to add it to my existing subnet on the external side. I've seen only a handful of references to doing this on the mailing list, and none are very detailed.

Here is my current setup in /etc/hostname.carp0 (names and passwords changed to protect the innocent):
---
inet 1.1.1.194 255.255.255.224 1.1.1.223 vhid 1 carpdev bnx0 pass nopasswd
inet alias 1.1.1.195 255.255.255.255
inet alias 1.1.1.198 255.255.255.255
inet alias 1.1.1.199 255.255.255.255
inet alias 1.1.1.204 255.255.255.255

Clearly, I'm not hosting services on every available IP in this subnet at the moment. But that's beside the point. Also, I'm using a default gateway in /etc/mygate of:
---
1.1.1.193

Now, I want to allocate more addresses in this newly allocated subnet. So I just use the new subnet and netmask. But what about other addresses in that new subnet? Should I designate them with 255.255.255.255 and the kernel will figure out which subnet is which? Like so:
---
inet 1.1.1.194 255.255.255.224 1.1.1.223 vhid 1 carpdev bnx0 pass nopasswd
inet alias 1.1.1.195 255.255.255.255
inet alias 1.1.1.198 255.255.255.255
inet alias 1.1.1.199 255.255.255.255
inet alias 1.1.1.204 255.255.255.255
inet alias 2.2.2.66 255.255.255.192
inet alias 2.2.2.67 255.255.255.255
inet alias 2.2.2.68 255.255.255.255
inet alias 2.2.2.69 255.255.255.255

I also now have essentially two possible default gateways. But since my ISP doesn't provide any sort of dynamic routing, we're just going to assume the first subnet has the default gateway, as specified above in /etc/mygate.
But I still need to get the second subnet set up to route in general, so I assume I want something like this in my hostname.carp0:
---
!route add -inet 2.2.2.64/26 2.2.2.65

Or do I also need a -host or -interface route set up too?

Now, assuming all of the above is in place as it should be, will traffic ultimately be coming and going via the proper IP addresses? I think I'm over-analyzing this last part, but bear with me a second. Since my default gateway is going to be the 1.1.1.193 gateway, will traffic destined for addresses in my 2.2.2.64/26 come from the correct source address? I have lines like this in my PF rules at the moment:
---
binat on bnx0 from 192.168.1.80 to any -> 1.1.1.195
rdr on bnx0 proto tcp from any to 1.1.1.195 port www -> 192.168.1.80
.
.
(further down...)
pass in on bnx0 proto tcp from any to 192.168.1.80 port www

So once I add this newly allocated subnet, I assume I can simply put things like this:
---
binat on bnx0 from 192.168.1.50 to any -> 2.2.2.66
rdr on bnx0 proto tcp from any to 2.2.2.66 port www -> 192.168.1.50
.
.
(further down...)
pass in on bnx0 proto tcp from any to 192.168.1.50 port www

and not only will remote hosts on the public Internet be able to access a web server running on this internal, private host, but they'll also see any connection attempts or responses from that private internal host as coming from 2.2.2.66, correct?

The routing part is the most confusing part for me, as it seems to me like traffic will come in correctly from remote hosts, but as soon as the firewall tries to send back out, it will end up using the default gateway somehow and things will get all mucked up. But like I said, maybe I'm just over-analyzing and it will all just work as it should!

Thanks for reading this far. I know that's a bunch of information and I hope I made it all as clear as possible.
-- Mark Nipper e-contacts: 12345 Lamplight Vlg 818 [EMAIL PROTECTED] Austin, Texas 78758-2564 http://nipsy.bitgnome.net/ (979)575-3193 AIM/Yahoo: texasnipsy ICQ: 66971617 ---begin random quote of the moment--- There's madness in my methods. -- random sig seen on /. by Tough Love (215404) ----end random quote of the moment----
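Added example (editor's code, not part of the post or of OpenBSD): a small Python model of the routing decision the firewall kernel makes with the proposed hostname.carp0 above. It parses the config lines exactly as written in the post, treats every address whose netmask is shorter than /32 as installing a connected (on-link) route, does longest-prefix matching, and then applies the post's binat mappings to show which public source address an outbound packet carries and which next hop it takes. The addresses are the post's own placeholders; 198.51.100.10 is a constructed remote destination, and the BINAT table is assumed from the two binat rules quoted in the post. The point it illustrates: once 2.2.2.66 is configured with netmask 255.255.255.192, the kernel installs the 2.2.2.64/26 connected route itself, so 2.2.2.65 and the other hosts in that subnet are reached on-link and the extra `route add -inet 2.2.2.64/26 2.2.2.65` is not needed; if 2.2.2.66 were configured with a /32 netmask instead, 2.2.2.65 would be sent to the default gateway. Whether the ISP accepts packets sourced from 2.2.2.x that arrive via the 1.1.1.193 hop depends on the ISP's filtering and is not modelled here.

```python
import ipaddress

# Constructed from the post: the proposed /etc/hostname.carp0 with both
# public subnets. 1.1.1.x / 2.2.2.x are the post's placeholders, not real space.
CARP0_CONFIG = """\
inet 1.1.1.194 255.255.255.224 1.1.1.223 vhid 1 carpdev bnx0 pass nopasswd
inet alias 1.1.1.195 255.255.255.255
inet alias 1.1.1.198 255.255.255.255
inet alias 1.1.1.199 255.255.255.255
inet alias 1.1.1.204 255.255.255.255
inet alias 2.2.2.66 255.255.255.192
inet alias 2.2.2.67 255.255.255.255
inet alias 2.2.2.68 255.255.255.255
inet alias 2.2.2.69 255.255.255.255
"""
MYGATE = "1.1.1.193"  # contents of /etc/mygate in the post

# Assumed from the post's two binat rules: internal host -> public address.
BINAT = {"192.168.1.80": "1.1.1.195", "192.168.1.50": "2.2.2.66"}


def parse_carp_config(config):
    """Parse 'inet ADDR MASK ...' and 'inet alias ADDR MASK ...' lines.

    Returns (local_addrs, connected): every configured address, plus the
    (network, interface_address) pairs for which the kernel installs a
    connected route, i.e. every address whose netmask is shorter than /32.
    A /32 alias only adds the address itself; it adds no prefix route.
    """
    local, connected = set(), []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "inet":
            continue
        addr, mask = (parts[2], parts[3]) if parts[1] == "alias" else (parts[1], parts[2])
        ifa = ipaddress.IPv4Interface(f"{addr}/{mask}")
        local.add(ifa.ip)
        if ifa.network.prefixlen < 32:
            connected.append((ifa.network, ifa.ip))
    return local, connected


def route(dest, config=CARP0_CONFIG, gateway=MYGATE):
    """Longest-prefix-match lookup for dest, as the firewall kernel would do it.

    Returns (next_hop, source_address): next_hop is "local" for one of the
    firewall's own addresses, "direct" when dest is on a connected prefix
    (delivered by ARP on the link), or the default gateway otherwise.
    source_address is the interface address chosen before any NAT is applied.
    """
    d = ipaddress.IPv4Address(dest)
    local, connected = parse_carp_config(config)
    if d in local:
        return "local", str(d)
    best = max((c for c in connected if d in c[0]),
               key=lambda c: c[0].prefixlen, default=None)
    if best is not None:
        return "direct", str(best[1])
    gw = ipaddress.IPv4Address(gateway)
    for net, ifaddr in connected:
        if gw in net:  # the default gateway must itself be on a connected net
            return str(gw), str(ifaddr)
    raise ValueError(f"default gateway {gateway} is not on any connected network")


def egress(internal_src, dest, binat=BINAT, **kw):
    """Outbound packet from an internal host after binat: (next_hop, public_source).

    binat rewrites only the source; the route is chosen on the destination
    alone, so a 2.2.2.x-sourced packet to the Internet still leaves via
    1.1.1.193. Hosts without a binat entry are returned unmapped (the post's
    generic nat rule, if any, is not modelled).
    """
    next_hop, _ = route(dest, **kw)
    return next_hop, binat.get(internal_src, internal_src)


if __name__ == "__main__":
    for dst in ("1.1.1.200", "2.2.2.65", "2.2.2.70", "2.2.2.67", "198.51.100.10"):
        print(dst, "->", route(dst))
    print("192.168.1.50 -> 198.51.100.10:", egress("192.168.1.50", "198.51.100.10"))
```

Run it as a script to see the table; the interesting rows are 2.2.2.65 (on-link via the /26 alias, no route needed) and the binat case, where the packet leaves with source 2.2.2.66 but next hop 1.1.1.193.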