Re: [pfSense] Question about failover setup
On 20-6-2012 5:34, Jerome Alet wrote:
> Hi,
>
> On Tue, Jun 19, 2012 at 08:35:38AM +0200, Seth Mos wrote:
>> On 18-6-2012 23:26, Jerome Alet wrote:
>>> So now that I'm trying to replicate the OpenBSD configuration on my
>>> pfSense 2.1 boxes, I'm wondering if I really need 3 distinct IP
>>> addresses on each vlan and what are the consequences of using only one
>>> on the carp interface?
>>
>> For pfSense you definitely need 3 addresses per vlan.
>
> Thanks for your answer.
>
> No, maybe a stupid question...
>
> Is it mandatory that all three addresses are in the same subnet, or is
> it possible to have the virtual one in a different subnet than the two
> real ones (still all three would be on the same vlan, but on different
> subnets)?

Mandatory, how would the pfSense firewall itself reach the internet for DNS and updates? It can't source everything from the CARP vip.

Although theoretically the traffic going through the firewall should be unaffected. It's a crapshoot though that generally does not work too well.

We hope that the CARP overhaul that is included in FreeBSD9 will help us in this case, but we can't guarantee that it will work this way either.

Regards,

Seth
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list

Re: [pfSense] Question about failover setup
On 18-6-2012 23:26, Jerome Alet wrote:
> Hi there,
>
> So now that I'm trying to replicate the OpenBSD configuration on my
> pfSense 2.1 boxes, I'm wondering if I really need 3 distinct IP
> addresses on each vlan and what are the consequences of using only one
> on the carp interface?

For pfSense you definitely need 3 addresses per vlan. You can not set it up without.

Maybe the OpenBSD cluster used carpdev which FreeBSD does not have.

Cheers,

Seth

Re: [pfSense] Question about failover setup
Hi,

On Tue, Jun 19, 2012 at 08:35:38AM +0200, Seth Mos wrote:
> On 18-6-2012 23:26, Jerome Alet wrote:
>> So now that I'm trying to replicate the OpenBSD configuration on my
>> pfSense 2.1 boxes, I'm wondering if I really need 3 distinct IP
>> addresses on each vlan and what are the consequences of using only one
>> on the carp interface?
>
> For pfSense you definitely need 3 addresses per vlan.

Thanks for your answer.

No, maybe a stupid question...

Is it mandatory that all three addresses are in the same subnet, or is it possible to have the virtual one in a different subnet than the two real ones (still all three would be on the same vlan, but on different subnets)?

I'm asking this because on one of our interfaces we've got a dedicated link with a 30 bit subnet mask, leaving only two useable addresses: one on our side, the other on the other side of the link.

We don't control the other side of the link unfortunately, so I'm really not sure yet if changing the subnet mask to allow more addresses will be doable (read authorized) or not...

Thanks for any advice on this matter.

bye

--
Jérôme Alet - jerome.a...@univ-nc.nc - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829

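The addressing rule from the replies in this thread (two real addresses plus one CARP virtual address per vlan, all in the same subnet), written as a Python check for a migration plan; it is an added example, not part of any message here and not pfSense code. Function names and sample addresses are constructed for illustration, and the check is IPv4 only.

```python
import ipaddress

def usable_count(net):
    # IPv4: network and broadcast addresses are not assignable below /31.
    return net.num_addresses if net.prefixlen >= 31 else net.num_addresses - 2

def check_carp_plan(subnet, node_a, node_b, vip, other_hosts=()):
    """Return a list of problems for one vlan; an empty list means the plan fits."""
    net = ipaddress.ip_network(subnet)
    roles = {"node_a": node_a, "node_b": node_b, "vip": vip}
    problems = []
    missing = [r for r, a in roles.items() if a is None]
    if missing:
        problems.append("missing address: " + ", ".join(missing))
    addrs = {r: ipaddress.ip_address(a) for r, a in roles.items() if a is not None}
    reserved = set()
    if net.prefixlen < 31:
        reserved = {net.network_address, net.broadcast_address}
    for role, addr in addrs.items():
        if addr not in net:
            problems.append(f"{role} {addr} is outside {net}")
        elif addr in reserved:
            problems.append(f"{role} {addr} is the network or broadcast address")
    # Addresses already held by devices we do not control (e.g. the far end of a link).
    others = {ipaddress.ip_address(h) for h in other_hosts}
    seen = list(addrs.values())
    if len(set(seen)) != len(seen) or others & set(seen):
        problems.append("addresses are not distinct")
    needed = 3 + len(others)
    if needed > usable_count(net):
        problems.append(f"{net} has {usable_count(net)} usable addresses, plan needs {needed}")
    return problems

# Constructed sample plans (documentation address ranges, not from the thread):
# (subnet, node_a, node_b, vip, addresses held by other devices)
PLANS = {
    "vlan10": ("192.0.2.0/24", "192.0.2.2", "192.0.2.3", "192.0.2.1", ()),
    "vip_only": ("192.0.2.0/24", None, None, "192.0.2.1", ()),
    "link30": ("198.51.100.0/30", "203.0.113.2", "203.0.113.3", "198.51.100.1",
               ("198.51.100.2",)),
}

def audit(plans=PLANS):
    return {name: check_carp_plan(*plan) for name, plan in plans.items()}

if __name__ == "__main__":
    for name, problems in audit().items():
        print(name, "OK" if not problems else "; ".join(problems))
```

The `vip_only` plan mirrors the vlans where only the carp interface has an address, and `link30` mirrors the dedicated link with a 30 bit mask whose far end already holds one of the two usable addresses.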
[pfSense] Question about failover setup
Hi there,

We currently have two OpenBSD 4.1 boxes acting in failover mode to serve some of our firewalling needs. We are also using pfSense 2.0.1 and 1.2.2 for other firewalling needs.

I'm planning to consolidate all these firewalls onto two pfSense 2.1 acting in failover mode, and finally shut down all these old boxes. We need to use 2.1 snapshots because our boxes are Dell PowerEdge R610 with the Perc H200 controller, unsupported in earlier releases.

I didn't set up the two OpenBSD boxes, but I've noticed that for some vlans, their configuration doesn't seem to be complete wrt the following pfSense related documentation:

http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)

While for most vlans each of two OpenBSD boxes has a distinct IP address and they share a third distinct IP address as the virtual one (for the carp interface), on a few vlans only the carp interface is assigned an IP address: each box doesn't have a distinct IP address.

According to the documentation mentioned above, this configuration is incorrect. However I can attest that it works, at least when the two OpenBSD boxes are both online.

So now that I'm trying to replicate the OpenBSD configuration on my pfSense 2.1 boxes, I'm wondering if I really need 3 distinct IP addresses on each vlan and what are the consequences of using only one on the carp interface?

Thanks for your advice.

bye

--
Jérôme Alet - jerome.a...@univ-nc.nc - Direction du Système d'Information
Université de la Nouvelle-Calédonie - BPR4 - 98851 NOUMEA CEDEX
Tél : +687 290081 Fax : +687 254829