Eugen Leitl wrote:
On Thu, Mar 27, 2008 at 12:21:13PM -0400, Chris Buechler wrote:

The pfSense box (1.0-RC3 still) in front of the colo servers that host the project's websites is a WRAP. It pushes around 2-8 Mb at around 10-25% utilization; we can push it up over 20 Mbps outbound.

Can you give a sketch of the configuration? I'm running a transparent
bridge, but would like to move to carp+pfsync cluster.

Do you use a private address space inside the network, and do it with VIPs?

Not much to it. It used to be a CARP setup (still is, all the public IPs are CARP VIPs, but with only a master system), the secondary was taken offline for a reason I don't recall quite some time ago and hasn't been returned to the colo facility. It's still 1.0-RC3 because it works as is. Though we will be replacing it with faster hardware running 1.2 soon, the only reason we're looking to upgrade is to increase VPN capacity. A few of us have IPsec tunnels into the colo from our home networks, and I push our backups over the VPN back to a server at my house. Problem with that is it pegs the CPU on the WRAP at around 4-4.5 Mbps of IPsec, which slows down everything else. We're upgrading to something I can't peg with backups over VPN.

basic layout:
--- ISP Ethernet feed -- 5 port Linksys switch -- WRAP WAN -- WRAP LAN -- Cisco Cat 2924 -- hosting servers

The public IPs are CARP IPs, the internal machines are on private IP space. This is largely because we have more jails than we have public IPs, not all of which need to be Internet-accessible. We 1:1 NAT all the hosting jails other than things like MySQL that only need access from other internal jails.

Ideally I'd rather not see anything NATed in a colo hosting environment, but in our situation it's the best solution.
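The layout described in this reply (CARP VIPs on the WAN side, private address space behind the firewall, 1:1 NAT only for the jails that must be reachable from the Internet, internal-only jails such as MySQL left without any public mapping) comes down to a handful of pf rules. The sketch below is an added illustration written for this page, not configuration from the thread or from the pfSense project; pfSense builds its ruleset from the web GUI rather than a hand-edited pf.conf, and the interface names, addresses and jail roles here are constructed (documentation address ranges).

```pf
# Constructed example: the WAN-side ruleset for the WRAP layout described above.
# Interface names, addresses and service ports are assumptions for illustration.
ext_if  = "vr0"            # WAN, plugged into the 5-port Linksys switch
int_if  = "vr1"            # LAN, toward the Cat 2924 and the hosting servers
lan_net = "10.0.0.0/24"    # private space the jails live in

# Public addresses are CARP VIPs, so they fail over to a standby box when one is present
web_pub  = "203.0.113.10"
mail_pub = "203.0.113.11"

# Private jail addresses behind the firewall
web_int   = "10.0.0.10"
mail_int  = "10.0.0.11"
mysql_int = "10.0.0.20"    # internal-only: no binat entry and no pass rule below

# 1:1 NAT for the Internet-facing jails; the MySQL jail deliberately has none,
# so it has no public address at all rather than relying on a filter rule alone
binat on $ext_if from $web_int  to any -> $web_pub
binat on $ext_if from $mail_int to any -> $mail_pub

# Jails that only need outbound access share the firewall's own WAN address
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny inbound on WAN, then open only the services each public jail offers.
# Inbound translation happens before filtering, so rules match the private address.
block in log on $ext_if all
pass in on $ext_if proto tcp from any to $web_int  port { 80, 443 } flags S/SA keep state
pass in on $ext_if proto tcp from any to $mail_int port 25          flags S/SA keep state

# CARP advertisements on the WAN and pfsync state replication between cluster members
pass on $ext_if proto carp keep state
pass on $int_if proto pfsync
```

With the secondary box back in the rack, the VIPs would be created on both members with the same VHID and password (for example `ifconfig carp0 vhid 1 pass <secret> 203.0.113.10/24`, the secret being a placeholder) and `ifconfig pfsync0 syncdev <sync_if>` would carry the state table, so established connections survive a failover. The defensive point of the layout is that an internal-only jail like MySQL never gets a binat entry, so it is unreachable from the WAN even if a pass rule is later mistyped.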

