| Date: Fri, 13 May 2011 16:14:16 -0400
| From: Jim Pingle <[email protected]>
|
| > In my case using the other gateway as a default route is of
| > no use, and even if the primary was not happy. I don't see
| > a way in the "Edit gateway" page to disable the upstream
| > check, though I suspect I could put a local interface in
| > the Alternative Monitor IP field.
|
| That is currently the expected behavior, but there is an open ticket to
| fix that so it's optional.
|
| http://redmine.pfsense.org/issues/1520

Thanks, Jim, for the info. Just to reinforce the assertion in that ticket, here's my anecdotal situation:

- I have two sets of servers, in two colocation datacentres
- the datacentre provider provides a cheap flat-rate cross-connect between the two locations, for replication and backups
- the cross-connect is a restricted route with public IPs across the provider's network

So in each location, I have a default route out to the world, but need a restricted route across the cross-connect (where I would like to run a VPN connection to allow me to route the internal networks). If I understand correctly, and pfsense is willing to choose any defined gateway as the default, then I don't see how I can properly use pfsense for these networks (I would likely have to have a server to server VPN or something), which would be a disappointment.

The other challenge for me here - I have a redundant pair of pfsense firewalls, but the cross-connect network is provided to me as one end of a /30 network, with one usable IP. I want to use a CARP interface for firewall failover for the cross-connect, but the CARP addresses want to match a real address on the same interface i.e. each firewall would need a dedicated address on the /30 and then the CARP address on top. And I don't have enough addresses to go around. (It might be possible, but ugly, to tell pfsense I have a /29, but that would likely come back and bite me when I least expect it.)

This may be a limitation of the underlying CARP implementation, and not something pfsense can implement.

Hope these comments are useful. Thanks for everyone's hard work and great results!

Cheers!
John
