Using Virtual IP to move servers
-
I have a situation where I need to relocate several servers from on-premises to a datacenter in another location. Problem is: all of the devices on-premises that communicate with the servers are hard-coded with the server IP and the devices can not be (reasonably) updated.
Can I use a Virtual IP on pfSense on-premises to NAT to the servers new IP in the datacenter over an IPsec tunnel?
For example:
Server original IP on-premises: LAN 10.0.0.0/24 Server: 10.0.0.100 GW: 10.0.0.1
pfSense on-premises: 10.0.0.1, Virtual IP: 10.0.0.100
Server current IP in Datacenter: LAN: 192.168.1.0/24 Server: 192.168.1.100 GW: 192.168.1.1
pfSense in datacenter: 192.168.1.1
Do I create the NAT on-premises or in the datacenter? My thought is to create regular NAT in the datacenter 10.0.0.100 > 192.168.1.100. Will this work?
THX,
-J
-
Yes, but your NAT has to be on-premises. You can't have the same subnet at both ends of the IPSec tunnel.
Also I hope 192.168.1.0/24 is just for an example here. You should really avoid using that in a data center, it's almost certain to conflict with some remote network at some point.
Steve
-
@stephenw10 Yes, only examples.
So, I am thinking Virtual IP Proxy ARP. Except the Remote network
-
You probably could use ProxyARP but I would just use IPAlias unless you have a reason not to.
-
@stephenw10 THX for the responses, very helpful!
I am having trouble visualizing how an IP Alias would work?
I need a device (let's say: 10.0.0.101) to "think" it is communicating with a server on the same LAN at 10.0.0.100, where in point of fact that server has been relocated to a datacenter on the other side of an IPsec VPN and the server is now 192.168.1.101 (example only).
-
Right so add an IPAlias at 10.0.0.100 on the pfSense LAN in that subnet.
Then add a port forward (or 1:1 NAT rule) for 10.0.0.100 to the new IP on the other side of the tunnel.
Steve
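Steve's two steps, written out as pf rules as an added illustration; this is not from the thread and not pfSense's own generated configuration. The LAN interface name (em1), the single TCP port, and an IPsec phase 2 covering 10.0.0.0/24 <-> 192.168.1.0/24 are assumptions.

```pf
# Constructed illustration of the IP Alias + NAT approach in pf syntax.
# Assumptions: em1 is the on-prem LAN interface, the IPsec phase 2 carries
# 10.0.0.0/24 <-> 192.168.1.0/24, and devices only need TCP 443 on the server.

lan_if  = "em1"
lan_net = "10.0.0.0/24"
old_ip  = "10.0.0.100"      # the IP Alias added to the on-prem LAN interface
new_ip  = "192.168.1.100"   # the server's address in the datacenter

# Step 1 (outside pf): the IP Alias makes pfSense answer ARP for 10.0.0.100,
# so devices hard-coded with that address keep reaching "the server":
#   ifconfig em1 inet 10.0.0.100 netmask 255.255.255.255 alias

# Step 2a, "port forward" form: rewrite the destination of matching LAN
# traffic to the datacenter address; routing then sends it into the tunnel.
# Restricting the source to the LAN and the port to what is needed keeps the
# alias from becoming a general relay into the datacenter network.
rdr on $lan_if inet proto tcp from $lan_net to $old_ip port 443 -> $new_ip

# Step 2b, "1:1 NAT" form, used instead of 2a when every port must map:
# packets arriving on em1 for 10.0.0.100 get destination 192.168.1.100, and
# replies leaving em1 from 192.168.1.100 get source 10.0.0.100.
# binat on $lan_if inet from $new_ip to any -> $old_ip

# pf filters after translation, so the pass rule matches the translated
# destination; the state entry handles the return traffic from the tunnel.
pass in on $lan_if inet proto tcp from $lan_net to $new_ip port 443 keep state
```

If the phase 2 selectors do not include the translated 192.168.1.100 destination, the rewritten packets never enter the tunnel and the alias silently drops traffic.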