Netgate Discussion Forum

A simple question for a complicated setup

Firewalling
11 Posts 2 Posters 623 Views
    madhatterfounder
    last edited by madhatterfounder Nov 6, 2022, 7:40 PM

    Although I have a fairly complicated setup I could go into, I feel like that will just make it more complicated, and it really comes down to a simple question.

    In order to take advantage of the stateful firewall, is it required that the LAN interface be on the same layer 2 as the destination? Or can you just static route through pfSense to the next hop where the layer 2 handoff is performed?

    In my scenario there is no private LAN, everything is public, but we do want to protect from certain ports on the internet. We don't need NAT or any of the other features for these subnets, just the stateful firewall. I worry that there are certain layer 2 TCP connections that keep the TCP sessions open.

    I was thinking it would be nice to use HSRP/VRRP on the WAN and the LAN, and static route to/from the single CARP address, as opposed to having hundreds of CARP addresses via layer 2. I realise that I would just be pushing that down to the next hop, but in reality the pfSense is usually the weakest link in the chain during a DDoS etc. This would also allow me to route around pfSense, or to a new instance (easily)...

    Thanks,

    Hatter

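An added example of the routed, NAT-free stateful setup asked about above, written in the underlying pf syntax that pfSense generates rather than as GUI steps (it is not from the thread or from pfSense's own configuration; igb0/igb1, the 203.0.113.0/24 public subnet and the 198.51.100.2 downstream next hop are constructed placeholders). State is created on the interface where a flow enters and matched on the reply, so the protected subnet need not sit on pfSense's own layer 2; what it does need is a symmetric path, because a reply that routes around pfSense never matches the state entry and is dropped by the default deny.

```pf
# Constructed example: the public subnet lives behind a downstream L3 switch
# and is reachable from pfSense only via a static route (no L2 adjacency, no NAT).
wan = "igb0"                      # upstream (carrier) side
lan = "igb1"                      # transit link to the downstream router/switch
public_net = "203.0.113.0/24"     # routed public subnet (placeholder)
transit_net = "198.51.100.0/30"   # pfSense <-> downstream router link (placeholder)
# The static route itself is installed outside pf (System > Routing in pfSense):
#   203.0.113.0/24 via 198.51.100.2

# Floating states (the pfSense default): a state created by a "pass in" on one
# interface also passes the same flow as it leaves on the other interface,
# so only inbound rules per interface are needed.
set state-policy floating
set skip on lo0

# Default deny; logged drops are what you inspect during an attack.
block log all

# Deliberately no nat/rdr lines: packets are forwarded with addresses unchanged.

# Rules are evaluated on the interface where a packet ENTERS pfSense.
# Internet -> public subnet: only the exposed services, state created here.
pass in on $wan inet proto tcp from any to $public_net port { 80, 443 } \
    flags S/SA keep state
pass in on $wan inet proto icmp from any to $public_net icmp-type echoreq keep state

# Transit link: only the routed prefix and the link itself may source traffic
# here (anti-spoofing), then public subnet -> Internet flows create state.
block in quick on $lan inet from ! { $public_net, $transit_net } to any
pass in on $lan inet from { $public_net, $transit_net } to any keep state
```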
      madhatterfounder @madhatterfounder
      last edited by Nov 6, 2022, 7:47 PM

      That would also allow me to route different public subnets through different CARP pairs. That would be amazing if I could route a subnet under a DDoS attack to a different pfSense stack (or something else).

        chpalmer @madhatterfounder
        posted Nov 6, 2022, 7:49 PM, last edited by chpalmer Nov 6, 2022, 7:50 PM

        @madhatterfounder

        Yes.

        I recommend 3 interfaces. Make one a maintenance interface that you can access pfSense from.

        Bridge the other two interfaces and use rules on them. Remember that rules apply to traffic heading into that interface.

        There is probably some more I'm missing but that is the general gist.

        Triggering snowflakes one by one..
        Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

          madhatterfounder @chpalmer
          last edited by Nov 6, 2022, 7:50 PM

          @chpalmer I don't think you can use bridged interfaces with CARP.

            chpalmer @madhatterfounder
            last edited by Nov 6, 2022, 7:52 PM

            @madhatterfounder Sorry, missed the CARP part..

            I do not know if that is true or not as I have never researched it.


              madhatterfounder
              posted Nov 6, 2022, 8:24 PM, last edited by madhatterfounder Nov 6, 2022, 8:30 PM

              I think the only reason to use bridged mode is when you don't have enough IPs to do static routing. For example at home, where the ISP only gives you one IP. Otherwise bridged mode should be avoided. For a single device I think you need at least a /30, but if you're running HA a /29.

              (I could be wrong but that's how I came to understand it)

              https://www.cisco.com/c/en/us/support/docs/dial-access/floating-static-route/118263-technote-nexthop-00.html

                chpalmer @madhatterfounder
                last edited by Nov 6, 2022, 8:51 PM

                @madhatterfounder

                In my case my ISP routes several IPs to me through a cable modem, therefore 1 interface inbound.. When I did it I could take and put my firewall in place and let it filter traffic from my connection to my switch.

                I did it this way many years ago so cannot remember specifics.. Setting up a quick bridge on my lab machine I do see things have changed slightly as the bridge itself no longer shows up in the firewall rules or as a separate interface as I remember it doing..

                I moved all my servers to a host so do not have it in place anymore. (cheaper than the electric bill and less noise..)


                  madhatterfounder
                  last edited by Nov 7, 2022, 5:02 AM

                  I guess it is possible, I just found this

                  https://greigmitchell.co.uk/2019/08/configuring-intervlan-routing-with-a-layer-3-switch-and-pfsense/

                    madhatterfounder
                    posted Nov 7, 2022, 6:33 PM, last edited by madhatterfounder Nov 7, 2022, 6:35 PM

                    I thought of a potential issue that would prevent me from deploying this solution in my current deployment model. In that article they didn't explain the upstream route, but it would have had to have been a different switching stack, or the uplink was directly to the pfSense WAN interface.

                    With my current hardware (pair of OS10 VLT switches) you can only create VRF interfaces (independent routing tables) on management ports, and if that's the case it wouldn't be possible to route the destination subnet (the "LAN subnet") to the pfSense WAN because the "LAN" subnet would exist as a VRRP/HSRP interface via layer 2. It doesn't even look at the layer 3 routing table if it has a layer 2 link. This would require that I deploy either an upstream or downstream switching pair.

                    Dang...

                      madhatterfounder
                      posted Nov 7, 2022, 9:30 PM, last edited by madhatterfounder Nov 7, 2022, 9:33 PM

                      Okay, I misunderstood the documentation. You can only add management interfaces to the management VRF, but you can have many non-management VRFs.

                      But still, having 2 separate routing tables is one thing, but I still don't think it would ignore a layer 2 link-local address on a different VRF VLT/VRRP interface.

                      So now I'm researching that.

                      Thanks,

                      Dan

                        madhatterfounder
                        last edited by Nov 8, 2022, 2:30 AM

                        Okay, I figured out that VLT + peer routing is superior to VLT + VRRP.

                        https://abhishektechdecoder.wordpress.com/2017/03/16/vrrp-vs-dell-vlt-peer-routing/

                        To summarize, you don't need to waste a (3rd) virtual IP with peer routing, because either switch can respond to either IP that you assign them. And it also load balances the links as opposed to failover. So there is no real convergence.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.