Netgate Discussion Forum

    Newbie Q: PPPoE Managed by Router 1st, then pfSense

      habscout

      Here is my current home setup:

      ADSL Modem --> OpenBSD Firewall (PPPoE client to request Public IP; NAT, DHCP, pf) --> network hub --> wireless hub --> Home PC's

      I would like a redundant firewall environment (i.e. 2 PCs to handle the firewall duties). I have two spare PCs, with sufficient CPU, memory, disks & NICs (3 each).  My goal is to build the following, but I have concerns about the pfSense documentation mentioning that CARP only works on static public IP addresses; this implies that static private IP addresses will not work with CARP?  As much as I'd like this to work, I don't want to go down this road if I can find out that it cannot function the way I want it to.

      ADSL Modem
      |
      |
      v
      Wireless Hub    (PPPoE client to request Public IP)
      |                                    |
      |--> FW1 (pfSense 1, NAT, DHCP, pf)  |--> FW2 (pfSense 2, NAT, DHCP, pf)
              |                                                  |
              |                                                  |
              v                                                  v
              (          network hub                            )
                                |
                                v
                            Home PC's

        bards1888

        CARP works with private addresses too. Did you see my 'solution' at the bottom of this thread;

        http://forum.pfsense.org/index.php/topic,15393.msg81475.html#msg81475

        I had to run the modem as a 'router' and have the PPPOE endpoint there. You won't be able to run it as a modem and have PPPOE running at the same time on each firewall. Well, that is not quite true….. my first attempt was exactly that, PPPOE running on each firewall and it worked in so far as each PPPOE session could establish the link to the ISP, but traffic would only flow over the link that was 'first' to connect. I remember in the 'early days' of xDSL that people were successfully running multiple PPPOE sessions. Obviously, some ISPs don't want users to do that now.

        Here is an ifconfig on my primary firewall;

        em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
                options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
                ether 00:50:56:be:25:a5
                inet 10.18.200.1 netmask 0xffffff00 broadcast 10.18.200.255
                inet6 fe80::250:56ff:febe:25a5%em0 prefixlen 64 scopeid 0x1
                media: Ethernet autoselect (1000baseTX <full-duplex>)
                status: active
        em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
                options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
                ether 00:50:56:be:11:dc
                inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
                inet6 fe80::250:56ff:febe:11dc%em1 prefixlen 64 scopeid 0x2
                media: Ethernet autoselect (1000baseTX <full-duplex>)
                status: active
        em2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
                options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
                ether 00:50:56:be:5a:54
                inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
                inet6 fe80::250:56ff:febe:5a54%em2 prefixlen 64 scopeid 0x3
                media: Ethernet autoselect (1000baseTX <full-duplex>)
                status: active
        em3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
                ether 00:50:56:be:2c:78
                inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
                inet6 fe80::250:56ff:febe:2c78%em3 prefixlen 64 scopeid 0x4
                media: Ethernet autoselect (1000baseTX <full-duplex>)
                status: active
        plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
        lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
                inet 127.0.0.1 netmask 0xff000000
                inet6 ::1 prefixlen 128
                inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
        enc0: flags=0<> metric 0 mtu 1536
        pflog0: flags=100<PROMISC> metric 0 mtu 33204
        pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
                pfsync: syncdev: em3 syncpeer: 224.0.0.240 maxupd: 128
        carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
                inet 10.18.200.99 netmask 0xffffff00
                carp: MASTER vhid 1 advbase 1 advskew 0
        carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
                inet 192.168.2.99 netmask 0xffffff00
                carp: MASTER vhid 2 advbase 1 advskew 0
        carp2: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
                inet 192.168.1.99 netmask 0xffffff00
                carp: MASTER vhid 3 advbase 1 advskew 0

        secondary;

        em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
                options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
                ether 00:50:56:be:74:e5
                inet 10.18.200.2 netmask 0xffffff00 broadcast 10.18.200.255
                inet6 fe80::250:56ff:febe:74e5%em0 prefixlen 64 scopeid 0x1
                media: Ethernet autoselect (1000baseTX <full-duplex>)
                status: active
        em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
                options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
                ether 00:50:56:be:26:94
                inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
                inet6 fe80::250:56ff:febe:2694%em1 prefixlen 64 scopeid 0x2
                media: Ethernet autoselect (1000baseTX <full-duplex>)
                status: active
        em2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
                options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
                ether 00:50:56:be:3d:87
                inet 192.168.2.2 netmask 0xffffff00 broadcast 192.168.2.255
                inet6 fe80::250:56ff:febe:3d87%em2 prefixlen 64 scopeid 0x3
                media: Ethernet autoselect (1000baseTX <full-duplex>)
                status: active
        em3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
                ether 00:50:56:be:50:e3
                inet 10.10.10.2 netmask 0xffffff00 broadcast 10.10.10.255
                inet6 fe80::250:56ff:febe:50e3%em3 prefixlen 64 scopeid 0x4
                media: Ethernet autoselect (1000baseTX <full-duplex>)
                status: active
        plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
        lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
                inet 127.0.0.1 netmask 0xff000000
                inet6 ::1 prefixlen 128
                inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
        enc0: flags=0<> metric 0 mtu 1536
        pflog0: flags=100<PROMISC> metric 0 mtu 33204
        pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
                pfsync: syncdev: lo0 syncpeer: 224.0.0.240 maxupd: 128
        carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
                inet 10.18.200.99 netmask 0xffffff00
                carp: BACKUP vhid 1 advbase 1 advskew 100
        carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
                inet 192.168.2.99 netmask 0xffffff00
                carp: BACKUP vhid 2 advbase 1 advskew 100
        carp2: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
                inet 192.168.1.99 netmask 0xffffff00
                carp: BACKUP vhid 3 advbase 1 advskew 100

        Notice the IP addresses are all private.
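
Added example, not part of the original post: a small consistency check over the CARP and pfsync stanzas of the two `ifconfig` listings above, comparing VIPs, MASTER/BACKUP state, `advskew` and the pfsync `syncdev` per node. The function names `parse` and `check_pair` are hypothetical, and treating a `syncdev` of `lo0` as a finding is this example's assumption.

```python
import re

# Constructed sample: CARP/pfsync stanzas abridged from the primary's
# ifconfig listing in the post above (values as posted).
PRIMARY = """\
pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
\tpfsync: syncdev: em3 syncpeer: 224.0.0.240 maxupd: 128
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
\tinet 10.18.200.99 netmask 0xffffff00
\tcarp: MASTER vhid 1 advbase 1 advskew 0
carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
\tinet 192.168.2.99 netmask 0xffffff00
\tcarp: MASTER vhid 2 advbase 1 advskew 0
carp2: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
\tinet 192.168.1.99 netmask 0xffffff00
\tcarp: MASTER vhid 3 advbase 1 advskew 0
"""
# The secondary's stanzas as posted differ only in state, advskew and syncdev.
SECONDARY = (PRIMARY.replace("MASTER", "BACKUP")
             .replace("advskew 0", "advskew 100").replace("em3", "lo0"))

def parse(text):
    """Return (pfsync syncdev, {vhid: (state, advskew, vip)}) from ifconfig text."""
    syncdev = re.search(r"pfsync: syncdev: (\S+)", text)
    pattern = (r"inet (\S+) netmask \S+\n\s+"
               r"carp: (\w+) vhid (\d+) advbase \d+ advskew (\d+)")
    vips = {int(vhid): (state, int(skew), vip)
            for vip, state, vhid, skew in re.findall(pattern, text)}
    return (syncdev.group(1) if syncdev else None), vips

def check_pair(a, b):
    """Compare two nodes' output; return a list of findings (empty = consistent)."""
    (dev_a, carp_a), (dev_b, carp_b) = parse(a), parse(b)
    findings = []
    if dev_a != dev_b or "lo0" in (dev_a, dev_b):  # lo0 rule: assumption
        findings.append(f"pfsync syncdev: {dev_a} vs {dev_b}")
    for vhid in sorted(set(carp_a) | set(carp_b)):
        if vhid not in carp_a or vhid not in carp_b:
            findings.append(f"vhid {vhid}: present on one node only")
            continue
        (st_a, sk_a, ip_a), (st_b, sk_b, ip_b) = carp_a[vhid], carp_b[vhid]
        if ip_a != ip_b:
            findings.append(f"vhid {vhid}: VIP {ip_a} vs {ip_b}")
        if [st_a, st_b].count("MASTER") != 1:
            findings.append(f"vhid {vhid}: states {st_a}/{st_b}")
            continue
        master, backup = (sk_a, sk_b) if st_a == "MASTER" else (sk_b, sk_a)
        if master >= backup:
            findings.append(f"vhid {vhid}: MASTER advskew {master} >= {backup}")
    return findings
```

Run against the posted values, the three VIPs pair up cleanly (one MASTER each, lower `advskew` on the master) and the only finding is the `syncdev` difference, `em3` on the primary versus `lo0` on the secondary.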

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.