CARP / DMZ

falcon · Jan 7, 2007, 9:50 PM

Hello

Im thinking of useing pfsence however im not entirly sure how I should set it up.

I would like to use carp for fall over however im not sure with our setup that its possible

Heres what we have now.

WAN
DMZ
LAN1
LAN2

The DMZ is bridged to the wan interface and each server has multiple live ip addresses assigned to them. My understanding is that CARP doesn't work with interfaces are bridged and I would have to use 1:1 nat. Im not sure if nat would be suitable for us. we need to assign live ip addresses to the servers for ssl certs and other stuff. It sounds like a lot of un nessesary work setting up 30 odd ips manually and it may have adverse effects to ssl certs which need to be assinged to a diferent up address on the server for each cert.

Am I going down the right path or am I confusing myself ? :)

Any help you can give me would be greatly apreshiated

hoba · Jan 7, 2007, 10:07 PM

This is correct. CARP won't work on bridges.

falcon · Jan 8, 2007, 12:44 AM

whats the way around that ?

would it just simply be

if destination is in this range and from WAN forward out DMZ interface
and back out again
If destination is from DMZ servers range to the net forward out WAN interface ?

That way you wouldnt need NAT or Bridging ?