Redundant pfSense FW in between redundant L3 switches and Routers
-
Hi!
In the absence of a network engineer, I've been tasked with setting up firewalls and I'm starting to think I bit off a bit more than I can chew! Can anybody tell me if what I am attempting makes sense?
The setup I have:
- Many FreeBSD servers, each with a single public IP address on a /25 assigned to two NICs (igb0 and igb1) using lagg failover.
- For each server, igb0 goes to an "active" layer 2 top-of-rack switch, while igb1 goes to a "failover" switch.
- All of the "active" layer 2 switches uplink to an "active" layer 3 switch; likewise, the "failover" layer 2 switches uplink to a "failover" layer 3 switch.
- Each layer 3 switch will have two uplinks: one to the "active" firewall, and the other to the "failover" firewall.
- The firewalls (already using two NICs to receive traffic from the L3 switches) have a third NIC going to the routers, then out to the internet.
- The firewalls are also linked directly to each other via a fourth NIC with a private IP assigned to it. The idea is that this will be used to measure 'heartbeat' between the two for failover, if this is possible.
The default gateway used by all of the servers is on the router on the far side of the firewalls. Does this setup sound feasible? Since the links that come from the layer 3 switches to each firewall have to be fault tolerant, I imagine some sort of VIP or bonding has to take place, making two NICs on the firewall use one public IP. But what about the NIC that has the link to the routers? I imagine I need to assign that NIC a second public IP. But how does traffic pass to that NIC? Do I need to set up a route or something? And if so, have I now unnecessarily created a new segment in my network?
I'm not a networking guru, so please pardon me if this is a less than intelligent question. Any help is appreciated. Thanks!
-
The best way to do this in my opinion is to configure one pfSense on each switch, doing CARP between them:

 -----------------------------------------hosts
|
switch1 -----switch2---------------------------hosts
|            |
pfsense1     pfsense2 (failover for pfsense1)
|            |
|------------|
sync interface with loopback cable

To connect the pfSenses to the router, create an isolated VLAN for the pfSense WAN and the router Ethernet.
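The sync/heartbeat link in the answer above exists to keep the two nodes agreeing on who owns the VIPs. The following check, added here as an example and not part of the thread, parses the `ifconfig` output of both pfSense nodes (pfSense is FreeBSD underneath, so each CARP VIP shows up as a `carp: <STATE> vhid N ...` line) and flags the two failure modes a practitioner should watch for: both nodes MASTER for the same vhid (split brain, the symptom of the nodes no longer hearing each other's CARP advertisements), and the LAN and WAN VIPs owned by different nodes. Interface names, vhid numbers and all sample output are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Parse `ifconfig` output from two CARP
# peers and check (1) exactly one MASTER per vhid and (2) the LAN and WAN
# vhids are owned by the same node. Interface names, vhids and the sample
# output below are constructed, not captured from a real system.

# carp_state "<ifconfig output>" <vhid>  -> MASTER | BACKUP | INIT | NONE
carp_state() {
    printf '%s\n' "$1" | awk -v v="$2" '
        $1 == "carp:" && $3 == "vhid" && $4 == v && !found { print $2; found = 1 }
        END { if (!found) print "NONE" }'
}

# master_node "<node1>" "<node2>" <vhid>  -> 1, 2, or 0 (no master or two masters)
master_node() {
    s1=$(carp_state "$1" "$3")
    s2=$(carp_state "$2" "$3")
    if [ "$s1" = MASTER ] && [ "$s2" != MASTER ]; then echo 1
    elif [ "$s2" = MASTER ] && [ "$s1" != MASTER ]; then echo 2
    else echo 0
    fi
}

# check_vhid "<node1>" "<node2>" <vhid>
# exit 0: exactly one MASTER; 1: both MASTER (split brain); 2: no MASTER at all
check_vhid() {
    s1=$(carp_state "$1" "$3")
    s2=$(carp_state "$2" "$3")
    if [ "$s1" = MASTER ] && [ "$s2" = MASTER ]; then
        echo "vhid $3: SPLIT BRAIN (node1=$s1 node2=$s2)"; return 1
    elif [ "$s1" != MASTER ] && [ "$s2" != MASTER ]; then
        echo "vhid $3: NO MASTER (node1=$s1 node2=$s2)"; return 2
    fi
    echo "vhid $3: OK (node1=$s1 node2=$s2)"
}

# check_symmetric "<node1>" "<node2>" <lan_vhid> <wan_vhid>
# exit 0 when one node owns both VIPs, 1 otherwise (traffic would enter one
# firewall and leave through the other)
check_symmetric() {
    lan=$(master_node "$1" "$2" "$3")
    wan=$(master_node "$1" "$2" "$4")
    if [ "$lan" != 0 ] && [ "$lan" = "$wan" ]; then
        echo "vhids $3/$4: both on node$lan"; return 0
    fi
    echo "vhids $3/$4: ASYMMETRIC (lan=node$lan wan=node$wan)"; return 1
}

# --- constructed samples in FreeBSD 10+ / pfSense 2.2+ ifconfig format ---
NODE1_OK=$(cat <<'EOF'
lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 1.2.3.2 netmask 0xffffff80 broadcast 1.2.3.127
	inet 1.2.3.1 netmask 0xffffffff broadcast 1.2.3.1 vhid 1
	carp: MASTER vhid 1 advbase 1 advskew 0
igb2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
	inet 192.168.1.1 netmask 0xffffffff broadcast 192.168.1.1 vhid 2
	carp: MASTER vhid 2 advbase 1 advskew 0
EOF
)
NODE2_OK=$(cat <<'EOF'
lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 1.2.3.3 netmask 0xffffff80 broadcast 1.2.3.127
	carp: BACKUP vhid 1 advbase 1 advskew 100
igb2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
	carp: BACKUP vhid 2 advbase 1 advskew 100
EOF
)
# node2 after it stopped hearing node1's advertisements on the LAN segment only:
# it promotes itself on vhid 1 while node1 still believes it is MASTER there
NODE2_SPLIT=$(cat <<'EOF'
lagg0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 1.2.3.3 netmask 0xffffff80 broadcast 1.2.3.127
	carp: MASTER vhid 1 advbase 1 advskew 100
igb2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 192.168.1.3 netmask 0xffffff00 broadcast 192.168.1.255
	carp: BACKUP vhid 2 advbase 1 advskew 100
EOF
)

echo "healthy pair:"
check_vhid "$NODE1_OK" "$NODE2_OK" 1
check_vhid "$NODE1_OK" "$NODE2_OK" 2
check_symmetric "$NODE1_OK" "$NODE2_OK" 1 2
echo "node2 lost node1's advertisements on the LAN segment:"
check_vhid "$NODE1_OK" "$NODE2_SPLIT" 1 || true
check_symmetric "$NODE1_OK" "$NODE2_SPLIT" 1 2 || true
```

On a live pair you would feed the functions `ssh node1 ifconfig` and `ssh node2 ifconfig` instead of the constructed strings; pfSense also shows the same state under Status > CARP (failover), but a script like this can run from monitoring and page someone when the two views disagree.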
-
Can this be done even if all available IP addresses come from the same /25? I can obviously use private IPs for the sync interfaces, but otherwise, my only available IPs are from a /25 public. Also, without the firewall, all hosts use the router as their default gateway. With the pfsense in this setup, would the hosts then use the CARP IP address as their gateway?
-
If you have admin access to the router, you can create a dummy network between the router and the pfSense.
Then disable NAT on the pfSense and use the whole /25 network on the LAN.
You will need the old gateway IP as the CARP IP and the other two for each pfSense.
-
I want to try this, but don't quite understand the last sentence. Let's say for example that my current setup (with no pfSense) uses the IPs in 1.2.3.0/25, with 1.2.3.1 as the gateway, with hosts at 1.2.3.10 and 1.2.3.11. How would I assign IP addresses and the gateway once I add the pfSenses in? The CARP IP on the pfSense would now be 1.2.3.1, and the hosts use that as a gateway? And does this mean my BGP gateway upstream from the pfSenses needs a new IP assigned to it? I'm a bit confused.
-
Another thing to mention... my setup is actually like this:

 ________________________________HostNIC1 (both NICs share IP 1.2.3.10 via lagg in FreeBSD)
|             ____________________HostNIC2
|            |
L2Switch1    L2Switch2
|            |
L3Switch1    L3Switch2
|            |
pfsense1-----pfsense2
|            |
BGP Gateway (1.2.3.1/25)

Each rack full of hosts connects to layer 2 switches (active/failover), and these switches all uplink to the layer 3 switches. Two ports on each layer 3 switch uplink to the pfSense CARP interfaces.
-
It sounds like pfSense is in bridge mode filtering. If you want to use some of the other methods being discussed, you might have to change over to a NAT model. The servers have a private address and the pfSense has the CARP address, so in a failover, you go down the redundant path.
If it is possible to bridge and CARP (only sync firewall settings), then it might be possible just to leave the bridge. Not entirely sure it will work though.
-
My suggestion using your sample IP range, without NAT and without a bridge:

 ________________________________HostNIC1 (both NICs share IP 1.2.3.10 via lagg in FreeBSD)
|             ____________________HostNIC2
|            |
L2Switch1    L2Switch2
|            |
L3Switch1    L3Switch2
|            |
(1.2.3.2)    (1.2.3.3)          (virtual IP 1.2.3.1/25)
pfsense1-----pfsense2
(192.168.1.2) (192.168.1.3)     (virtual IP 192.168.1.1)
|            |
BGP Gateway (192.168.1.4)
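Spelled out as configuration, the addressing plan in the diagram above looks like the following. This is an added example, not something posted in the thread: it is written as a FreeBSD /etc/rc.conf fragment for pfsense1 because pfSense is FreeBSD underneath and its GUI (Interfaces > Assign > LAGGs, Firewall > Virtual IPs with type CARP, System > High Availability Sync) produces the equivalent state; you would not edit rc.conf on a pfSense box. The interface names igb0-igb3, the vhid numbers, the advskew values, the sync subnet and the CARP passwords are all assumptions. The LAN side is a failover lagg over the two L3-switch-facing NICs, which is the "VIP or bonding" the original question asks about: one real address per node plus the shared CARP VIP 1.2.3.1, so the servers keep their existing default gateway unchanged.

```shell
# Added example, not from the thread: rc.conf-style configuration for pfsense1
# under the 1.2.3.0/25 + 192.168.1.0/24 plan in the diagram above. Interface
# names, vhids, advskew, the sync subnet and the passwords are assumptions.

# LAN side: one NIC to each L3 switch, bonded as a failover lagg. The real
# address is 1.2.3.2; the CARP VIP 1.2.3.1 is the gateway the servers already
# use, so nothing changes on the hosts.
cloned_interfaces="lagg0"
ifconfig_igb0="up"
ifconfig_igb1="up"
ifconfig_lagg0="laggproto failover laggport igb0 laggport igb1 inet 1.2.3.2/25"
ifconfig_lagg0_alias0="inet vhid 1 advskew 0 pass LANcarpSecret alias 1.2.3.1/32"

# WAN side: the isolated VLAN shared only with the BGP router. The router is
# renumbered to 192.168.1.4 and routes 1.2.3.0/25 to the WAN VIP 192.168.1.1.
ifconfig_igb2="inet 192.168.1.2/24"
ifconfig_igb2_alias0="inet vhid 2 advskew 0 pass WANcarpSecret alias 192.168.1.1/32"
defaultrouter="192.168.1.4"

# Sync side: the fourth NIC, cabled back to back. pfsync replicates the state
# table so established connections survive a failover; on pfSense the same
# link also carries the XML-RPC configuration sync. No CARP on this interface.
ifconfig_igb3="inet 10.10.10.1/30"
pfsync_enable="YES"
pfsync_syncdev="igb3"
pfsync_syncpeer="10.10.10.2"

# Route between LAN and WAN; NAT is disabled, the /25 is routed, not translated.
pf_enable="YES"
gateway_enable="YES"

# pfsense2 differs only in: lagg0 1.2.3.3/25, igb2 192.168.1.3/24,
# igb3 10.10.10.2/30, pfsync_syncpeer 10.10.10.1, and advskew 100 on both
# CARP aliases so that pfsense1 holds the VIPs whenever it is healthy.
```

Two things the fragment does not show but the setup needs: pass rules for `proto carp` on lagg0 and igb2 and for `proto pfsync` on igb3 (on pfSense, Firewall > Rules on the LAN, WAN and SYNC interfaces), and `net.inet.carp.preempt=1` in sysctl.conf so the lower-advskew node takes the VIPs back when it recovers. The plan also requires renumbering the BGP router's interface and adding a route for 1.2.3.0/25 via 192.168.1.1 on it; as the reply that follows says, that is only possible if you, or your provider, control that router.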
Unfortunately, I can't do it that way. All of the hosts have public IP addresses, as does the BGP gateway, from the same /25 block of addresses. I don't control the BGP gateway, so I couldn't change that if I wanted to. The fact that the virtual IPs on the front and back interfaces have to be public is what makes me use it as a bridge.