Netgate Discussion Forum

    Is this even possible?

    General pfSense Questions
    5 Posts 2 Posters 1.3k Views
    • cr_hyland

      I have a question that involves routing, multi LAN, bridging and CARP, so I decided to stick it in the general section. (Admins, feel free to move it to whatever you feel is the relevant section.)

      Basically, what I'm trying to achieve is the following:

      I currently have 2 fully routed pfSense VMs with Carp. I have a small /29 subnet of public IPs for Carp and a larger /24 subnet of public IPs for web / cloud servers assigned to my LAN interface. No NAT used anywhere, everything is routed and CARP VIP is used everywhere on the LAN as the gateway to offer firewall redundancy to all servers on the LAN. So far all works perfectly.

      What I now want to do is split the Cloud servers from the rest of the servers on my LAN for security reasons. They need to retain the same /24 IP range and gateway as the current LAN. I created a VLAN, assigned a separate interface to the VLAN in pfSense and called it Cloud. All my Cloud servers will connect through this Cloud interface. I then bridged LAN and Cloud together, assuming that this would just work. It didn't. None of the cloud servers can access the internet, or even ping the LAN gateway VIP.

      So is this even possible or am I going about it completely wrong?

      Thanks in advance.

      • podilarius

        That should work, but you probably have a configuration or a firewall rule problem.

        • cr_hyland

          I have checked, double checked and triple checked the rules but no luck.

          I think what may be happening is this:
          I have LAN on firewall 1 and LAN on firewall 2 plugged in to the LAN switch.
          Then I have Cloud on firewall 1 and Cloud on firewall 2 plugged in to the LAN switch on VLAN 2, but LAN and Cloud are bridged on each firewall, creating a layer 2 loop, so the switch shuts down the ports.

          Am I on the right track here?

          • podilarius

            I see what you are saying. Yeah, that could cause somewhat of a problem. You will have to look, but I saw someone who set up STP so that one bridge was inactive on the slave FW, and when the failover happened, it would activate.
            Otherwise, a new setup of public IPs for the cloud and keep it a simple routed solution.

            • cr_hyland
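The layer 2 loop cr_hyland describes two posts up, and the "only one bridge active at a time" idea in the reply above, modelled as an added example (this is my illustration, not code from the thread, from Netgate or from pfSense). The node names FW1, FW2, LAN and VLAN2, the rule that a firewall only connects the two broadcast domains when it bridges them, and the rule that only the CARP master keeps its bridge forwarding are all assumptions of the model:

```python
"""Toy layer-2 loop check for the two-firewall bridge setup discussed above.

Constructed example: the nodes "LAN" and "VLAN2" stand for the switch's two
broadcast domains, "FW1"/"FW2" for the two pfSense boxes. A firewall's LAN
port always joins it to "LAN"; its Cloud port joins it to "VLAN2" only when
that firewall bridges LAN and Cloud, because only a bridge forwards frames
between the two ports at layer 2. Any cycle in the resulting graph is a
path on which a broadcast frame can circulate forever.
"""
from collections import defaultdict

FIREWALLS = ("FW1", "FW2")   # assumed names for the two CARP peers


def build_topology(bridging_firewalls):
    """Return an undirected adjacency map for the given set of bridging firewalls."""
    graph = defaultdict(set)

    def link(a, b):
        graph[a].add(b)
        graph[b].add(a)

    for fw in FIREWALLS:
        link(fw, "LAN")              # LAN port is always plugged into the LAN switch
        if fw in bridging_firewalls:
            link(fw, "VLAN2")        # the bridge makes the Cloud port an L2 path to VLAN2
    return graph


def find_l2_loop(graph):
    """Depth-first search; return a closed cycle (list of nodes) or None if loop-free."""
    visited = set()
    parent = {}

    def dfs(node, prev):
        visited.add(node)
        parent[node] = prev
        for nxt in sorted(graph[node]):
            if nxt == prev:          # the edge we arrived on is not a loop
                continue
            if nxt in visited:       # back edge: walk parents to close the cycle
                cycle = [node]
                cur = node
                while cur != nxt:
                    cur = parent[cur]
                    cycle.append(cur)
                cycle.append(node)
                return cycle
            found = dfs(nxt, node)
            if found:
                return found
        return None

    for start in sorted(graph):
        if start not in visited:
            cycle = dfs(start, None)
            if cycle:
                return cycle
    return None


def bridges_for_carp_state(master):
    """The reply's suggestion as a rule (assumed): only the CARP master bridges."""
    return {master}


def describe(bridging_firewalls):
    """Human-readable verdict for one scenario."""
    loop = find_l2_loop(build_topology(bridging_firewalls))
    if loop is None:
        return "loop-free"
    return "LOOP: " + " -> ".join(loop)


if __name__ == "__main__":
    print("both firewalls bridging:   ", describe(set(FIREWALLS)))
    print("only CARP master bridging: ", describe(bridges_for_carp_state("FW1")))
    print("no bridges (routed cloud): ", describe(set()))
```

Run as a script it prints the three scenarios from the thread: both firewalls bridging yields the cycle LAN, FW1, VLAN2, FW2 back to LAN (the loop the switch reacts to); a standby whose bridge is not forwarding, which is the state an STP-blocked port or a disabled bridge member would be in, leaves a loop-free tree; and the fully routed alternative with no bridges at all is trivially loop-free. The model only says whether the topology has a loop, not how to keep the standby's bridge quiet in practice, which is exactly the part the original poster reports having trouble with.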

              I investigated the STP option in the past when initially setting up a second FW with Carp but it was a disaster. I ended up having to get a second IP range and go fully routed.

              So is there any other way of me trying to achieve firewalling one IP range across two interfaces with Carp?

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.