
    STP and network

General pfSense Questions
johnpoz LAYER 8 Global Moderator

Wish I could be more help with bridges on pfSense.  But software bridges should be avoided at all costs if you ask me.  While your use of it is a very valid setup when under the restrictions of having to have a public range directly attached vs routed and wanting to put a firewall in between.

So while your use of transparent is valid, I would suggest if possible migrate away from it.  If you had a small amount of space like a /29 or even /28, NAT with VIP and then 1:1 would remove your issues of having to deal with port forwards..  Doesn't remove the issue if you have software licensed to some IP… What if you lose your public space?  Do you actually own this /24 in ARIN or whatever RIR you might be in?  If so you should be able to get your own ASN and just route it yourself to wherever you want via the ISP you're using, etc.

I manage a /16 from ARIN.. So never run into these sorts of issues.  We just advertise the space we need to use wherever, and be done with it ;)  You just need to work with whatever ISP to accept and advertise out your routes, etc.

But if you just got said /24 from some DC network you're located in - they really shouldn't have any issues with routing it to you vs directly attaching it to their equipment.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

fireix

@johnpoz:

What if you lose your public space?  Do you actually own this /24 in ARIN or whatever RIR you might be in?

I don't own it, just renting it as long as I need it. If I was to change ISP, it would be a bit difficult (a lot of DNS to change..), but not impossible. Can change the IP for the license from control panels.

OK, I'll hope that my ISP comes with good news and if not, I'll just have to try and fail until it works ;)

fireix

I have two ports in my datacenter assigned with my current C-net/24-net (a Catalyst owned/administered by my ISP only). Both of the ports work, I currently only use one of them.

I have two pfSense and I am considering doing CARP on them (instead of having just a cold, turned-off one ready) and have one port to each of my firewalls.

Would I ask my ISP for a network of two IPs and then assign a WAN IP to each of the pfSense.. or do they need to route it to only one IP/device? I'm beginning to suspect that your suggestion - along with a CARP setup - requires me to introduce one additional switch/router. Then I might as well keep the cold backup to avoid introducing (more) single points of failure.

"You get a WAN interface of, say 198.51.100.32/30. Your default gateway is 198.51.100.33 and your interface is 198.51.100.34/30."

BTW: is this recommendation just because of how pfSense works with bridge or would you recommend this setup no matter what type of firewall?

johnpoz LAYER 8 Global Moderator

If you need more addresses on your WAN transit network for a CARP, then use a /29 vs /30.. Yes CARP requires 3 IPs.. So /30 wouldn't work.

fireix

Doesn't CARP communicate over a local IP only? So a dedicated cable on a port not part of LAN/WAN, just a dedicated cable with virtual 10.0.0.1/10.0.0.2 on each?

              And then one public WAN-IP for each.

fireix

My ISP says this:

"This should be possible yes - the challenge is how to be able to route the current network, if you have two firewalls at 2 different WAN addresses. Without major changes, I can only route the /24 network to one address."

johnpoz LAYER 8 Global Moderator

You could always split the /24 into 2 /25s and route 1 to each..  All comes down to how you want it.  Or if you set up CARP on your 2 firewalls then you would only be routing to 1 IP, the CARP address on your WAN side.

I would have to go back and read the thread to see if you had laid out how you have your 2 firewalls set up and different networks behind them, etc.

fireix

"Or if you setup carp on your 2 firewalls then you would only be routing to 1 IP, the CARP address on your wan side"

This is the preferred method, but I assumed it wasn't an option? If so, it is perfect!

Let's say that they assign a transport network of 5 public static IPs to me, where 80.80.80.81 is the main/assigned interface. The fw1 gets .82 and fw2 gets .83.

I create a local link between a free interface on both, with two static local IPs to maintain the CARP…  and I put .81 on the cluster.

Is it as simple as that? If so, it would be perfect, but I assume there is more to it ;)

fireix

Like the drawing attached. I'm using fake static IPs of course, but maybe it is more clear what I want to do?

The 4.4.4.0 network indicates the current /24 network I'm assigned today. I wouldn't need to change the servers from what I have today (I think).
The 8.8.8.0 network indicates the new small transport network, that will be assigned both WAN and the cluster/CARP on the WAN side.

net.png

johnpoz LAYER 8 Global Moderator

Nope, it's really that simple ;)

https://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)

I have not read through that doc in a while - so maybe it's a bit dated, maybe something has changed in newer versions.  But yeah it's pretty simple to set up the CARP..

This shows a NAT network behind - but you could put your routed network behind there too.. You set up your stack switches and some laggs - and yeah buddy, cooking with gas.. And remove all your SPOF issues.

fireix

I think it was the routed network that made me think it wasn't possible.

What would my GW be on the inside on each machine, would it be the same as the cluster IP from the transport network like 8.8.8.1 in my drawing? Or can I create an additional interface on the cluster (virtual IP or something) so that I can have the same GW as today? (4.4.4.1).

johnpoz LAYER 8 Global Moderator

Sure, just use that IP of your routed segment as your CARP on the "LAN" side of pfSense..  Before you had this:

PE (provider equipment) 4.4.4.1 ---- 4.4.4/24 ---- CE (pfsense - BRIDGE) ---- 4.4.4/24 ---- 4.4.4.X Server..

You end up with this:

PE x.x.x.1 --- transit x.x.x/29 ---- x.x.x.2,.3,.4 CE (pfsense CARP) 4.4.4.1, .2, .3 ---- 4.4.4/24 ---- 4.4.4.x Server

                            Does that help?

Derelict LAYER 8 Netgate

                              Please read this for a short explanation of the basic elements of building a CARP/HA pair: https://forum.pfsense.org/index.php?topic=136085.msg744802#msg744802

                              Chattanooga, Tennessee, USA
                              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                              Do Not Chat For Help! NO_WAN_EGRESS(TM)

fireix

1. Get the fw1 to listen on WAN for IP 8.8.8.2, fw2 to 8.8.8.3 and using my ISP-provided gateway for the new transport network.
2. Create a LACP-team to create an interface called LANTEAM (two ports - same on switch cluster), with LANTEAM IP 4.4.4.1/24.
3. Log in and set "CARP Shared Virtual IP Addresses" of type "CARP" on interface "WAN" 8.8.8.1 (the main transport IP).
4. Add another "Virtual IP Addresses" of type "CARP", this time on interface LANTEAM to 4.4.4.1 (my current and new gateway).
5. DirectConnect a TP between the fw1/fw2 on a local, private IP and set up sync under "HighAvail".

Is it like that or am I missing something important? I also need to add fw rules of course.

Derelict LAYER 8 Netgate

@fireix:

1. Get the fw1 to listen on WAN for IP 8.8.8.2, fw2 to 8.8.8.3 and using my ISP-provided gateway for the new transport network.
3. Log in and set "CARP Shared Virtual IP Addresses" of type "CARP" on interface "WAN" 8.8.8.1 (the main transport IP).

Looks good so far…

2. Create a LACP-team to create an interface called LANTEAM (two ports - same on switch cluster), with LANTEAM IP 4.4.4.1/24.

I don't know what an LACP-team is. You might mean an LACP LAG. Team is some Microsoft aberration.

If you want to LACP to the inside switches you will need to LACP from BOTH pfSense nodes (4 total ports or more). The first would be interface address 4.4.4.2/24, the second would get interface address 4.4.4.3/24.

4. Add another "Virtual IP Addresses" of type "CARP", this time on interface LANTEAM to 4.4.4.1 (my current and new gateway).

Right. Tell all your LAN clients to use the CARP VIP as the default gateway, DNS server (if so required) etc.

5. DirectConnect a TP between the fw1/fw2 on a local, private IP and set up sync under "HighAvail".

No idea what a TP is. Many people use a direct patch cable for their sync interfaces. Some use a switch on a "blank" VLAN. Both work.

Is it like that or am I missing something important? I also need to add fw rules of course.

Yes. And you need to adjust Outbound NAT so it NATs to the CARP VIP, not to the interface addresses (for networks that might require NAT, that is).

HA+LACP.png

fireix

With "direct patch cable", you mean a crossover cable? So that only one wire changes position in the other end?

The first would be interface address 4.4.4.2/24, the second would get interface address 4.4.4.3/24

Thank you for clarifying that. In my instructions I wrote 4.4.4.1 for the LAN and that would be wrong/conflict; that's only for the CARP virtual IP, since the GW needs to be present for all clients on LAN. Regarding 4 ports that must be in the LAG, I assume you mean that I haven't drawn the last LACP LAG in my drawing above (but I think I understand that concept now at least).

Yes. And you need to adjust Outbound NAT so it NATs to the CARP VIP not to the interface addresses (for networks that might require NAT, that is).

Here I need to follow up with a question, just to be sure.. I don't think I want NAT in my case, since the server already has the correct IP and port assigned to it (public static IP and the ports are what they are).

Do I need to do any NAT or port forwarding/translation with this setup? My goal is to avoid both NAT and bridge and hopefully get a fw that acts similar to a transparent GW in the sense that I only need to add the public IP and ports in the firewall rules for all incoming traffic. Most or all traffic coming from the LAN side should pass through without problems and with their own server IP as outgoing IP. Please let me know if this is not the case :)

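Added example (not code from the thread or from pfSense): it works out the address plan the thread converges on, a routed transit /29 on WAN with the existing /24 kept behind the CARP pair on LAN, rejects a /30 for the reason johnpoz gives (not enough addresses for gateway, VIP and two nodes), and flags the conflict from fireix's draft step 2, where a node interface reused the address reserved for the LAN CARP VIP. The prefixes used are constructed documentation values.

```python
import ipaddress


def plan_carp_addressing(transit_cidr, lan_cidr, lan_gateway):
    """Return a WAN/LAN address plan for a two-node pfSense CARP pair.

    Transit layout follows the thread: the provider's PE gateway is the
    first usable host, the shared CARP VIP the second, then one interface
    address per node. On the LAN side the CARP VIP is the existing gateway
    address, so the servers keep their default gateway; each node gets its
    own interface address beside it.
    """
    transit = ipaddress.ip_network(transit_cidr, strict=True)
    lan = ipaddress.ip_network(lan_cidr, strict=True)
    usable = list(transit.hosts())
    # Gateway + VIP + one address per node: four usable hosts, so a /30 fails.
    if len(usable) < 4:
        raise ValueError(
            f"{transit} has only {len(usable)} usable hosts; a CARP pair needs "
            "4 (gateway, VIP, two nodes), so use a /29 or larger")
    pe_gateway, wan_vip, wan_node1, wan_node2 = usable[:4]

    lan_vip = ipaddress.ip_address(lan_gateway)
    if lan_vip not in lan:
        raise ValueError(f"LAN gateway {lan_vip} is not inside {lan}")
    # Node interface addresses must be distinct from the shared VIP.
    lan_nodes = [h for h in lan.hosts() if h != lan_vip][:2]

    return {
        "wan": {"network": transit, "gateway": pe_gateway,
                "vip": wan_vip, "nodes": [wan_node1, wan_node2]},
        # On LAN the VIP *is* the gateway, so no separate gateway entry.
        "lan": {"network": lan, "vip": lan_vip, "nodes": lan_nodes},
    }


def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    for side in ("wan", "lan"):
        net = plan[side]["network"]
        addrs = [plan[side]["vip"], *plan[side]["nodes"]]
        if "gateway" in plan[side]:
            addrs.append(plan[side]["gateway"])
        if len(set(addrs)) != len(addrs):
            problems.append(f"{side}: VIP, node and gateway addresses must all differ")
        for addr in addrs:
            if addr not in net:
                problems.append(f"{side}: {addr} is outside {net}")
    return problems


if __name__ == "__main__":
    # Constructed inputs: 192.0.2.0/29 as transit, 203.0.113.0/24 as the routed LAN.
    plan = plan_carp_addressing("192.0.2.0/29", "203.0.113.0/24", "203.0.113.1")
    for side in ("wan", "lan"):
        s = plan[side]
        print(f"{side}: CARP VIP {s['vip']}, node1 {s['nodes'][0]}, "
              f"node2 {s['nodes'][1]}, upstream gw {s.get('gateway', s['vip'])}")
    print("problems:", check_plan(plan) or "none")
```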
fireix

                                      Let me know if this drawing is correct. The goal is to have redundancy against one failing switch and one failing pfSense fw (or one cable).

network-rev2.png

Derelict LAYER 8 Netgate

In that configuration you are trusting the ISP switch to properly propagate the CARP traffic on the WAN interfaces, which might or might not be the case.

Also, if the WAN link stays up and CARP continues to pass but there is no internet access there will be no failover. But there probably won't be any internet for the secondary either so… It is possible for a strange layer 2 issue that could cause that.

                                        I would rather have a switch under my control connected to WAN and the ISP. Preferably another stack and preferably LACP as in my diagram.

                                        Note that, if you are very careful, you can use a blank VLAN (blank meaning no layer 3 and no other ports configured on it) on the existing stack for the wan traffic. Many (including me) do not particularly like mixing inside and outside traffic on one switch but in practice it can be done safely.

johnpoz LAYER 8 Global Moderator

                                          "Many (including me) do not particularly like mixing inside and outside traffic on one switch but in practice it can be done safely."

This is very common practice in the enterprise for sure.  But under budget, space, power constraints, etc., I concur it can be done safely.. Just make sure you know what you're doing with VLANs and you're fine.

fireix

                                            @Derelict:

                                            Many (including me) do not particularly like mixing inside and outside traffic on one switch but in practice it can be done safely.

Do you mean the LAN side of the configuration, since I have public IP space instead of doing NAT?

I have a separate network behind this that is not connected to the common network at all (for IPMI, console, NAS, monitoring on a dedicated switch and port etc). The traffic on the LAN is mostly https/https and all equipment has its own firewall, so hopefully it is safe enough. It is the setup I usually see when I rent space in other data centers as well. But probably not in an office where you just have a few VPN, AP and maybe no ports incoming. If I was to do NAT for all servers and their services using port forwarding, we would be talking thousands of rules in the fw and I doubt it would handle it very well - at least it would be messy compared to gathering the same type of servers/ports in common groups like "cPanel-serverports" :) Also, the license validation done by cPanel, DirectAdmin etc. would need to match at all times, reverse.. etc. And the client would be given a private IP so that install of software works.. I see a lot of issues doing it any other way…
