CARP Network Allocation Problem
-
My setup is like this:
WAN: Two /24 networks 192.168.1.0 and 192.10.50.0 (On the same cable)
LAN: A /23 network 10.10.10.0
DMZ: Bridged with WANIn order for the 192.10.50.0 to work and route packets i allocated this network using a ProxyARP on 1 out of 2 pfsenses. (And it works, as it should)
I have set CARP adresses on both LAN and WAN, and although they sync settings, and CARP is working as it should, i can only access to DMZ and WAN when 1 out of 2 pfsenses are disconnected.
Each one works individually, but not together.So, i need to resolve 2 problems in order to get a full redudant firewall.
-
How can i solve the issue with the firewalls not working together?
-
I read this https://forum.pfsense.org/index.php?topic=45209.msg240929#msg240929 but i don't understand how i am supposed to set it up, and which IP i will set as CARP, since i cannot create a CARP network
-
-
Bridging is completely incompatible with pfSense CARP/HA. If you choose to go down that path it is incumbent upon you to make sure all of the necessary spanning-tree pieces are in the right place.
WAN: Two /24 networks 192.168.1.0 and 192.10.50.0 (On the same cable)
This is also asking for trouble. Seems it has found you.
-
Unfortunately, it is necessary for me to use bridge as the IPs of the devices i have on my DMZ need to match the WAN's IP.
So, bridge and CARP are not gonna work?Yes, also the situation with 2 networks on one cable cannot change.. :-[
-
It can work, but it's on you to prevent any loops. I am not going down that rabbit hole. Design your network properly.
-
Ok, i see.
Trust me, if i could, i would design it properly.
And how could i prevent loops?
Can you give me a link or something to read about it? -
I find it humorous that you would be concentrating on HA before fixing such a broken design. If it is worth high-availability it is worth a solid design first.
You prevent layer 2 loops using spanning-tree protocol
-
It is humorous, indeed.
But still, not in my powers to change this.
You wouldn't understand.
But thank you very much for your time.
I will try to see if HA can be achived, otherwise a cloned machine will be standing by, in case of a hardware failure. -
I understand perfectly.
It is those who are making you do this who don't understand.
-
It is those who are making you do this who don't understand.
Yep.
I guess i am not the only one.
