NAT with CARP



  • Hi

    my config now:
                                                                                                                       |
                                                                                                                       | DMZ
                                                                                                             _____ 0
                                       NAT               192.168.250.0/24                       |         |                        172.16.52.0/21
    www–--------------------|Cisco3620|---------------------o-------------------C-----|fw1|----------------------------o---------
                      fix pub IP              .250                           |           .2           |                .55.248                       |
                                                                                  |                         |____                                           |
                                                                                  |                                  |                                         |
                                                                                  L--------------------------|fw2|--------------------------
                                                                                                                .3        .55.249
                                                                                        Virtual IP(CARP)  .1        .55.250

    No, I'm not a painter :-)

    I just would like to switch the NAT service from the Cisco router to the PFs, let the Cisco run as an ADSL bridge and let the PFs do PPPoE, so that I can map some ports into the DMZ.

    Is there a chance to do that with just 1 public IP? I see no way, because FW1, FW2 and the VIPs would all have to be public in this case.

    Is there another way to map some ports into the DMZ?



  • I have to admit that I don't completely understand your ASCII artwork, but depending on how your public IPs are set up you can do this with simple routing. Let the pfSense do the PPPoE dial-in with the Cisco in bridge mode. Then give your pfSense DMZ interface one of your public IPs and the other public IPs to your DMZ hosts with the pfSense public IP as gateway (this will only work if the WAN IP you get assigned is different from your other public subnet).



  • Hi HOBA

    That's the problem: I only have 1 public IP address, and 2 PFs as a CARP cluster.
    Or can I set my one IP as a virtual IP (WAN CARP)?



  • I'm starting to understand what you are trying to do. CARP won't work with PPPoE connections so it's not possible.



  • OK, then this plan will not work...

    Then I leave NAT and PPPoE on the Cisco....

    Can I use "double NAT", on the Cisco and on the PFs?

    Then I can map ports through 2 NAT routers.



  • Yeah, the easiest thing probably is to set the CARP VIP of your pfSense cluster as DMZ in the cisco and just double NAT the connections. Then you can control everything at the pfSense.
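
    For readers wanting to see what the pfSense half of that double-NAT setup looks like in pf terms, here is an added example ruleset (not from this thread or from pfSense's generated config): the Cisco keeps PPPoE and NAT and forwards the whole public IP to the CARP VIP 192.168.250.1, and the cluster maps individual ports into the DMZ. Interface names, the pfsync link and the DMZ web server address 172.16.52.10 are assumptions.

    ```pf
    # pfSense side of the double NAT. Assumed names/addresses are marked; the
    # VIPs and subnets come from the diagram in the thread.
    wan_if  = "em0"              # assumed; 192.168.250.0/24 towards the Cisco
    dmz_if  = "em1"              # assumed; 172.16.52.0/21, the DMZ
    sync_if = "em2"              # assumed; dedicated pfsync link between fw1 and fw2
    wan_vip = "192.168.250.1"    # CARP VIP on the WAN side, the Cisco's "DMZ host"
    dmz_vip = "172.16.55.250"    # CARP VIP on the DMZ side, gateway for DMZ hosts
    dmz_net = "172.16.52.0/21"
    dmz_web = "172.16.52.10"     # hypothetical DMZ web server

    set skip on lo0

    # Outbound: DMZ traffic leaves via the shared VIP, so the Cisco only ever
    # sees one inside address no matter which node is currently master.
    nat on $wan_if from $dmz_net to any -> $wan_vip

    # Inbound port mapping: the Cisco already hands the entire public IP to
    # $wan_vip; only the ports listed here are redirected into the DMZ.
    rdr on $wan_if proto tcp from any to $wan_vip port 443 -> $dmz_web port 443

    # Default deny; everything below is an explicit exception.
    block log all

    # CARP needs to pass on both shared segments so fw1/fw2 can elect a master,
    # and pfsync on the sync link so the state table survives a failover.
    pass quick on { $wan_if $dmz_if } proto carp keep state
    pass quick on $sync_if proto pfsync

    # rdr rewrites the destination before filtering, so the pass rule must
    # match the translated DMZ address, not the VIP.
    pass in on $wan_if proto tcp from any to $dmz_web port 443 flags S/SA keep state
    pass out on $dmz_if proto tcp from any to $dmz_web port 443 keep state

    # DMZ hosts may initiate outbound connections; unsolicited inbound traffic
    # other than the rdr above is dropped by the block rule.
    pass in on $dmz_if from $dmz_net to any keep state
    pass out on $wan_if keep state
    ```

    In pfSense the same result is reached through the GUI (Virtual IPs, Outbound NAT, Port Forward), which generates the equivalent rules; the listing just makes the translation order visible.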



  • Great !! THX 4 help

    will continue on the German forum ;-)

    cheers

