pfSense HA setup recommendation with multiple public IP subnets
I am a new user of pfSense. I have deployed and tested it in my environment and it works well. I have used it in inline (bridge) mode with Snort. Now I am thinking of going to a full-blown pfSense setup.
Currently internal servers get public IPs directly via switches, and pfSense is only doing inspection and blocking in bridge mode.
What I want is to move all my public IPs onto pfSense and use 1:1 NAT. At the same time I do want to deploy an HA setup as well by adding another pfSense box.
I have done some initial reading. While the process seems easy with 2 different ISPs and 2 public subnets, in my case I have 5 different subnets from the same ISP. From what I have understood, in order to set it up I will need as many as 8 NICs to get it working, since each CARP IP I define has to have its own WAN interface.
Would it be possible to define multiple virtual IPs for WAN on the same WAN interface? Or what would be the best way to use the existing NICs with that many subnets?
I would ask the upstream ISP to keep one of those on the interface and route the rest of them to you on the CARP VIP address.
To them, it should be a change something like this:
! Current: every subnet sits on the ISP interface as a primary or secondary address
interface GigabitEthernet0
 ip address 184.108.40.206 255.255.255.224
 ip address 220.127.116.11 255.255.255.224 secondary
 ip address 18.104.22.168 255.255.255.224 secondary
 ip address 22.214.171.124 255.255.255.248 secondary
 ip address 126.96.36.199 255.255.255.248 secondary
! Proposed: one subnet on the interface, the rest as static routes toward the pfSense CARP VIP
interface GigabitEthernet0
 ip address 188.8.131.52 255.255.255.224
!
ip route 184.108.40.206 255.255.255.224 220.127.116.11
ip route 18.104.22.168 255.255.255.224 22.214.171.124
ip route 126.96.36.199 255.255.255.248 188.8.131.52
ip route 184.108.40.206 255.255.255.248 220.127.116.11
In that example you would make 18.104.22.168 the CARP VIP.
I used the first /27 network as the interface network just because it was first. I would ask them to use one of the /29s there instead to give you the most flexibility with the most addresses.
Thank you for the direction. I will look into it. What about gateway groups in this case? Would I still need to add those?
No. Your default gateway in that example would be 22.214.171.124.
You could even put those other subnets on inside interfaces if you wanted, or route them to inside web servers for VirtualHosts, or whatever, and not 1:1 NAT at all.
Thank you, that's very helpful. I will work with my ISP and see how it turns out. Great support as always :)
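The two answers above describe one design: a single subnet on the shared ISP/pfSense segment carrying the ISP gateway, the two node addresses and the CARP VIP, with every other subnet statically routed by the ISP to that VIP so it can be used for 1:1 NAT, on inside interfaces, or on inside hosts. The script below is an added example, not code from the thread or from the pfSense project, that works that plan through for a constructed set of five prefixes (RFC 5737 documentation ranges, in the same three /27 plus two /29 shape the thread describes, not the poster's real addresses). It checks the prefixes do not overlap, carves the four addresses a two-node CARP pair needs out of the chosen interface subnet, generates the ISP-side `ip route` lines, and compares how many addresses stay tied to the WAN segment versus how many end up routed, which is the reason the answer suggests using a /29 rather than a /27 as the interface network. The interface name `GigabitEthernet0` and the choice of which host addresses become gateway, nodes and VIP are assumptions for illustration.

```python
import ipaddress

# Constructed example prefixes (RFC 5737 documentation ranges), standing in for
# the thread's five subnets from one ISP: three /27s and two /29s.
SUBNETS = [
    "198.51.100.0/27",
    "198.51.100.32/27",
    "198.51.100.64/27",
    "203.0.113.0/29",
    "203.0.113.8/29",
]


def plan_wan(interface_subnet, all_subnets):
    """Build the HA WAN plan for one choice of interface subnet.

    The interface subnet supplies the ISP gateway, the two pfSense node
    addresses and the CARP VIP (the minimum a two-node CARP pair needs on the
    shared segment). Every other subnet is treated as routed by the ISP to the
    CARP VIP. Raises ValueError on overlapping prefixes or a subnet too small
    to hold the four required addresses.
    """
    iface = ipaddress.ip_network(interface_subnet, strict=True)
    routed = [ipaddress.ip_network(s, strict=True)
              for s in all_subnets if s != interface_subnet]
    if len(routed) != len(all_subnets) - 1:
        raise ValueError("interface subnet must be exactly one of the listed subnets")

    nets = [iface] + routed
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")

    hosts = list(iface.hosts())
    if len(hosts) < 4:
        raise ValueError(f"{iface} has only {len(hosts)} host addresses; "
                         "need ISP gateway, two nodes and a CARP VIP")
    # Assumed allocation order: first usable is the ISP gateway, then the two
    # physical node addresses, then the shared CARP VIP.
    isp_gw, node_a, node_b, carp_vip = hosts[:4]

    # What is left on the WAN segment can only ever be more WAN VIPs; routed
    # addresses can be WAN VIPs, live on inside interfaces, or sit on inside hosts.
    spare_on_wan_segment = len(hosts) - 4
    routed_addresses = sum(n.num_addresses for n in routed)

    # ISP-side config in IOS style: one interface address, one static route per
    # remaining subnet pointing at the CARP VIP (interface name is assumed).
    isp_config = [
        "interface GigabitEthernet0",
        f" ip address {isp_gw} {iface.netmask}",
        "!",
    ] + [f"ip route {n.network_address} {n.netmask} {carp_vip}" for n in routed]

    return {
        "isp_gateway": str(isp_gw),
        "node_a": str(node_a),
        "node_b": str(node_b),
        "carp_vip": str(carp_vip),
        "spare_on_wan_segment": spare_on_wan_segment,
        "routed_addresses": routed_addresses,
        "isp_config": isp_config,
    }


def compare_interface_choices(all_subnets):
    """For each candidate interface subnet, return (routed addresses,
    addresses left stranded on the WAN segment)."""
    result = {}
    for s in all_subnets:
        p = plan_wan(s, all_subnets)
        result[s] = (p["routed_addresses"], p["spare_on_wan_segment"])
    return result


if __name__ == "__main__":
    for subnet, (routed_count, spare) in compare_interface_choices(SUBNETS).items():
        print(f"interface {subnet:18} routed={routed_count:3} stranded on WAN segment={spare}")
    print()
    print("\n".join(plan_wan("203.0.113.0/29", SUBNETS)["isp_config"]))
```

With a /29 as the interface network only 2 addresses stay stranded on the WAN segment and 104 are routed; with a /27 there, 26 are stranded and only 80 are routed. The default gateway on pfSense is simply the ISP gateway address in the interface subnet, so no gateway group is involved.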