3. Pfsense HA Setup recommendation with Multiple Public IP Subnets

Pfsense HA Setup recommendation with Multiple Public IP Subnets

  • H

    Hello all,

    I am new user to pfsense, I have deployed and tested it in my environment and it works well. I have used it inline(bridge) mode with Snort. Now I am thinking of going full blown pfsense setup.

    Currently internal servers get public IP directly via switches and pfsense is only doing inspection and blocking in bridge mode.

    What I want is to move all my public IPs on pfsense and use 1:1 NATTING. At the same time I do want to deploy HA setup as well by adding another pfsense box.

    I have done some initial reading, while process seems easy with 2 different ISPs and 2 public subnets but in my case I have 5 different subnets from same ISP. Now from what I have understood in order to set it up I will need as many as 8 NICs to get it working since each CARP IP I define has to have its own WAN interface.

    Would it be possible if I define Multiple Virtual IPs for WAN on same WAN interface ? or what would be best way to use existing NICs with those many subnets.

    0_1538792516548_Network Diagram.jpg

    0
  • LAYER 8 Netgate

    I would ask the upstream ISP to keep one of those on the interface and route the rest of them to you on the CARP VIP address.

    To them, it should be changing something like this:

    interface GigabitEthernet0
 ip address 1.1.1.1 255.255.255.224
 ip address 2.2.2.1 255.255.255.224 secondary
 ip address 3.3.3.1 255.255.255.224 secondary
 ip address 4.4.4.1 255.255.255.248 secondary
 ip address 5.5.5.1 255.255.255.248 secondary

    To this:

    interface GigabitEthernet0
 ip address 1.1.1.1 255.255.255.224
!
ip route 2.2.2.0 255.255.255.224 1.1.1.2
ip route 3.3.3.0 255.255.255.224 1.1.1.2
ip route 4.4.4.0 255.255.255.248 1.1.1.2
ip route 5.5.5.0 255.255.255.248 1.1.1.2

    In that example you would make 1.1.1.2 the CARP VIP.

    I used the first /27 network as the interface network just because it was first. I would ask them to use one of the /29s there instead to give you the most flexibility with the most addresses.

    0
  • H

    Thank you for the direction. I will look into it. What about Gateway groups in this case ? Would I need to add those still ?

    0
  • LAYER 8 Netgate

    No. Your default gateway in that example would be 1.1.1.1.

    You could even put those other subnets on inside interfaces if you wanted, or route them to inside web servers for VirtualHosts, or whatever, and not 1:1 NAT at all.

    0
  • H

    Thank you thats very helpful. I will work with my ISP and see how it turns out. Great support as always :)

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy