HA / CARP / VIP
-
Hi!
I have pretty much gathered all the information I need to set up HA pfSense.
My ISP is ready to give me a public /29 that I am going to use on my OPT1 interface.
For the WAN part, I know I need 3 IPs from the same subnet in order to achieve HA. I just don't want to sound stupid
when I talk to the tech guy at my ISP. In order to avoid paying for two public /29s, is it possible to use a private /29 from my ISP within 172.16.0.0 for the WAN and have the public /29 routed through the private subnet? Thank you.
-
@Bronislaw said in HA / CARP / VIP:
It is possible to use a Private /29 from my ISP
I know of no ISP that would let you use private addresses on WAN in their network. Even if they use private networks (of course) in their infrastructure, customers normally never get that exposed on their end devices. Would it technically be possible? Sure, I guess. You can set up CARP with a /29 subnet of any kind, private or otherwise (or it wouldn't work on your LAN side). But getting a public /29 routed to a CARP VIP configured on WAN between you and your ISP? That would be new, but if your ISP is game, why not :)
-
Thank you for the Reply.
What would be the requirements then in order to achieve HA with 2 pfSense and this public /29 on an interface,
which would give me 6 usable IPs if I understood correctly. ISP --> public_ip ---> [my router supplied by the ISP] --- [private subnet for my 3 IPs] --- [2 x pfSense] ..... then the public /29 assigned to an interface so the 6 computers behind this interface get public IPs?
-
If you want a /29 for you to route/assign the public IPs to devices behind your HA cluster, you would:
- assume a private transit network with your ISP
- transit network: 10.20.30.248/29 (example)
- transit gateway (ISP router): 10.20.30.249
- set up your node1/node2 pfSenses with 10.20.30.251/252
- set up HA
- set up a CARP style VIP on WAN with 10.20.30.254/29
- talk to your ISP so the public IP subnet a.b.c.d/29 would be routed to 10.20.30.254
Afterwards check if a ping for a.b.c.d or a.b.c.e ... (IPs within the public /29) arrives at your master node (node1) correctly, e.g. it should show ICMP/echo requests on WAN in the firewall logs as blocked (as long as you don't allow ICMP on WAN, of course). If that works as expected, you can then either route that /29 subnet to a router/L3 switch behind your pfSense cluster or you can create a new network/VLAN on the pfSense cluster. In the latter case you only have 3 IPs left to use for devices, as you again would need 3 IPs for your pfSense cluster, so you could hand out the other 3 to devices that would need direct access and public IPs.
The other possibility is to use a private network with a bigger mask on pfSense (or further behind) and do port forwarding or 1:1 NAT for those 6 (8) addresses of the public /29 that you got.
-
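The log check JeGr describes (inbound echo requests to addresses of the routed /29 showing up as blocked on WAN of the master node), as an added example that is not part of this thread: a Python parser for pfSense filterlog lines that counts which addresses of the public /29 have already been delivered by the ISP's route and lists the ones still to be probed. The interface name igb0, the subnet 203.0.113.16/29 (standing in for a.b.c.d/29) and the log lines are constructed; the filterlog field layout is assumed from the pfSense 2.2+ log format.

```python
import ipaddress
from collections import Counter

# Constructed sample lines (not real output) in the pfSense 2.2+ filterlog CSV
# layout assumed here: rule,subrule,anchor,tracker,iface,reason,action,dir,ipver,
# tos,ecn,ttl,id,offset,flags,proto-id,proto,length,src,dst,<protocol fields>;
# for ICMP the first protocol field is the type, "request" being an echo request.
SAMPLE_LOG = """\
Mar 3 10:00:01 node1 filterlog[42]: 5,,,1000000103,igb0,match,block,in,4,0x0,,57,1,0,none,1,icmp,84,192.0.2.10,203.0.113.17,request,1024,1
Mar 3 10:00:02 node1 filterlog[42]: 5,,,1000000103,igb0,match,block,in,4,0x0,,57,2,0,none,1,icmp,84,192.0.2.10,203.0.113.18,request,1024,2
Mar 3 10:00:03 node1 filterlog[42]: 5,,,1000000103,igb0,match,block,in,4,0x0,,57,3,0,none,1,icmp,84,192.0.2.10,10.20.30.254,request,1024,3
Mar 3 10:00:04 node1 filterlog[42]: 7,,,1000000104,igb1,match,pass,in,4,0x0,,64,4,0,DF,6,tcp,60,10.0.0.5,203.0.113.18,51000,443,0,S,
Mar 3 10:00:05 node1 filterlog[42]: 5,,,1000000103,igb0,match,block,in,4,0x0,,57,5,0,none,1,icmp,84,192.0.2.10,203.0.113.99,request,1024,4
"""

WAN_IFACE = "igb0"                                    # assumed WAN NIC of node1
PUBLIC_NET = ipaddress.ip_network("203.0.113.16/29")  # stands in for a.b.c.d/29


def parse_filterlog(line):
    """Return the CSV fields after 'filterlog[pid]: ', or None for other lines."""
    _, sep, rest = line.partition("filterlog[")
    if not sep or "]: " not in rest:
        return None
    return rest.split("]: ", 1)[1].split(",")


def blocked_echo_requests(log_text, wan_iface=WAN_IFACE, public_net=PUBLIC_NET):
    """Count inbound echo requests blocked on WAN per destination inside the
    routed /29; a hit shows the ISP is delivering that address to this node."""
    hits = Counter()
    for line in log_text.splitlines():
        f = parse_filterlog(line)
        if f is None or len(f) < 21:
            continue
        iface, action, direction, proto, dst, icmp_type = f[4], f[6], f[7], f[16], f[19], f[20]
        if (iface, action, direction, proto, icmp_type) != (wan_iface, "block", "in", "icmp", "request"):
            continue
        if ipaddress.ip_address(dst) in public_net:
            hits[dst] += 1
    return hits


def untested_public_hosts(hits, public_net=PUBLIC_NET):
    """Addresses of the /29 that no probe has reached yet (still to verify)."""
    return [str(h) for h in public_net.hosts() if str(h) not in hits]


if __name__ == "__main__":
    seen = blocked_echo_requests(SAMPLE_LOG)
    print("delivered by the ISP route:", dict(seen))
    print("not yet probed:", untested_public_hosts(seen))
```

Run it against the output of clog /var/log/filter.log on the master node; the probe to the VIP itself (10.20.30.254) and the one to an address outside the /29 are deliberately ignored.
-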
Hi JeGr
Thank you for your explanation.
I've talked to my provider and they can supply me with a transit network and route a /29 through it.
Though their /29 is more expensive than renting a /24 from a provider. My concern is whether they will
be willing to announce this /24: do they have to, or can they refuse? The price they will charge for it
I will clarify tomorrow.