Newbie Q: PPPoE Managed by Router 1st, then pfSense



  • Here is my current home setup:

    ADSL Modem –> OpenBSD Firewall (PPPoE client to request Public IP; NAT, DHCP, pf) --> network hub --> wireless hub --> Home PCs

    I would like a redundant firewall environment (i.e. 2 PCs to handle the firewall duties). I have two spare PCs, with sufficient CPU, memory, disks & NICs (3 each). My goal is to build the following, but I have concerns about the pfSense documentation mentioning that CARP only works on static public IP addresses; this implies that static private IP addresses will not work with CARP? As much as I'd like this to work, I don't want to go down this road if I can find out that it cannot function the way I want it to.

    ADSL Modem
    |
    |
    v
    Wireless Hub    (PPPoE client to request Public IP)
    |                                    |
    |–> FW1 (pfSense 1, NAT, DHCP, pf)  |--> FW2 (pfSense 2, NAT, DHCP, pf)
            |                                                  |
            |                                                  |
            v                                                  v
            (          network hub                            )
                              |
                              v
                          Home PCs



  • CARP works with private addresses too. Did you see my 'solution' at the bottom of this thread:

    http://forum.pfsense.org/index.php/topic,15393.msg81475.html#msg81475

    I had to run the modem as a 'router' and have the PPPOE endpoint there. You won't be able to run it as a modem and have PPPOE running at the same time on each firewall. Well, that is not quite true... my first attempt was exactly that, PPPOE running on each firewall, and it worked in so far as each PPPOE session could establish the link to the ISP, but traffic would only flow over the link that was 'first' to connect. I remember in the 'early days' of xDSL that people were successfully running multiple PPPOE sessions. Obviously, some ISPs don't want users to do that now.

    Here is an ifconfig on my primary firewall:

    em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:50:56:be:25:a5
        inet 10.18.200.1 netmask 0xffffff00 broadcast 10.18.200.255
        inet6 fe80::250:56ff:febe:25a5%em0 prefixlen 64 scopeid 0x1
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
    em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:50:56:be:11:dc
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::250:56ff:febe:11dc%em1 prefixlen 64 scopeid 0x2
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
    em2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:50:56:be:5a:54
        inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
        inet6 fe80::250:56ff:febe:5a54%em2 prefixlen 64 scopeid 0x3
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
    em3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:50:56:be:2c:78
        inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
        inet6 fe80::250:56ff:febe:2c78%em3 prefixlen 64 scopeid 0x4
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
    plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
    enc0: flags=0<> metric 0 mtu 1536
    pflog0: flags=100<PROMISC> metric 0 mtu 33204
    pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
        pfsync: syncdev: em3 syncpeer: 224.0.0.240 maxupd: 128
    carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 10.18.200.99 netmask 0xffffff00
        carp: MASTER vhid 1 advbase 1 advskew 0
    carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 192.168.2.99 netmask 0xffffff00
        carp: MASTER vhid 2 advbase 1 advskew 0
    carp2: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 192.168.1.99 netmask 0xffffff00
        carp: MASTER vhid 3 advbase 1 advskew 0

    Secondary:

    em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:50:56:be:74:e5
        inet 10.18.200.2 netmask 0xffffff00 broadcast 10.18.200.255
        inet6 fe80::250:56ff:febe:74e5%em0 prefixlen 64 scopeid 0x1
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
    em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:50:56:be:26:94
        inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::250:56ff:febe:2694%em1 prefixlen 64 scopeid 0x2
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
    em2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:50:56:be:3d:87
        inet 192.168.2.2 netmask 0xffffff00 broadcast 192.168.2.255
        inet6 fe80::250:56ff:febe:3d87%em2 prefixlen 64 scopeid 0x3
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
    em3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:50:56:be:50:e3
        inet 10.10.10.2 netmask 0xffffff00 broadcast 10.10.10.255
        inet6 fe80::250:56ff:febe:50e3%em3 prefixlen 64 scopeid 0x4
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
    plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
    enc0: flags=0<> metric 0 mtu 1536
    pflog0: flags=100<PROMISC> metric 0 mtu 33204
    pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
        pfsync: syncdev: lo0 syncpeer: 224.0.0.240 maxupd: 128
    carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 10.18.200.99 netmask 0xffffff00
        carp: BACKUP vhid 1 advbase 1 advskew 100
    carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 192.168.2.99 netmask 0xffffff00
        carp: BACKUP vhid 2 advbase 1 advskew 100
    carp2: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 192.168.1.99 netmask 0xffffff00
        carp: BACKUP vhid 3 advbase 1 advskew 100

    Notice the IP addresses are all private.
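A consistency check over the two ifconfig dumps above, written here as an added example (not the poster's code and nothing from pfSense itself): it parses the carp and pfsync lines of both nodes, confirms every vhid carries the same private VIP on both with exactly one MASTER and a higher advskew on the BACKUP, and flags a pfsync syncdev of lo0, which is what the secondary's dump shows and which means its state table is never exchanged with the primary. The sample input is a trimmed copy of the thread's output; the regular expressions assume the FreeBSD ifconfig layout seen there.

```python
"""Consistency check for a two-node CARP/pfsync pair, driven by ifconfig output."""
import re

# Trimmed excerpt of the primary's ifconfig dump from the thread (carp/pfsync lines only).
PRIMARY = """\
pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
    pfsync: syncdev: em3 syncpeer: 224.0.0.240 maxupd: 128
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
    inet 10.18.200.99 netmask 0xffffff00
    carp: MASTER vhid 1 advbase 1 advskew 0
carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
    inet 192.168.2.99 netmask 0xffffff00
    carp: MASTER vhid 2 advbase 1 advskew 0
"""
# The secondary in the thread differs only in syncdev (lo0), state (BACKUP) and advskew (100).
SECONDARY = PRIMARY.replace("em3", "lo0").replace("MASTER", "BACKUP").replace("advskew 0", "advskew 100")

IFACE_RE = re.compile(r"^(\S+): flags=")
SYNC_RE = re.compile(r"pfsync: syncdev: (\S+)")
INET_RE = re.compile(r"inet (\d+(?:\.\d+){3}) netmask (\S+)")
CARP_RE = re.compile(r"carp: (MASTER|BACKUP|INIT) vhid (\d+) advbase \d+ advskew (\d+)")

def parse_ifconfig(text):
    """Return {'syncdev': str|None, 'carp': {vhid: {'ip', 'state', 'advskew'}}}."""
    node, cur, inet = {"syncdev": None, "carp": {}}, None, {}
    for line in text.splitlines():
        if m := IFACE_RE.match(line):
            cur = m.group(1)                       # interface whose sub-lines follow
        elif m := SYNC_RE.search(line):
            node["syncdev"] = m.group(1)
        elif m := INET_RE.search(line):
            inet[cur] = f"{m.group(1)}/{m.group(2)}"  # the inet line precedes the carp line
        elif m := CARP_RE.search(line):
            state, vhid, skew = m.groups()
            node["carp"][int(vhid)] = {"ip": inet.get(cur), "state": state, "advskew": int(skew)}
    return node

def audit(primary_text, secondary_text):
    """List inconsistencies between the two nodes; an empty list means the pair looks sane."""
    nodes = {"primary": parse_ifconfig(primary_text), "secondary": parse_ifconfig(secondary_text)}
    problems = []
    for name, node in nodes.items():
        dev = node["syncdev"]
        if dev is None or dev.startswith("lo"):    # pfsync on loopback never reaches the peer
            problems.append(f"{name}: pfsync syncdev is {dev}, states will not sync to the peer")
    p_carp, s_carp = nodes["primary"]["carp"], nodes["secondary"]["carp"]
    for vhid in sorted(p_carp.keys() | s_carp.keys()):
        p, s = p_carp.get(vhid), s_carp.get(vhid)
        if p is None or s is None:
            problems.append(f"vhid {vhid}: configured on only one node")
            continue
        if p["ip"] != s["ip"]:
            problems.append(f"vhid {vhid}: VIP mismatch {p['ip']} vs {s['ip']}")
        masters = [n for n in (p, s) if n["state"] == "MASTER"]
        if len(masters) != 1:                      # 0 = nobody answers, 2 = split brain
            problems.append(f"vhid {vhid}: {len(masters)} MASTER(s), expected exactly one")
        else:
            master, backup = masters[0], (s if masters[0] is p else p)
            if backup["advskew"] <= master["advskew"]:
                problems.append(f"vhid {vhid}: backup advskew must be higher than the master's")
    return problems
```

Run against the thread's dumps it reports only the secondary's lo0 syncdev; pointing the secondary at em3 as well makes the report empty.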

