CARP or Other for 1 to 1 NAT
I am setting up a new failover pair of firewalls and will be using CARP for WAN and LAN IPs.
We will also be doing a lot of 1 to 1 NAT and I have 2 choices -
- use a /26 for the WAN side and then create additional CARP VIPs and then do 1 to 1 NAT to internal LAN IPs (this is how a previous firewall has been set up)
- use a /29 for the WAN side and then route a /26 to the CARP VIP and create Other VIPs out of the /26 subnet and then use those in the 1 to 1 NATs.
Further down the line we may need to add additional WAN subnets, but these would have to be Other VIPs then, as far as I understand it.
For the initial setup are there any specific pros/cons to either approach or any gotchas I should be aware of?
Thanks for any pointers
-
-
So, to answer my own question, the only real difference I can see in practical terms is:
- /26 for WAN side and CARP VIPs ties you into using a /26 whether you end up using the IPs or not.
If you end up not using them then you are wasting IPs and to get them back (assuming you could depending on how many had been used) you would need to change subnet mask of WAN side and upstream devices etc.
- /29 for WAN and /26 routed to the CARP VIP gives a lot more flexibility, i.e. you can reserve a /26 but actually route a /28 to the CARP VIP, and if you run out of IPs you can simply change the route entries on the upstream devices to use a different subnet mask.
You are still reserving the /26, but if it turns out the demand for IPs is not there then you can reuse it for other purposes.
In the environment I work in where public IPs are scarce this is quite useful because it means you never overcommit on IP address allocation.
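To make the routed-block approach from the reply above concrete, here is an added planning/validation script (not from the original thread or from pfSense itself). It models the layout the reply describes: a small WAN subnet holding the CARP VIP, a larger block reserved from the provider, a smaller prefix of that block actually routed to the CARP VIP, and 1:1 NAT entries whose public side is an "Other" VIP inside the routed prefix. All addresses are assumptions taken from the RFC 5737 documentation ranges, and the mappings are constructed sample data. The checks flag the mistakes that bite in practice: a public address outside what the upstream currently routes (traffic never arrives), a public address inside the WAN interface subnet (that one needs a CARP VIP with ARP, not an "Other" VIP), and duplicate public or internal addresses. `grow_route` shows the point of the reply: when you run out, only the route prefix changes; the firewall mappings are untouched.

```python
"""Plan and validate a routed block + "Other" VIP 1:1 NAT layout.

Constructed example, not part of the original post or of pfSense.
Assumed addresses (RFC 5737 documentation ranges):
  WAN interface subnet (CARP VIP lives here):  203.0.113.0/29
  CARP VIP the upstream routes the block to:   203.0.113.2
  Block reserved from the provider:            198.51.100.0/26
  Part of that block currently routed to us:   198.51.100.0/28
"""
import ipaddress
from dataclasses import dataclass

WAN_SUBNET = "203.0.113.0/29"
CARP_VIP = "203.0.113.2"
RESERVED = "198.51.100.0/26"
ROUTED = "198.51.100.0/28"


@dataclass(frozen=True)
class OneToOne:
    public: str    # "Other" VIP on the firewall, inside the routed block
    internal: str  # LAN host it maps to


# Constructed sample 1:1 NAT entries (hypothetical hosts).
MAPPINGS = [
    OneToOne("198.51.100.1", "10.0.10.21"),
    OneToOne("198.51.100.2", "10.0.10.22"),
    OneToOne("198.51.100.3", "10.0.10.23"),
]


def validate_plan(wan_subnet, carp_vip, reserved, routed, mappings):
    """Return a list of problems; an empty list means the plan is consistent."""
    wan_subnet = ipaddress.ip_network(wan_subnet)
    carp_vip = ipaddress.ip_address(carp_vip)
    reserved = ipaddress.ip_network(reserved)
    routed = ipaddress.ip_network(routed)
    problems = []
    if carp_vip not in wan_subnet:
        problems.append(f"CARP VIP {carp_vip} is not in the WAN subnet {wan_subnet}")
    if not routed.subnet_of(reserved):
        problems.append(f"routed block {routed} is not inside the reservation {reserved}")
    if routed.overlaps(wan_subnet):
        problems.append(f"routed block {routed} overlaps the WAN subnet {wan_subnet}")
    seen_public, seen_internal = set(), set()
    for m in mappings:
        pub, inner = ipaddress.ip_address(m.public), ipaddress.ip_address(m.internal)
        if pub in wan_subnet:
            # An address on the interface subnet must answer ARP, so it needs
            # a CARP (or IP Alias) VIP; an "Other" VIP there is silently broken.
            problems.append(f"{pub} is in the WAN subnet; it needs a CARP VIP, not an Other VIP")
        elif pub not in routed:
            problems.append(f"{pub} is outside the routed block {routed}; upstream will not deliver it")
        if pub in seen_public:
            problems.append(f"public address {pub} is mapped twice")
        if inner in seen_internal:
            problems.append(f"internal address {inner} is mapped twice")
        seen_public.add(pub)
        seen_internal.add(inner)
    return problems


def free_addresses(routed, mappings):
    """Addresses in the routed block not yet used by a 1:1 mapping.

    A routed block is not an interface subnet, so there is no network or
    broadcast address to lose: every address in it is usable.
    """
    routed = ipaddress.ip_network(routed)
    used = {ipaddress.ip_address(m.public) for m in mappings}
    return [a for a in routed if a not in used]


def grow_route(reserved, routed, needed):
    """Smallest prefix inside `reserved` that contains `routed` and has at
    least `needed` addresses. Only the upstream route entry changes; the
    firewall's mappings stay as they are."""
    reserved = ipaddress.ip_network(reserved)
    routed = ipaddress.ip_network(routed)
    if not routed.subnet_of(reserved):
        raise ValueError(f"{routed} is not inside {reserved}")
    for prefixlen in range(routed.prefixlen, reserved.prefixlen - 1, -1):
        candidate = routed.supernet(new_prefix=prefixlen)
        if candidate.num_addresses >= needed:
            return candidate
    raise ValueError(f"reservation {reserved} cannot provide {needed} addresses")


def pf_binat_rules(wan_if, mappings):
    """Render each mapping in plain pf 'binat' syntax (illustrative of what a
    1:1 NAT entry becomes; the firewall's own generated ruleset differs)."""
    return [f"binat on {wan_if} from {m.internal} to any -> {m.public}" for m in mappings]


if __name__ == "__main__":
    for p in validate_plan(WAN_SUBNET, CARP_VIP, RESERVED, ROUTED, MAPPINGS):
        print("PROBLEM:", p)
    print(len(free_addresses(ROUTED, MAPPINGS)), "addresses still free in", ROUTED)
    print("route to advertise upstream for 20 hosts:", grow_route(RESERVED, ROUTED, 20))
    print("\n".join(pf_binat_rules("vtnet0", MAPPINGS)))
```

Run it as-is for the sample plan; to check a real one, replace the four constants and the `MAPPINGS` list. Any line printed with `PROBLEM:` is a mapping that will not work in the routed layout, most often because the public address was taken from the part of the reservation that has not been routed yet.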