Moving from Filtered bridge to Routed setup



  • Alright, I'm trying to implement CARP in our datacenter, but apparently filtered bridges don't play well with CARP, so I've got to figure out how to get our current setup into a routed mode.

    We currently have an ethernet drop that comes into our datacenter, and we have a Class C of addresses for it.  Current setup looks like this:

    Enet Drop->ethernet switch->Pfsense->ethernet switch->servers

    We need our servers to continue to have public static IPs, and we're currently bridging the WAN w/ OPT1 as a filtered bridge to achieve that.

    What's the easiest way to migrate this to a routed setup so that we can start implementing CARP?

    Our current configuration looks like this:

    <pfsense>
      <version>2.3</version>
      <system>
        <hostname>munged</hostname>
        <domain>munged</domain>
        <username>munged</username>
        <password>munged</password>
        <timezone>America/Chicago</timezone>
        <time-update-interval>300</time-update-interval>
        <timeservers>pool.ntp.org</timeservers>
        <webgui>
          <protocol>http</protocol>
          <port/>
          <certificate/>
          <private-key/>
        </webgui>
        <optimization>aggressive</optimization>
        <maximumstates>100000</maximumstates>
        <dnsserver>216.51.232.114</dnsserver>
        <dnsserver>167.142.225.5</dnsserver>
      </system>
      <interfaces>
        <lan>
          <if>rl0</if>
          <ipaddr>10.0.0.253</ipaddr>
          <subnet>24</subnet>
        </lan>
        <wan>
          <if>fxp1</if>
          <mtu/>
          <blockpriv/>
          <spoofmac/>
          <ipaddr>216.51.232.253</ipaddr>
          <subnet>24</subnet>
          <gateway/>
        </wan>
        <opt1>
          <if>fxp0</if>
          <descr>OPT1</descr>
          <ipaddr/>
          <subnet>31</subnet>
          <bridge>wan</bridge>
          <enable/>
        </opt1>
      </interfaces>
      <staticroutes/>
      <pppoe/>
      <pptp/>
      <bigpond/>
      <dyndns>
        <type>dyndns</type>
        <username/>
        <password/>
      </dyndns>
      <dhcpd>
        <lan>
          <range>
            <from>10.0.0.0</from>
            <to>10.0.0.250</to>
          </range>
          <defaultleasetime/>
          <maxleasetime/>
        </lan>
      </dhcpd>
      <pptpd>
        <mode/>
        <redir/>
        <localip/>
      </pptpd>
      <dnsmasq/>
      <snmpd>
        <syslocation>munged</syslocation>
        <syscontact>munged</syscontact>
        <rocommunity>munged</rocommunity>
        <enable/>
        <modules>
          <mibii/>
          <netgraph/>
        </modules>
        <pollport>161</pollport>
        <trapserver/>
        <trapserverport/>
        <trapstring/>
      </snmpd>
      <diag>
        <ipv6nat/>
      </diag>
      <syslog>
        <nentries>50</nentries>
        <remoteserver>216.51.232.100</remoteserver>
      </syslog>
      <nat>
        <advancedoutbound/>
      </nat>
      <filter>
        <rule>
          <type>block</type>
          <interface>wan</interface>
          <protocol>tcp</protocol>
          <source><address>67.15.184.0/24</address></source>
          <destination><any/></destination>
          <log/>
          <descr>Blocking spider attacks against launching all sites</descr>
        </rule>
        <rule>
          <type>block</type>
          <interface>wan</interface>
          <protocol>tcp/udp</protocol>
          <source><any/></source>
          <destination><address>216.51.232.93</address><port>1433-1434</port></destination>
          <descr>MSSQL Block for Backup server</descr>
        </rule>
        <rule>
          <type>block</type>
          <interface>wan</interface>
          <max-src-nodes/>
          <max-src-states/>
          <statetimeout/>
          <statetype>keep state</statetype>
          <os/>
          <protocol>tcp</protocol>
          <source><address>216.151.111.251</address></source>
          <destination><any/><port>1433</port></destination>
          <descr>wierd computer trying to access MSSQL</descr>
        </rule>
        <rule>
          <type>block</type>
          <interface>wan</interface>
          <max-src-nodes/>
          <max-src-states/>
          <statetimeout/>
          <statetype>keep state</statetype>
          <os/>
          <protocol>tcp</protocol>
          <source><address>216.132.111.231</address></source>
          <destination><any/><port>1433</port></destination>
          <descr>wierd computer trying to access MSSQL</descr>
        </rule>
        <rule>
          <type>block</type>
          <interface>wan</interface>
          <max-src-nodes/>
          <max-src-states/>
          <statetimeout/>
          <statetype>keep state</statetype>
          <os/>
          <protocol>tcp</protocol>
          <source><address>209.101.190.21</address></source>
          <destination><any/></destination>
          <descr>wierd computer trying to access MSSQL (2)</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>wan</interface>
          <protocol>tcp</protocol>
          <source><any/></source>
          <destination><address>216.51.232.1/24</address><port>80</port></destination>
          <descr>HTTP passthrough</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>wan</interface>
          <protocol>tcp</protocol>
          <source><any/></source>
          <destination><address>216.51.232.1/24</address><port>25</port></destination>
          <descr>SMTP</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>wan</interface>
          <protocol>icmp</protocol>
          <source><any/></source>
          <destination><address>216.51.232.1/24</address></destination>
          <descr>ICMP</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>wan</interface>
          <protocol>tcp</protocol>
          <source><any/></source>
          <destination><address>216.51.232.1/24</address><port>5631</port></destination>
          <descr>PCAnyWhere</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>wan</interface>
          <protocol>udp</protocol>
          <source><any/></source>
          <destination><address>216.51.232.1/24</address><port>5632</port></destination>
          <descr>PCAnyWhere</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>wan</interface>
          <protocol>tcp</protocol>
          <source><any/></source>
          <destination><address>216.51.232.1/24</address><port>110</port></destination>
          <descr>POP3</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>wan</interface>
          <protocol>tcp</protocol>
          <source><any/></source>
          <destination><address>216.51.232.1/24</address><port>443</port></destination>
          <descr>HTTPS</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>wan</interface>
          <protocol>tcp</protocol>
          <source><any/></source>
          <destination><address>216.51.232.1/24</address><port>21</port></destination>
          <descr>FTP</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>wan</interface>
          <protocol>tcp</protocol>
          <source><any/></source>
          <destination><address>216.51.232.1/24</address><port>2000-2010</port></destination>
          <descr>FTP Passive Mode</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>wan</interface>
          <protocol>tcp/udp</protocol>
          <source><any/></source>
          <destination><address>216.51.232.1/24</address><port>53</port></destination>
          <descr>DNS</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>wan</interface>
          <protocol>tcp/udp</protocol>
          <source><any/></source>
          <destination><address>216.51.232.1/24</address><port>1433-1434</port></destination>
          <descr>MSSQL</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>wan</interface>
          <protocol>tcp/udp</protocol>
          <source><any/></source>
          <destination><address>216.51.232.1/24</address><port>3306</port></destination>
          <descr>MySQL</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>wan</interface>
          <source><address>216.51.232.114</address></source>
          <destination><address>216.51.232.1/24</address></destination>
          <descr>WS114 allow</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>wan</interface>
          <protocol>tcp/udp</protocol>
          <source><any/></source>
          <destination><address>216.51.232.252</address><port>6277</port></destination>
          <descr>DCC filter</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>wan</interface>
          <protocol>tcp/udp</protocol>
          <source><any/></source>
          <destination><address>216.51.232.1</address><port>8090</port></destination>
          <descr>WhatsUpGold</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>wan</interface>
          <protocol>tcp/udp</protocol>
          <source><address>216.51.206.209</address></source>
          <destination><address>216.51.232.1/24</address><port>22</port></destination>
          <descr>ssh passthrough for flash's home connection</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>wan</interface>
          <protocol>tcp/udp</protocol>
          <source><address>216.51.206.209</address></source>
          <destination><address>216.51.232.1/24</address></destination>
          <descr>total passthrough for flash's home connection</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>wan</interface>
          <protocol>tcp/udp</protocol>
          <source><address>12.206.23.57</address></source>
          <destination><address>216.51.232.1/24</address><port>22</port></destination>
          <descr>ssh passthrough for Shiloh's home connection</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>wan</interface>
          <source><address>216.51.206.213</address></source>
          <destination><address>216.51.232.1/24</address></destination>
          <descr>passthrough for flash's home connection</descr>
        </rule>
        <rule>
          <type>block</type>
          <interface>wan</interface>
          <source><any/></source>
          <destination><address>216.51.232.49</address></destination>
          <descr>Block rule for Ethernet Switches</descr>
        </rule>
        <rule>
          <type>block</type>
          <interface>wan</interface>
          <source><any/></source>
          <destination><address>216.51.232.48</address></destination>
          <descr>Block rule for Ethernet Switches</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>wan</interface>
          <max-src-nodes/>
          <max-src-states/>
          <statetimeout/>
          <statetype>keep state</statetype>
          <os/>
          <protocol>tcp/udp</protocol>
          <source><address>216.51.232.5</address></source>
          <destination><any/></destination>
          <descr>SNMP allow</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>wan</interface>
          <max-src-nodes/>
          <max-src-states/>
          <statetimeout/>
          <statetype>keep state</statetype>
          <os/>
          <protocol>tcp</protocol>
          <source><address>216.51.209.208/30</address></source>
          <destination><any/></destination>
          <descr>flash allow</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>opt1</interface>
          <protocol>tcp/udp</protocol>
          <source><any/></source>
          <destination><any/></destination>
          <descr>server-side outbound</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>opt1</interface>
          <protocol>icmp</protocol>
          <source><any/></source>
          <destination><any/></destination>
          <descr>server-side outbound ICMP</descr>
        </rule>
        <rule>
          <type>pass</type>
          <interface>lan</interface>
          <source><any/></source>
          <destination><any/></destination>
          <descr>Default LAN -> any</descr>
        </rule>
      </filter>
      <ipsec/>
      <aliases/>
      <proxyarp/>
      <wol/>
      <lastchange>1153352733</lastchange>
      <revision>
        <description>/firewall_rules_edit.php made unknown change</description>
        <time>1156351654</time>
      </revision>
      <theme>metallic</theme>
    </pfsense>
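
The thread never gets as far as the migration itself, so here is an added example of the planning step that has to happen before CARP can go in. It is not from the post or from pfSense: a Python script that reads the bridged interface section of a config.xml, splits the public /24 into a WAN transit half and a routed OPT1 half, picks the addresses a two-node CARP pair needs on each side, reports which servers would have to be renumbered, and emits the routed interface config plus proxy-ARP and CARP virtual IPs. The provider gateway (216.51.232.254), the choice of firewall addresses, and the exact `<virtualip>/<vip>` element layout are assumptions; the sample config and server list are constructed from the post.

```python
"""Plan the move from a filtered WAN<->OPT1 bridge to a routed OPT1 subnet with
CARP VIPs, working from a pfSense config.xml.  Added example; not from the post."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the interface section of the bridged config in the post,
# reduced to what the planner reads.  ASSUMPTION: the provider's gateway is
# 216.51.232.254 (the post's <gateway> element is empty).
BRIDGED_CONFIG = """<pfsense><interfaces>
  <wan><if>fxp1</if><ipaddr>216.51.232.253</ipaddr><subnet>24</subnet>
       <gateway>216.51.232.254</gateway></wan>
  <opt1><if>fxp0</if><descr>OPT1</descr><bridge>wan</bridge><enable/></opt1>
</interfaces></pfsense>"""

# Server addresses that appear as rule destinations in the post.
SERVERS = ["216.51.232.1", "216.51.232.5", "216.51.232.93",
           "216.51.232.100", "216.51.232.114", "216.51.232.252"]


def split_block(wan_ip, prefixlen, gateway):
    """Halve the public block: the half holding the provider gateway stays on
    WAN as the transit segment, the other half becomes the routed OPT1 subnet."""
    block = ipaddress.ip_network(f"{wan_ip}/{prefixlen}", strict=False)
    transit, routed = block.subnets(prefixlen_diff=1)
    if ipaddress.ip_address(gateway) not in transit:
        transit, routed = routed, transit
    return transit, routed


def firewall_addresses(transit, routed, gateway):
    """Addresses a two-node CARP pair needs: node A, node B and the shared VIP
    on each side.  WAN: the three highest hosts below the provider gateway.
    OPT1: the three lowest hosts, VIP first (it becomes the servers' gateway).
    ASSUMPTION: this allocation is a convention chosen for the example."""
    wan_hosts = [h for h in transit.hosts() if h != ipaddress.ip_address(gateway)]
    opt_hosts = list(routed.hosts())
    return {"wan_a": wan_hosts[-1], "wan_b": wan_hosts[-2], "wan_vip": wan_hosts[-3],
            "opt1_vip": opt_hosts[0], "opt1_a": opt_hosts[1], "opt1_b": opt_hosts[2]}


def conflicts(servers, routed, fw):
    """Servers that must be renumbered before cut-over: those left on the WAN
    side of the split, and those sitting on an address the firewall pair needs."""
    taken = set(fw.values())
    out = {}
    for s in servers:
        ip = ipaddress.ip_address(s)
        if ip not in routed:
            out[s] = "outside the routed OPT1 subnet"
        elif ip in taken:
            out[s] = "collides with a firewall address"
    return out


def add_vip(parent, mode, iface, addr, bits, **extra):
    """Append one <vip> entry with the given mode, interface and address."""
    vip = ET.SubElement(parent, "vip")
    for tag, val in [("mode", mode), ("interface", iface), ("subnet", str(addr)),
                     ("subnet_bits", str(bits)), *extra.items()]:
        ET.SubElement(vip, tag).text = str(val)
    return vip


def to_routed(config_xml, servers, carp_password):
    """Rewrite the bridged interface config as a routed one and add the
    proxy-ARP and CARP VIPs for node A.  Returns (new_xml, addresses, conflicts).
    ASSUMPTION: the <virtualip>/<vip> element names below follow pfSense's
    config.xml; verify against a config exported from the target version."""
    root = ET.fromstring(config_xml)
    wan, opt1 = root.find("interfaces/wan"), root.find("interfaces/opt1")
    gateway = wan.findtext("gateway")
    transit, routed = split_block(wan.findtext("ipaddr"), wan.findtext("subnet"), gateway)
    fw = firewall_addresses(transit, routed, gateway)
    # WAN keeps its address but its mask shrinks to the transit half.
    wan.find("subnet").text = str(transit.prefixlen)
    # OPT1 leaves the bridge and becomes a routed interface in the other half.
    opt1.remove(opt1.find("bridge"))
    ET.SubElement(opt1, "ipaddr").text = str(fw["opt1_a"])
    ET.SubElement(opt1, "subnet").text = str(routed.prefixlen)
    vips = ET.SubElement(root, "virtualip")
    # The provider still sees one flat /24, so WAN must answer ARP for the
    # routed half.  Drop this entry if the provider routes that half to wan_vip.
    add_vip(vips, "proxyarp", "wan", routed.network_address, routed.prefixlen,
            type="network")
    # One CARP VIP per side; VHIDs must be unique per segment, and node B
    # loads the same entries with a higher advskew.
    for vhid, (iface, key, net) in enumerate(
            [("wan", "wan_vip", transit), ("opt1", "opt1_vip", routed)], start=1):
        add_vip(vips, "carp", iface, fw[key], net.prefixlen, type="single",
                vhid=vhid, advskew=0, password=carp_password)
    return ET.tostring(root, encoding="unicode"), fw, conflicts(servers, routed, fw)


if __name__ == "__main__":
    new_xml, fw, bad = to_routed(BRIDGED_CONFIG, SERVERS, "changeme")
    print(new_xml)
    for name, addr in fw.items():
        print(f"{name:9s} {addr}")
    for host, why in bad.items():
        print(f"renumber {host}: {why}")
```

Run against the post's own addresses, the planner flags two hosts: 216.51.232.252 (the DCC filter box) lands in the WAN transit half, and 216.51.232.1 (WhatsUpGold) sits on the address chosen for the OPT1 CARP VIP, so both move before cut-over. The proxy-ARP entry is the weak point of a split like this: proxy-ARP VIPs are not failover-aware, so both CARP nodes answer for the routed half. The cleaner arrangement is to have the upstream route the OPT1 half (or the whole /24, with a separate small transit block) to the WAN CARP VIP and delete the proxyarp entry. The existing WAN rules keep working unchanged, since their destinations stay inside the /24 and pfSense applies them to routed traffic just as it did to bridged traffic.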





  • Moving into IRC land, thanks for all the help :)


Locked