Moving from Filtered bridge to Routed setup
-
Alright, I'm trying to implement CARP in our datacenter, but apparently filtered bridges don't play well with CARP, so I've got to figure out how to get our current setup into a routed mode.
We currently have an ethernet drop that comes into our datacenter, and we have a Class C of addresses for it. Current setup looks like this:
Enet Drop->ethernet switch->Pfsense->ethernet switch->servers
We need our servers to continue to have public static IPs, and we're currently bridging the WAN w/ OPT1 as a filtered bridge to achieve that.
What's the easiest way to migrate this to a routed setup so that we can start implementing CARP?
Our current configuration looks like this:
<pfsense>
  <version>2.3</version>
  <system>
    <hostname>munged</hostname>
    <domain>munged</domain>
    <username>munged</username>
    <password>munged</password>
    <timezone>America/Chicago</timezone>
    <time-update-interval>300</time-update-interval>
    <timeservers>pool.ntp.org</timeservers>
    <webgui>
      <protocol>http</protocol>
      <port/>
      <certificate/>
      <private-key/>
    </webgui>
    <optimization>aggressive</optimization>
    <maximumstates>100000</maximumstates>
    <dnsserver>216.51.232.114</dnsserver>
    <dnsserver>167.142.225.5</dnsserver>
  </system>
  <interfaces>
    <lan>
      <if>rl0</if>
      <ipaddr>10.0.0.253</ipaddr>
      <subnet>24</subnet>
    </lan>
    <wan>
      <if>fxp1</if>
      <mtu/>
      <blockpriv/>
      <spoofmac/>
      <ipaddr>216.51.232.253</ipaddr>
      <subnet>24</subnet>
      <gateway/>
    </wan>
    <opt1>
      <if>fxp0</if>
      <descr>OPT1</descr>
      <ipaddr/>
      <subnet>31</subnet>
      <bridge>wan</bridge>
      <enable/>
    </opt1>
  </interfaces>
  <staticroutes/>
  <pppoe/>
  <pptp/>
  <bigpond/>
  <dyndns>
    <type>dyndns</type>
    <username/>
    <password/>
  </dyndns>
  <dhcpd>
    <lan>
      <range>
        <from>10.0.0.0</from>
        <to>10.0.0.250</to>
      </range>
      <defaultleasetime/>
      <maxleasetime/>
    </lan>
  </dhcpd>
  <pptpd>
    <mode/>
    <redir/>
    <localip/>
  </pptpd>
  <dnsmasq/>
  <snmpd>
    <syslocation>munged</syslocation>
    <syscontact>munged</syscontact>
    <rocommunity>munged</rocommunity>
    <enable/>
    <modules>
      <mibii/>
      <netgraph/>
    </modules>
    <pollport>161</pollport>
    <trapserver/>
    <trapserverport/>
    <trapstring/>
  </snmpd>
  <diag>
    <ipv6nat/>
  </diag>
  <syslog>
    <nentries>50</nentries>
    <remoteserver>216.51.232.100</remoteserver>
  </syslog>
  <nat>
    <advancedoutbound/>
  </nat>
  <filter>
    <rule>
      <type>block</type><interface>wan</interface><protocol>tcp</protocol>
      <source><address>67.15.184.0/24</address></source>
      <destination><any/></destination>
      <log/>
      <descr>Blocking spider attacks against launching all sites</descr>
    </rule>
    <rule>
      <type>block</type><interface>wan</interface><protocol>tcp/udp</protocol>
      <source><any/></source>
      <destination><address>216.51.232.93</address><port>1433-1434</port></destination>
      <descr>MSSQL Block for Backup server</descr>
    </rule>
    <rule>
      <type>block</type><interface>wan</interface>
      <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype><os/>
      <protocol>tcp</protocol>
      <source><address>216.151.111.251</address></source>
      <destination><any/><port>1433</port></destination>
      <descr>wierd computer trying to access MSSQL</descr>
    </rule>
    <rule>
      <type>block</type><interface>wan</interface>
      <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype><os/>
      <protocol>tcp</protocol>
      <source><address>216.132.111.231</address></source>
      <destination><any/><port>1433</port></destination>
      <descr>wierd computer trying to access MSSQL</descr>
    </rule>
    <rule>
      <type>block</type><interface>wan</interface>
      <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype><os/>
      <protocol>tcp</protocol>
      <source><address>209.101.190.21</address></source>
      <destination><any/></destination>
      <descr>wierd computer trying to access MSSQL (2)</descr>
    </rule>
    <rule>
      <type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <source><any/></source>
      <destination><address>216.51.232.1/24</address><port>80</port></destination>
      <descr>HTTP passthrough</descr>
    </rule>
    <rule>
      <type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <source><any/></source>
      <destination><address>216.51.232.1/24</address><port>25</port></destination>
      <descr>SMTP</descr>
    </rule>
    <rule>
      <type>pass</type><interface>wan</interface><protocol>icmp</protocol>
      <source><any/></source>
      <destination><address>216.51.232.1/24</address></destination>
      <descr>ICMP</descr>
    </rule>
    <rule>
      <type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <source><any/></source>
      <destination><address>216.51.232.1/24</address><port>5631</port></destination>
      <descr>PCAnyWhere</descr>
    </rule>
    <rule>
      <type>pass</type><interface>wan</interface><protocol>udp</protocol>
      <source><any/></source>
      <destination><address>216.51.232.1/24</address><port>5632</port></destination>
      <descr>PCAnyWhere</descr>
    </rule>
    <rule>
      <type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <source><any/></source>
      <destination><address>216.51.232.1/24</address><port>110</port></destination>
      <descr>POP3</descr>
    </rule>
    <rule>
      <type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <source><any/></source>
      <destination><address>216.51.232.1/24</address><port>443</port></destination>
      <descr>HTTPS</descr>
    </rule>
    <rule>
      <type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <source><any/></source>
      <destination><address>216.51.232.1/24</address><port>21</port></destination>
      <descr>FTP</descr>
    </rule>
    <rule>
      <type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <source><any/></source>
      <destination><address>216.51.232.1/24</address><port>2000-2010</port></destination>
      <descr>FTP Passive Mode</descr>
    </rule>
    <rule>
      <type>pass</type><interface>wan</interface><protocol>tcp/udp</protocol>
      <source><any/></source>
      <destination><address>216.51.232.1/24</address><port>53</port></destination>
      <descr>DNS</descr>
    </rule>
    <rule>
      <type>pass</type><interface>wan</interface><protocol>tcp/udp</protocol>
      <source><any/></source>
      <destination><address>216.51.232.1/24</address><port>1433-1434</port></destination>
      <descr>MSSQL</descr>
    </rule>
    <rule>
      <type>pass</type><interface>wan</interface><protocol>tcp/udp</protocol>
      <source><any/></source>
      <destination><address>216.51.232.1/24</address><port>3306</port></destination>
      <descr>MySQL</descr>
    </rule>
    <rule>
      <type>pass</type><interface>wan</interface>
      <source><address>216.51.232.114</address></source>
      <destination><address>216.51.232.1/24</address></destination>
      <descr>WS114 allow</descr>
    </rule>
    <rule>
      <type>pass</type><interface>wan</interface><protocol>tcp/udp</protocol>
      <source><any/></source>
      <destination><address>216.51.232.252</address><port>6277</port></destination>
      <descr>DCC filter</descr>
    </rule>
    <rule>
      <type>pass</type><interface>wan</interface><protocol>tcp/udp</protocol>
      <source><any/></source>
      <destination><address>216.51.232.1</address><port>8090</port></destination>
      <descr>WhatsUpGold</descr>
    </rule>
    <rule>
      <type>pass</type><interface>wan</interface><protocol>tcp/udp</protocol>
      <source><address>216.51.206.209</address></source>
      <destination><address>216.51.232.1/24</address><port>22</port></destination>
      <descr>ssh passthrough for flash's home connection</descr>
    </rule>
    <rule>
      <type>pass</type><interface>wan</interface><protocol>tcp/udp</protocol>
      <source><address>216.51.206.209</address></source>
      <destination><address>216.51.232.1/24</address></destination>
      <descr>total passthrough for flash's home connection</descr>
    </rule>
    <rule>
      <type>pass</type><interface>wan</interface><protocol>tcp/udp</protocol>
      <source><address>12.206.23.57</address></source>
      <destination><address>216.51.232.1/24</address><port>22</port></destination>
      <descr>ssh passthrough for Shiloh's home connection</descr>
    </rule>
    <rule>
      <type>pass</type><interface>wan</interface>
      <source><address>216.51.206.213</address></source>
      <destination><address>216.51.232.1/24</address></destination>
      <descr>passthrough for flash's home connection</descr>
    </rule>
    <rule>
      <type>block</type><interface>wan</interface>
      <source><any/></source>
      <destination><address>216.51.232.49</address></destination>
      <descr>Block rule for Ethernet Switches</descr>
    </rule>
    <rule>
      <type>block</type><interface>wan</interface>
      <source><any/></source>
      <destination><address>216.51.232.48</address></destination>
      <descr>Block rule for Ethernet Switches</descr>
    </rule>
    <rule>
      <type>pass</type><interface>wan</interface>
      <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype><os/>
      <protocol>tcp/udp</protocol>
      <source><address>216.51.232.5</address></source>
      <destination><any/></destination>
      <descr>SNMP allow</descr>
    </rule>
    <rule>
      <type>pass</type><interface>wan</interface>
      <max-src-nodes/><max-src-states/><statetimeout/><statetype>keep state</statetype><os/>
      <protocol>tcp</protocol>
      <source><address>216.51.209.208/30</address></source>
      <destination><any/></destination>
      <descr>flash allow</descr>
    </rule>
    <rule>
      <type>pass</type><interface>opt1</interface><protocol>tcp/udp</protocol>
      <source><any/></source>
      <destination><any/></destination>
      <descr>server-side outbound</descr>
    </rule>
    <rule>
      <type>pass</type><interface>opt1</interface><protocol>icmp</protocol>
      <source><any/></source>
      <destination><any/></destination>
      <descr>server-side outbound ICMP</descr>
    </rule>
    <rule>
      <type>pass</type><interface>lan</interface>
      <source><any/></source>
      <destination><any/></destination>
      <descr>Default LAN -> any</descr>
    </rule>
  </filter>
  <ipsec/>
  <aliases/>
  <proxyarp/>
  <wol/>
  <lastchange>1153352733</lastchange>
  <revision>
    <description>/firewall_rules_edit.php made unknown change</description>
    <time>1156351654</time>
  </revision>
  <theme>metallic</theme>
</pfsense>
-
http://forum.pfsense.org/index.php/topic,1903.new.html#new
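Before taking a filtered bridge apart, the thing a practitioner wants is an inventory: which interface is bridged to which, how many rules hang off each interface, and which WAN pass rules admit traffic from anywhere into the server subnet, since those are the filters that have to be re-homed onto the routed interface rather than left on the bridge. The script below is an added example, not code from the forum post or from the pfSense project. It parses a config.xml in the element layout the poster's configuration uses (`<interfaces>/<opt1>/<bridge>`, `<filter>/<rule>`, `<source><any/></source>`); the embedded sample config is constructed and only echoes a few of the poster's rules and addresses.

```python
"""Inventory a pfSense-style config.xml ahead of a bridge-to-routed migration.

Added example, not the forum poster's or the pfSense project's code. The
SAMPLE_CONFIG below is constructed to mirror the shape of the posted config.
"""
import json
import xml.etree.ElementTree as ET
from collections import defaultdict

SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <lan><if>rl0</if><ipaddr>10.0.0.253</ipaddr><subnet>24</subnet></lan>
    <wan><if>fxp1</if><ipaddr>216.51.232.253</ipaddr><subnet>24</subnet></wan>
    <opt1><if>fxp0</if><descr>OPT1</descr><bridge>wan</bridge><enable/></opt1>
  </interfaces>
  <filter>
    <rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <source><any/></source>
      <destination><address>216.51.232.1/24</address><port>80</port></destination>
      <descr>HTTP passthrough</descr></rule>
    <rule><type>block</type><interface>wan</interface><protocol>tcp/udp</protocol>
      <source><any/></source>
      <destination><address>216.51.232.93</address><port>1433-1434</port></destination>
      <descr>MSSQL Block for Backup server</descr></rule>
    <rule><type>pass</type><interface>wan</interface>
      <source><address>216.51.232.114</address></source>
      <destination><address>216.51.232.1/24</address></destination>
      <descr>WS114 allow</descr></rule>
    <rule><type>pass</type><interface>opt1</interface><protocol>tcp/udp</protocol>
      <source><any/></source><destination><any/></destination>
      <descr>server-side outbound</descr></rule>
  </filter>
</pfsense>"""


def endpoint(el):
    """Render a <source>/<destination> element as 'any' or 'addr[:port]'."""
    if el is None or el.find("any") is not None:
        return "any"
    addr = el.findtext("address", "any")
    port = el.findtext("port")
    return f"{addr}:{port}" if port else addr


def bridged_interfaces(root):
    """Map interface name -> the interface it is bridged to (bridged ones only)."""
    out = {}
    for iface in root.find("interfaces"):
        bridge_to = iface.findtext("bridge")
        if bridge_to:
            out[iface.tag] = bridge_to
    return out


def rule_inventory(root):
    """Group <filter> rules by interface with a compact summary of each."""
    inv = defaultdict(list)
    for rule in root.find("filter").findall("rule"):
        inv[rule.findtext("interface")].append({
            "action": rule.findtext("type"),
            "proto": rule.findtext("protocol", "any"),  # no <protocol> = all
            "src": endpoint(rule.find("source")),
            "dst": endpoint(rule.find("destination")),
            "descr": rule.findtext("descr", ""),
        })
    return dict(inv)


def migration_review(xml_text):
    """Summarise what the bridge removal touches: the bridge pairs, the rule
    count per interface, and the pass rules on the bridge's upstream side that
    accept traffic from 'any' (the filters that must move to the routed side)."""
    root = ET.fromstring(xml_text)
    bridges = bridged_interfaces(root)
    inv = rule_inventory(root)
    open_pass = []
    for upstream in bridges.values():
        for r in inv.get(upstream, []):
            if r["action"] == "pass" and r["src"] == "any":
                open_pass.append(r["descr"])
    return {
        "bridges": bridges,
        "rules_per_interface": {k: len(v) for k, v in inv.items()},
        "open_pass_rules": open_pass,
    }


if __name__ == "__main__":
    print(json.dumps(migration_review(SAMPLE_CONFIG), indent=2))
```

Run against the constructed sample it reports `opt1` bridged to `wan`, three rules on `wan` and one on `opt1`, and flags only "HTTP passthrough" as an any-source pass rule; pointed at a real backup of config.xml it gives the same inventory for the full rule set, which is the list to walk through when deciding what becomes an OPT1 rule in the routed design.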
-
Moving into IRC land, thanks for all the help :)