CARP VIP in DMZ with few public IP addresses
Hi,
The topic has already been addressed in 2012 and 2015, but somehow no real solution has been published.
I have two networks, a /27 and a /30. (There are no more available from the provider either; I asked.) The /30 network is for the connection to the provider cluster, the /27 network is for all services with public IP addresses. So far we have no redundant routers for the Internet connection. Now we wanted to use pfSense (we already use it in the internal networks), but CARP always requires 3 addresses. In the DMZ I would therefore have to use 6 of the 14 addresses, which we do not have free. I only have 2 addresses in the intermediate router network, so not enough addresses there either.
Some forum posts have suggested the use of private IP addresses as a solution (a shadow network). This also works to a large extent. But:
When using traceroute, the private IP address of the active master is always returned. I tried to use outbound NAT to mask the real IP with the VIP, but it always shows the real IP. Is there a way to have traceroute return the VIP? (I don't want to NAT the full DMZ network and would actually like to leave NAT out completely.) With VRRP there is also the option of using the VIP.
In some FreeBSD documentation I came across the fact that you cannot use IPs for the interfaces and can only network one VIP. Is this also possible with pfSense?
Then I also have the question of whether I need to pay attention to any special features when using the shadow network with the private IPs. And do I have to pay attention to anything if I also use IPv6 in parallel?
Many thanks for your support; this is a really helpful forum.
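A check that goes with the traceroute complaint in the post above, added here as an example and not part of the original post: after reconfiguring CARP with a private "shadow" network, run traceroute (and traceroute6) against a DMZ service from a host on the Internet and feed the output to this script. It parses the hop lines and lists every hop that exposes an address from a range that must never be visible from outside (RFC 1918, CGNAT 100.64.0.0/10, IPv6 ULA and link-local). The set of ranges in SHADOW_NETS and the sample traceroute text are my own constructed choices, not output from the poster's network; the ranges are listed explicitly instead of using ipaddress's is_private, because that property also flags the documentation prefixes (192.0.2.0/24, 203.0.113.0/24, 2001:db8::/32) used in the sample as stand-ins for the public addresses.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Ranges that must never appear in a traceroute taken from the Internet.
# Assumption: this is the list a practitioner would check for a pfSense/FreeBSD
# "shadow network" CARP setup; adjust it to what your provider actually routes.
SHADOW_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",                                   # RFC 6598 (CGNAT)
    "fc00::/7",                                        # IPv6 ULA
    "fe80::/10",                                       # IPv6 link-local
)]


@dataclass
class Hop:
    number: int
    address: Optional[str]  # None when the hop printed only "* * *"


HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")      # " 2  host (addr)  1.2 ms ..."
PAREN_RE = re.compile(r"\(([^)]+)\)")          # the "(addr)" part, if present


def parse_traceroute(text: str) -> List[Hop]:
    """Parse Linux/BSD traceroute or traceroute6 output (with or without -n)."""
    hops: List[Hop] = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header line ("traceroute to ...") or unrelated text
        number, rest = int(m.group(1)), m.group(2)
        # Prefer the address in parentheses ("host (addr)"); with -n there are
        # no parentheses, so fall back to the first token that parses as an IP.
        paren = PAREN_RE.search(rest)
        candidates = [paren.group(1)] if paren else rest.split()
        address = None
        for tok in candidates:
            try:
                address = str(ipaddress.ip_address(tok))
                break
            except ValueError:
                continue  # RTT values, "ms", "*" etc. are not addresses
        hops.append(Hop(number, address))
    return hops


def is_shadow(address: str) -> bool:
    """True if the address lies in one of the ranges that must stay hidden."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in SHADOW_NETS)


def leaking_hops(text: str) -> List[Hop]:
    """All hops in the traceroute output that reveal a shadow-network address."""
    return [h for h in parse_traceroute(text) if h.address and is_shadow(h.address)]


def path_is_clean(text: str) -> bool:
    return not leaking_hops(text)


# Constructed sample output (not captured from a real network): hop 2 is the
# CARP master answering from its private interface address instead of the VIP.
SAMPLE_V4 = """\
traceroute to 203.0.113.10 (203.0.113.10), 30 hops max, 60 byte packets
 1  gw.example.net (192.0.2.1)  0.512 ms  0.430 ms  0.401 ms
 2  10.99.0.2 (10.99.0.2)  1.201 ms  1.150 ms  1.098 ms
 3  * * *
 4  203.0.113.10 (203.0.113.10)  1.900 ms  1.850 ms  1.800 ms
"""

SAMPLE_V6 = """\
traceroute6 to 2001:db8:1::10 (2001:db8:1::10) from 2001:db8:ffff::5, 64 hops max, 16 byte packets
 1  2001:db8:ffff::1  0.4 ms  0.3 ms  0.3 ms
 2  fd00:dead:beef::2  1.1 ms  1.0 ms  1.0 ms
 3  2001:db8:1::10  1.9 ms  1.8 ms  1.8 ms
"""

if __name__ == "__main__":
    for label, sample in (("IPv4", SAMPLE_V4), ("IPv6", SAMPLE_V6)):
        leaks = leaking_hops(sample)
        status = "clean" if not leaks else "LEAK"
        print(f"{label}: {status}")
        for hop in leaks:
            print(f"  hop {hop.number} answered from shadow address {hop.address}")
```

Run it on real output with `traceroute -n <vip> | python3 check_path.py` style piping by replacing the samples with `sys.stdin.read()`; a clean result means every router on the path, including the CARP master, answered with a public address.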