New setup, fighting with public IPs



  • It's probably something I'm overlooking, however I've been fighting with pfSense for quite a while now in order to try 'n get it to work properly. What I'm trying to do is the following:

              [Internet]
                  |
               [switch]
              |       |
    [pfSense 1] ---- [pfSense 2]
     pu.bl.i.c        pu.bl.i.c
              |       |
               [switch]
                  |
          [bunch of servers]
              pu.bl.i.c

    In other words: the uplinks enter the first switch, from there on out both the pfSense nodes get a public IP on their first NIC. Then they're linked together in failover configuration through NIC 2 and then they're supposed to pass on traffic to their 3rd NIC to the servers behind 'm. However the servers behind the pfSense nodes are supposed to have a public IP as well. I'm starting to wonder if this is even possible, because either I'm missing something or it's simply not possible :/

    Any help would be much appreciated! I've tried following the ancient guide that led to a transparent (bridged) firewall to no avail.


  • Rebel Alliance Developer Netgate

    That should work as long as the IPs on WAN and LAN are in different subnets.

    Make sure in this case that you also disable outbound NAT (switch to manual and then delete any resulting rules).

    You'll still need firewall rules to allow traffic in to reach the 'internal' public IPs, of course.



  • What if WAN & LAN are in the same subnet? Would it be completely impossible or just way more complicated?


  • Rebel Alliance Developer Netgate

    Way more complicated. You would have to bridge LAN to WAN in order to do that, and when you involve bridging with a CARP pair it can lead to lots of craziness if you aren't careful. It's really easy to cause a layer2 loop and melt the network down. :)

    There is info here on the CARP board, on the doc wiki, and even more (better) info in the book on dealing with CARP and bridging.



  • I bought the book but am not 100% sure about the following:

    • I set up 2 nodes, they utilize CARP in this way (fictional IPs):

    node 1:

    wan-ip: 1.1.1.2
    wan-vip (carp): 1.1.1.4
    lan-ip: 2.2.2.2
    lan-vip (carp): 2.2.2.4

    node 2:

    wan-ip: 1.1.1.3
    wan-vip (carp): 1.1.1.4
    lan-ip: 2.2.2.3
    lan-vip (carp): 2.2.2.4

    • I disabled NAT routing, so that every host behind the 2 nodes will display its own IP on the outside.

    Syncing the rules goes well. I can also set up a host behind the 2 nodes with the lan-vip (carp) as gateway and it'll be able to connect to the WAN with the correct IP. However, I can't connect to the host from the internet.

    Is this because I need to route the 2.2.2.0/24 subnet to my wan-vip (carp) 1.1.1.4? Or am I missing something? :)


  • Rebel Alliance Developer Netgate

    Are the IPs on the LAN side routed to the WAN CARP IP address? They should be, or the next hop up will have no idea how to get them back to your LAN segment. Traffic may go out and never return.
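    The two answers above boil down to a small set of checks: WAN and LAN must be different subnets (otherwise you are in bridging territory), both nodes must share the same CARP VIPs, and the upstream router must have a route for the LAN block whose next hop is the WAN CARP VIP rather than one node's own address. The script below is an added example, not part of the thread and not pfSense code; it uses the fictional addresses from the thread as constructed input and a constructed view of the provider's routing table to show why replies go out and never come back until that route exists.

```python
"""Added example (not from the thread): validate a routed public-subnet CARP pair
and show the effect of the missing upstream route on return traffic."""
import ipaddress

# Constructed sample: the fictional addressing posted in the thread.
NODES = {
    "node1": {"wan_ip": "1.1.1.2/24", "wan_vip": "1.1.1.4",
              "lan_ip": "2.2.2.2/24", "lan_vip": "2.2.2.4"},
    "node2": {"wan_ip": "1.1.1.3/24", "wan_vip": "1.1.1.4",
              "lan_ip": "2.2.2.3/24", "lan_vip": "2.2.2.4"},
}


def check_carp_pair(nodes):
    """Return a list of configuration problems; empty means the pair looks sane."""
    problems = []
    first = next(iter(nodes.values()))
    for name, n in nodes.items():
        wan = ipaddress.ip_interface(n["wan_ip"]).network
        lan = ipaddress.ip_interface(n["lan_ip"]).network
        # Routed (non-bridged) setup: WAN and LAN must be different subnets.
        if wan == lan:
            problems.append(f"{name}: WAN and LAN share {wan}; that needs a bridge")
        # Each CARP VIP must lie inside the subnet of the interface carrying it.
        if ipaddress.ip_address(n["wan_vip"]) not in wan:
            problems.append(f"{name}: WAN VIP {n['wan_vip']} is not in {wan}")
        if ipaddress.ip_address(n["lan_vip"]) not in lan:
            problems.append(f"{name}: LAN VIP {n['lan_vip']} is not in {lan}")
        # Both nodes must carry the same VIPs, or a failover changes the gateway address.
        for key in ("wan_vip", "lan_vip"):
            if n[key] != first[key]:
                problems.append(f"{name}: {key} {n[key]} differs from {first[key]}")
    # The nodes' own interface addresses must be unique across the pair.
    real = [n["wan_ip"] for n in nodes.values()] + [n["lan_ip"] for n in nodes.values()]
    if len(set(real)) != len(real):
        problems.append("duplicate interface address across the two nodes")
    return problems


def next_hop(routes, dst):
    """Longest-prefix-match lookup over a list of (prefix, next_hop) tuples."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


# Constructed view of the provider's router before the fix: the WAN block is
# directly attached and everything else follows the default route.
UPSTREAM_BEFORE = [("0.0.0.0/0", "provider-core"), ("1.1.1.0/24", "connected")]
# After the provider adds a static route for the LAN block via the WAN CARP VIP.
UPSTREAM_AFTER = UPSTREAM_BEFORE + [("2.2.2.0/24", "1.1.1.4")]


def reply_reaches_lan(routes, host, nodes):
    """True only if the upstream router hands replies for `host` to the shared WAN VIP.
    A route via one node's own WAN address would also 'work' until that node fails."""
    wan_vip = next(iter(nodes.values()))["wan_vip"]
    return next_hop(routes, host) == wan_vip


if __name__ == "__main__":
    print("config problems:", check_carp_pair(NODES) or "none")
    for label, table in (("before", UPSTREAM_BEFORE), ("after", UPSTREAM_AFTER)):
        hop = next_hop(table, "2.2.2.10")
        print(f"{label}: reply to 2.2.2.10 goes to {hop}; "
              f"reaches LAN: {reply_reaches_lan(table, '2.2.2.10', NODES)}")
```

    Before the route exists, the lookup for 2.2.2.10 falls through to the default route, so the reply heads toward the provider core instead of back to the firewall pair; after the route is added the next hop is 1.1.1.4, the WAN CARP VIP, which survives a failover. The same function also flags a route pointed at 1.1.1.2 or 1.1.1.3, which the thread's advice implicitly warns against.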



  • @jimp:

    Are the IPs on the LAN side routed to the WAN CARP IP address? They should be, or the next hop up will have no idea how to get them back to your LAN segment. Traffic may go out and never return.

    No, they're not yet. I wanted to confirm that was indeed what needed to happen. Funny thing is that I can do an ICMP ping and get a reply even though it's not routed through the WAN CARP IP yet. I'll contact our uplink provider.

