How to move web server from existing net to new pfSense net without downtime?
-
I'm new here, so I'd also like to hear advice on what I should and shouldn't do if I've made mistakes.
I'm switching ISPs:
My existing network is a class C subnet with internally hosted DNS, email, web, etc. using a simple packet-filtering Cisco router. (Network A)
My new network is a class C subnet where I will move the hosted servers behind a pfSense firewall and use NAT. (Network B)
My goal is to have little or no downtime when switching the DNS entry for my web server.
My first thought was to add an address to the web server (multi-homed) so that it would appear to exist on both networks at the same time. In this way, it would answer queries for both networks and could be used that way until DNS was updated. The problem here is that only one default route can exist on the server…
If the default route is for Network A, traffic to the server from Network B has already been NATed, so replies from the server would be from a private IP address and wouldn't be valid when/if they reached the client.
If the default route is for Network B, traffic to the server from Network A would need to be delivered without being modified (whether it's delivered using ISP A or ISP B shouldn't matter). The first problem I've encountered is that a reply from the server is a response to a packet that wasn't seen by pfSense, so it's blocked. I've tried to fix this by using a firewall rule where "State Type" is "none" (as documented in the pfSense ... Definitive Guide...), but that didn't seem to work (traffic was still blocked as shown in my firewall log).
Two specific questions I have:
Is this a reasonable way to avoid web server downtime?
Am I correct that pfSense can be configured for this scenario?
Carl
-
Here's a network map.
-
Just in case someone else wants to know, here's what I encountered and what I did to fix it.
What I wanted to do was add a private LAN address to each server so that it would appear on both networks at the same time. The problem with this (as listed above) is that only one default route exists. If the default route is Net.A.1, traffic coming from the new ISP would have already been modified by NAT, so replies from the server would be useless. If the default route is 172.17.2.1, traffic coming from the existing ISP was blocked by the firewall with a default rule.
I tried adding a firewall rule so that all traffic inbound on 172.17.2.1 with a source of Net.A would be rerouted through Net.A.1. Unfortunately, this didn't work (I think because of the same default firewall rule).
My solution was to change the server to have a default route of Net.A.254. With this, I can use the asymmetric routing techniques listed in Chapter 8 of "pfSense: The Definitive Guide". I had to add specific firewall rules with State Type: none, but the setup works. Now, the server appears on both networks and will respond to traffic from both networks until I can change DNS and confirm that all traffic has been removed from the existing ISP.
My WAN2 Firewall Rules look like this:
Allow TCP/UDP from WAN2:any to LAN:any using default gateway
… this allows traffic to flow freely for machines that have already moved to the new net.
Allow TCP/UDP from WAN2:any to any:any using gateway Net.A.1 with State Type: none
… this allows traffic responses from Net.A to be returned to the Internet basically untouched.
Note that I'm not concerned about blocking traffic between networks because (1) I already have a traffic filter on the Internet router for Net.A, and (2) I will be removing WAN2 as soon as that network is no longer needed.
When I finish with Net.A, I can remove the IP address for that net from the server. This will cause the default route to change to 172.17.2.1, and the server will continue to work properly with pfSense.
I hope this helps someone. If you have any questions or just want to comment, feel free to respond or PM me.
Carl