Will this CARP setup work?
-
Hi All
I've attached a copy of a proposed network layout using PFSense and CARP.
I have a /27 network (DMZ) routed to me and a LAN Network.
I have a few questions.
1. Using only 1 switch (16-port GigE) to handle the /27 (DMZ) and /24 (LAN) segments has got me a little unsure of how pfSense will handle this. Can anyone see any foreseeable problems with this? Do you have any suggestions? Should I really be using 2 switches? This seems a little bit of a waste of resources.
2. I've got 2 GigE switches looking after the LAN subnet. Do you see any problems with the way I planned on setting this up? Should the 16-port GigE in the LAN piggyback off the 24-port GigE? I only did this because I did not have a single 48-port switch.
3. Has anyone else set up something like this already? Do you have a sample network map to share?
Thanks for looking
-
I wouldn't go this way. You usually want the DMZ to be really separated from the LAN. The way you plan to do it, they are in the same layer 2 network. If you really want to do it this way, I suggest using a VLAN-capable switch and breaking this one up into 2 VLANs that don't see each other.
On the other hand, I think this would work, but you'll get a lot of syslog and console spam about ARP and CARP errors. However, you can shut down the ARP spam at System > Advanced by checking "This will suppress ARP messages when interfaces share the same physical network".
I would go with separate switches as you have them around anyway.
-
Hi Hoba
Thanks for the feedback. I thought someone would say to separate the DMZ from the LAN.
The 16-port GigE switch does have VLAN capability, so maybe I'll try that. The DMZ was going to go on OPT1. Do I have to set up any VLAN settings on the pfSense box, or do I simply assign port numbers to a particular VLAN group on my switch?
-
The 16-port GigE switch does have VLAN capability, so maybe I'll try that. The DMZ was going to go on OPT1. Do I have to set up any VLAN settings on the pfSense box, or do I simply assign port numbers to a particular VLAN group on my switch?
Create the VLAN on the switch using the port numbers.
-
I fully agree. Do not consider running DMZ and LAN on the same switch without using VLANs. For redundancy (or failsafe) I would recommend separate switches. VLANs are also nice, but if your LAN switch fails, your DMZ services still keep running, and switches aren't the most expensive hardware out there nowadays. :)
-
Not to mention that "dumb" switches are cheaper than managed, VLAN-capable switches.