Will this CARP setup work?

Off-Topic & Non-Support Discussion
Wasca:

Hi All

I've attached a copy of a proposed network layout using pfSense and CARP.

I have a /27 network (DMZ) routed to me and a LAN network.

I have a few questions.

1. Using only 1 switch (16-port GigE) to handle the /27 (DMZ) and /24 (LAN) segments has got me a little unsure of how pfSense will handle this. Can anyone see any foreseeable problems with this? Do you have any suggestions? Should I really be using 2 switches? This seems a little bit of a waste of resources.

2. I've got 2 GigE switches looking after the LAN subnet. Do you see any problems with the way I planned on setting this up? Should the 16-port GigE in the LAN piggyback off the 24-port GigE? I only did this because I did not have a single 48-port switch.

3. Has anyone else set up something like this already? Do you have a sample network map to share?

Thanks for looking


hoba:

I wouldn't go this way. You usually want the DMZ to be really separated from the LAN. The way you plan to do it, they are in the same layer 2 network. If you really want to do it this way, I suggest using a VLAN-capable switch and breaking this one up into 2 VLANs that don't see each other.

On the other hand, I think this would work, but you'll get a lot of syslog and console spam about ARP and CARP errors. However, you can shut down the ARP spam at System > Advanced by checking "This will suppress ARP messages when interfaces share the same physical network".

I would go with separate switches, as you have them around anyway.

Wasca:

Hi Hoba

Thanks for the feedback. I thought someone would say to separate the DMZ from the LAN.

The 16-port GigE switch does have VLAN capability, so maybe I'll try that. The DMZ was going to go on OPT1. Do I have to set up any VLAN settings on the pfSense box, or do I simply assign port numbers to a particular VLAN group on my switch?

yoda715:

@Wasca:

> The 16-port GigE switch does have VLAN capability, so maybe I'll try that. The DMZ was going to go on OPT1. Do I have to set up any VLAN settings on the pfSense box, or do I simply assign port numbers to a particular VLAN group on my switch?

Create the VLAN on the switch using the port numbers.

JeGr (LAYER 8 Moderator):
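The port-based VLAN layout yoda715 describes (assign switch ports to a DMZ VLAN and a LAN VLAN, plug pfSense OPT1 into a DMZ port) can be sanity-checked on paper before touching the switch. The script below is an added illustration, not code from the thread, from pfSense or from Netgate; the switch model is an assumption (port labels g1..g6 on the 16-port switch, VLAN 10 for LAN, VLAN 20 for DMZ, devices fw1/fw2 for the two CARP nodes, web1 and pc1 as sample hosts). It audits a layout for the three things this thread cares about: hosts in different zones sharing a layer 2 domain (traffic bypasses the firewall), hosts that cannot reach their zone's firewall VLAN, and CARP peers that do not share a VLAN (advertisements never arrive and both nodes claim MASTER). It also flags the flat design the thread starts from, where both NICs of one pfSense box sit on the same VLAN, which is what produces the ARP/CARP log spam hoba mentions.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Port:
    name: str                        # switch port label (assumed: g1..g16)
    device: str                      # what is plugged in (fw1, fw2, web1, pc1, ...)
    zone: str                        # "DMZ", "LAN", or "FW" for a pfSense NIC
    pvid: int                        # untagged VLAN, i.e. port-based VLAN membership
    tagged: frozenset = frozenset()  # 802.1Q-tagged VLANs, only set on trunk ports

    def vlans(self) -> frozenset:
        """Every broadcast domain this port participates in."""
        return self.tagged | {self.pvid}


def shared(a: Port, b: Port) -> frozenset:
    """VLANs two ports have in common; non-empty means they share layer 2."""
    return a.vlans() & b.vlans()


def audit(ports, zone_vlan):
    """zone_vlan maps zone -> VLAN id the pfSense NIC for that zone sits on,
    e.g. {"DMZ": 20, "LAN": 10}. Returns findings; an empty list means the
    layout keeps the zones apart and keeps CARP working."""
    findings = []
    hosts = [p for p in ports if p.zone != "FW"]
    fw = [p for p in ports if p.zone == "FW"]

    # 1. Hosts in different zones must never share a layer 2 domain, or they
    #    talk to each other directly and the firewall rules never see it.
    for a, b in combinations(hosts, 2):
        if a.zone != b.zone and shared(a, b):
            findings.append(f"bypass: {a.name}/{a.zone} and {b.name}/{b.zone} "
                            f"share VLAN {sorted(shared(a, b))}")

    # 2. Every host must sit on the VLAN its zone's firewall NIC uses.
    for h in hosts:
        want = zone_vlan[h.zone]
        if want not in h.vlans():
            findings.append(f"cut off: {h.name}/{h.zone} is not on VLAN {want}")

    # 3. CARP pair: both pfSense nodes need a NIC on each zone's VLAN, otherwise
    #    CARP advertisements never reach the peer and both nodes go MASTER.
    for zone, v in zone_vlan.items():
        nodes = {p.device for p in fw if v in p.vlans()}
        if len(nodes) < 2:
            findings.append(f"carp: only {sorted(nodes)} carry VLAN {v} for {zone}")

    # 4. Two NICs of the same pfSense box on one VLAN works, but is the
    #    flat design that produces ARP/CARP log spam on the console.
    for a, b in combinations(fw, 2):
        if a.device == b.device and shared(a, b):
            findings.append(f"noise: {a.device} has {a.name} and {b.name} "
                            f"on VLAN {sorted(shared(a, b))}")

    return findings


# Constructed sample layouts (not the poster's actual diagram).
FLAT = [  # everything in the default VLAN 1, as the original plan implies
    Port("g1", "fw1", "FW", 1), Port("g2", "fw1", "FW", 1),
    Port("g3", "fw2", "FW", 1), Port("g4", "fw2", "FW", 1),
    Port("g5", "web1", "DMZ", 1), Port("g6", "pc1", "LAN", 1),
]
FLAT_ZONES = {"DMZ": 1, "LAN": 1}

SEGMENTED = [  # port-based VLANs: OPT1 on a VLAN 20 port, LAN NIC on a VLAN 10 port
    Port("g1", "fw1", "FW", 20), Port("g2", "fw1", "FW", 10),
    Port("g3", "fw2", "FW", 20), Port("g4", "fw2", "FW", 10),
    Port("g5", "web1", "DMZ", 20), Port("g6", "pc1", "LAN", 10),
]
TRUNKED = [  # one NIC per firewall on an 802.1Q trunk carrying both VLANs
    Port("g1", "fw1", "FW", 1, frozenset({10, 20})),
    Port("g3", "fw2", "FW", 1, frozenset({10, 20})),
    Port("g5", "web1", "DMZ", 20), Port("g6", "pc1", "LAN", 10),
]
ZONES = {"DMZ": 20, "LAN": 10}
MISWIRED = SEGMENTED[:-1] + [Port("g6", "pc1", "LAN", 20)]  # LAN host patched into a DMZ port


if __name__ == "__main__":
    for label, layout, zones in [("flat", FLAT, FLAT_ZONES), ("segmented", SEGMENTED, ZONES),
                                 ("trunked", TRUNKED, ZONES), ("miswired", MISWIRED, ZONES)]:
        print(label, audit(layout, zones) or "OK")
```

With port-based (untagged) VLANs, as in SEGMENTED, pfSense needs no VLAN configuration at all: OPT1 is simply cabled to a port whose PVID is the DMZ VLAN. The TRUNKED variant passes the same audit, but there each pfSense node has one NIC carrying tagged VLANs 10 and 20, so VLAN interfaces must be created on that parent NIC in pfSense (Interfaces > Assignments > VLANs) and assigned as LAN and OPT1. Both CARP nodes must land on the same VLAN for each zone, which is why the audit counts firewall devices per VLAN rather than ports.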

I fully agree. Do not consider running DMZ and LAN on the same switch without using VLANs. For redundancy (or failsafe) I would recommend separate switches. VLANs are also nice, but if your LAN switch fails, your DMZ services still keep running, and switches aren't the most expensive hardware out there nowadays. :)

hoba:

Not to mention that "dumb" switches are cheaper than managed, VLAN-capable switches.
