Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Login

    Will this CARP setup work?

    Off-Topic & Non-Support Discussion
    4
    6
    3.3k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • W
      Wasca
      last edited by

      Hi All

      I've attached a copy of a proposed network layout using PFSense and CARP.

      I have a /27 network (DMZ) routed to me and a LAN Network.

      I have a few questions.

      1. Using only 1 Switch (16Port GigE) to handle the /27 (DMZ) and /24 (LAN) segments, has got me a little unsure of how PFSense will handle this, Can anyone see any foreseeable problems with this? Do you have any suggestions? Should I really be using 2 switches? this seems a little bit of a waste of resources.

      2. I've Got 2 GigE switches looking after the LAN Subnet, Do you see and problems with the way I planned on setting this up? Should the 16 Port GigE in the LAN piggy back off the 24 Port GigE? I only did this because I did not have a single 48 Port Switch.

      3. Has any one else setup something like this already? Do you have a sample network map to share?

      Thanks for looking

      Network.png_thumb
      Network.png

      1 Reply Last reply Reply Quote 0
      • H
        hoba
        last edited by

        I wouldn't go this way. You usually want the DMZ to be really seperated from LAN. The way you plan to do it they are ion the same layer2 network. IUf you really want to do it this way I suggest using a vlan capable switch and break this one up into 2 vlans that don't see each other.

        On the other hand I think this would work but you'll get a lot syslog and console spam about ARP and CARP errors. However you can shutdown the ARP spam at system>advanced by checking "This will suppress ARP messages when interfaces share the same physical network".

        I would go with seperate switches as you have them around anyway.

        1 Reply Last reply Reply Quote 0
        • W
          Wasca
          last edited by

          Hi Hoba

          Thanks for the feed back. I thought someone would say to separate the DMZ from the LAN.

          The 16Port GigE switch does have VLAN capability, so maybe I'll try that. The DMZ was going to go on OPT1, do I have to setup any VLAN settings on the PFSense Box or do I simply assign Port numbers to a particular VLAN group on my switch?

          1 Reply Last reply Reply Quote 0
          • Y
            yoda715
            last edited by

            @Wasca:

            The 16Port GigE switch does have VLAN capability, so maybe I'll try that. The DMZ was going to go on OPT1, do I have to setup any VLAN settings on the PFSense Box or do I simply assign Port numbers to a particular VLAN group on my switch?

            Create the VLAN on the switch using the port numbers.

            1 Reply Last reply Reply Quote 0
            • JeGrJ
              JeGr LAYER 8 Moderator
              last edited by

              I fully agree. Do not consider running DMZ and LAN on the same switch without using VLAN. For redundancy (or failsafe) I would recommend seperate switches. VLAN is also nice, but if your LAN switch fails, your DMZ services still keep running and switches aren't the most expensive hardware out there nowadays. :)

              Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

              If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

              1 Reply Last reply Reply Quote 0
              • H
                hoba
                last edited by

                Not to mention that "dumb" switches are cheaper than manageable vlan capable switches.

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post