CARP deployment scenario
Gob last edited by
I am really just after a bit of sense check on whether my proposed scenario will work. I would like to implement a CARP setup with the following:
2 x WAN
2 x LAN
1 x Public WiFi (with Captive Portal)
1 x DMZ
20 x IPSEC tunnels
I would also like to implement VLANs over three switches:
Switch 1 - WAN 1 & WAN 2
Switch 2 - Public WiFi & DMZ
Switch 3 - LAN 1 & LAN 2
We have 16 Public IP addresses on each WAN connection and would require most of them configuring as Virtual IPs (after the 3 x allocated to the WAN interfaces)
We will be using the latest and greatest version of pfSense v2
Any comments or suggestions would be welcome.
One question in particular - would it be considered secure to reduce the number of switches to two by placing the WiFi/DMZ with either the WAN or LAN switches?
asalmon last edited by
If the wireless doesn’t need direct access to your network resources, then by just having it on a separate VLAN and making sure there is an ACL to block any packets that are part of the WIFI network to your network. However, if you’re WIFI needs access to your network that should also work.
What we have done for our installation at our office and data center is to have two switches, and two firewalls. A trunk between the two switches but then VLANed them into different groups, for example
VLAN1 is our LAN
VLAN2 is WAN1
VLAN3 is WAN2
Your ISP hand-off would go into the right VLAN group and then so would your firewall connections. If you’re not using trunks then you will have a direct cable for each of the VLANs back to your firewalls with correct addresses.
For the DMZ you can add extra ports to the VLANs you need and have them outside the firewall. And then the placement for the WAP again depends if it’s part of your internal or external network access requirements.
What this design allows you to do is have redundancy, what if your WAN switch went out? You would loss all WAN connections, where if the wans were both on two different switches the risk of a failed switch is migrated.
To answer your question about if it would be secure, if VLANs are done correctly, its taking a physical switch and logically breaking it down to multiple logical switches.