Netgate Discussion Forum
    CARP deployment scenario

    Gob

      Hi

      I am really just after a bit of a sense check on whether my proposed scenario will work. I would like to implement a CARP setup with the following:

      2 x WAN
      2 x LAN
      1 x Public WiFi (with Captive Portal)
      1 x DMZ
      20 x IPSEC tunnels

      I would also like to implement VLANs over three switches:

      Switch 1 - WAN 1 & WAN 2
      Switch 2 - Public WiFi & DMZ
      Switch 3 - LAN 1 & LAN 2

      We have 16 public IP addresses on each WAN connection and would require most of them to be configured as Virtual IPs (after the 3 x allocated to the WAN interfaces).

      We will be using the latest and greatest version of pfSense v2

      Any comments or suggestions would be welcome.
      One question in particular - would it be considered secure to reduce the number of switches to two by placing the WiFi/DMZ with either the WAN or LAN switches?

      thanks
      Gordon

      If I fix one more thing than I break in a day, it's a good day!

      asalmon

        If the wireless doesn't need direct access to your network resources, then just have it on a separate VLAN and make sure there is an ACL to block any packets from the WiFi network to your network. However, if your WiFi needs access to your network, that should also work.

        What we have done for our installation at our office and data center is to have two switches and two firewalls. A trunk between the two switches, but then VLANed them into different groups, for example:

        VLAN1 is our LAN
        VLAN2 is WAN1
        VLAN3 is WAN2

        Your ISP hand-off would go into the right VLAN group and then so would your firewall connections. If you’re not using trunks then you will have a direct cable for each of the VLANs back to your firewalls with correct addresses.

        For the DMZ you can add extra ports to the VLANs you need and have them outside the firewall. And then the placement for the WAP again depends if it’s part of your internal or external network access requirements.

        What this design allows you to do is have redundancy: what if your WAN switch went out? You would lose all WAN connections, whereas if the WANs were both on two different switches the risk of a failed switch is mitigated.

        To answer your question about whether it would be secure: if VLANs are done correctly, it's taking a physical switch and logically breaking it down into multiple logical switches.

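The two arguments in the reply above (a single "WAN switch" is a single point of failure, and a VLAN plus an ACL is what keeps the WiFi segment off the LAN) can be checked mechanically before any cable is moved. The following is an added example, not code from either poster or from pfSense/Netgate. It models the original three-switch proposal (both WAN hand-offs on one switch) beside one reading of the reply's layout (two trunked switches, VLAN1/2/3 as listed, each WAN hand-off on a different switch, each firewall cabled to both switches); the switch names, device names, the WiFi VLAN id and the ACL rule set are all constructed assumptions. It then reports how many WANs survive the worst single switch failure in each design, and evaluates a first-match ACL for the WiFi-to-LAN question.

```python
"""Constructed model of the switch/VLAN layouts discussed in this thread.

Added illustration only: not pfSense or Netgate code. Topologies, device
names and the ACL below are assumptions encoding the designs as described.
"""
from collections import namedtuple

# One cable into a switch: which switch, which VLAN, and the device behind it.
Port = namedtuple("Port", "switch vlan device")

LAN, WAN1, WAN2 = 1, 2, 3  # VLAN ids as listed in the reply
WIFI = 10                  # assumed VLAN id for the public WiFi segment

# Design 1 (original proposal): three switches, WAN1 and WAN2 both on switch 1.
THREE_SWITCH = {
    "trunks": set(),  # no inter-switch trunks in the proposal
    "ports": [
        Port("sw1", WAN1, "isp-wan1"), Port("sw1", WAN2, "isp-wan2"),
        Port("sw1", WAN1, "fw-a"), Port("sw1", WAN2, "fw-a"),
        Port("sw1", WAN1, "fw-b"), Port("sw1", WAN2, "fw-b"),
        Port("sw3", LAN, "fw-a"), Port("sw3", LAN, "fw-b"),
    ],
}

# Design 2 (assumed reading of the reply): two trunked switches, each WAN
# hand-off on a different switch, each firewall cabled to both switches.
TWO_SWITCH_TRUNKED = {
    "trunks": {frozenset({"swA", "swB"})},
    "ports": [
        Port("swA", WAN1, "isp-wan1"), Port("swB", WAN2, "isp-wan2"),
        Port("swA", WAN1, "fw-a"), Port("swB", WAN2, "fw-a"),
        Port("swA", WAN1, "fw-b"), Port("swB", WAN2, "fw-b"),
        Port("swA", LAN, "fw-a"), Port("swB", LAN, "fw-b"),
    ],
}


def _connected(trunks, a, b, failed):
    """True if switch a can reach switch b over trunks, avoiding failed switches."""
    if a in failed or b in failed:
        return False
    seen, stack = {a}, [a]
    while stack:
        s = stack.pop()
        if s == b:
            return True
        for link in trunks:
            if s in link:
                (other,) = link - {s}
                if other not in failed and other not in seen:
                    seen.add(other)
                    stack.append(other)
    return False


def surviving_wans(design, failed=frozenset()):
    """WAN VLANs that at least one firewall can still reach after `failed` die.

    A WAN survives if some firewall port in that VLAN sits on a live switch
    that is trunk-connected to the switch holding that WAN's ISP hand-off.
    """
    ports = design["ports"]
    alive = set()
    for isp in (p for p in ports if p.device.startswith("isp-")):
        for fw in (p for p in ports if p.device.startswith("fw-") and p.vlan == isp.vlan):
            if _connected(design["trunks"], fw.switch, isp.switch, failed):
                alive.add(isp.vlan)
                break
    return alive


def worst_single_switch_failure(design):
    """Smallest number of WANs left after losing any one switch."""
    switches = {p.switch for p in design["ports"]}
    return min(len(surviving_wans(design, frozenset({s}))) for s in switches)


# First-match ACL as the reply describes: block WiFi -> LAN, permit WiFi
# elsewhere. Constructed rules: (action, src_vlan, dst_vlan), "any" wildcards.
ACL_WITH_BLOCK = [("deny", WIFI, LAN), ("permit", WIFI, "any")]


def acl_permits(acl, src_vlan, dst_vlan):
    """Evaluate a first-match ACL; implicit deny if no rule matches."""
    for action, s, d in acl:
        if s in (src_vlan, "any") and d in (dst_vlan, "any"):
            return action == "permit"
    return False


if __name__ == "__main__":
    for name, design in (("three switches", THREE_SWITCH),
                         ("two trunked switches", TWO_SWITCH_TRUNKED)):
        print(f"{name}: WANs left after worst single switch failure ="
              f" {worst_single_switch_failure(design)}")
    print("WiFi -> LAN permitted:", acl_permits(ACL_WITH_BLOCK, WIFI, LAN))
    print("WiFi -> WAN1 permitted:", acl_permits(ACL_WITH_BLOCK, WIFI, WAN1))
```

The redundancy check confirms the reply's point: with both hand-offs on one switch, that switch failing leaves zero WANs, while splitting them across two trunked switches leaves one WAN up in every single-failure case. The ACL helper shows why the VLAN alone is not the control; without the explicit deny, the same "permit WiFi any" rule would also reach the LAN VLAN.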