CARP deployment scenario

  • Hi

    I am really just after a bit of sense check on whether my proposed scenario will work. I would like to implement a CARP setup with the following:

    2 x WAN
    2 x LAN
    1 x Public WiFi (with Captive Portal)
    1 x DMZ
    20 x IPSEC tunnels

    I would also like to implement VLANs over three switches:

    Switch 1 - WAN 1 & WAN 2
    Switch 2 - Public WiFi & DMZ
    Switch 3 - LAN 1 & LAN 2

    We have 16 Public IP addresses on each WAN connection and would require most of them configured as Virtual IPs (after the 3 x allocated to the WAN interfaces)

    We will be using the latest and greatest version of pfSense v2

    Any comments or suggestions would be welcome.
    One question in particular - would it be considered secure to reduce the number of switches to two by placing the WiFi/DMZ with either the WAN or LAN switches?


  • If the wireless doesn’t need direct access to your network resources, then just have it on a separate VLAN and make sure there is an ACL to block any packets that are part of the WIFI network to your network. However, if your WIFI needs access to your network, that should also work.

    What we have done for our installation at our office and data center is to have two switches and two firewalls: a trunk between the two switches, but then VLANed them into different groups, for example

    VLAN1 is our LAN
    VLAN2 is WAN1
    VLAN3 is WAN2

    Your ISP hand-off would go into the right VLAN group and then so would your firewall connections. If you’re not using trunks then you will have a direct cable for each of the VLANs back to your firewalls with correct addresses.

    For the DMZ you can add extra ports to the VLANs you need and have them outside the firewall. And then the placement for the WAP again depends if it’s part of your internal or external network access requirements.

    What this design allows you to do is have redundancy. What if your WAN switch went out? You would lose all WAN connections, whereas if the WANs were both on two different switches the risk of a failed switch is mitigated.

    To answer your question about whether it would be secure: if VLANs are done correctly, it’s taking a physical switch and logically breaking it down into multiple logical switches.
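Two checks for the layout the reply describes, as an added example that is not from the thread or from pfSense: a small Python model of which VLANs each switch carries (constructed) confirms that no single switch failure removes both WANs, and a first-match evaluation of a constructed WiFi-to-LAN block rule shows why rule order matters. The VLAN names, switch names and rules are assumptions made for the example.

```python
# Added example: a model of the two-switch, trunked VLAN design from the reply.
# Property 1: losing any one switch must leave at least one WAN VLAN reachable.
# Property 2: the public WiFi VLAN must have an explicit block toward the LAN.

# Constructed topology: VLANs carried by each switch. With a trunk between the
# switches every VLAN exists on both, and the firewall pair connects to each.
PLAN_TWO_SWITCH = {
    "sw1": {"LAN", "WAN1", "WAN2", "WIFI", "DMZ"},
    "sw2": {"LAN", "WAN1", "WAN2", "WIFI", "DMZ"},
}
# Constructed alternative: one dedicated "WAN switch" carrying both uplinks.
PLAN_WAN_SWITCH = {
    "sw_wan": {"WAN1", "WAN2"},
    "sw_lan": {"LAN", "WIFI", "DMZ"},
}


def surviving_wans(plan, failed):
    """WAN VLANs still present on some switch after `failed` goes down."""
    wans = set()
    for switch, vlans in plan.items():
        if switch != failed:
            wans |= {v for v in vlans if v.startswith("WAN")}
    return wans


def single_switch_failure_ok(plan):
    """True if every single-switch failure leaves at least one WAN VLAN."""
    return all(surviving_wans(plan, switch) for switch in plan)


# Constructed ACL for the WiFi VLAN. Evaluated first-match, as pfSense does,
# with an implicit deny if nothing matches.
WIFI_RULES = [
    {"action": "block", "src": "WIFI", "dst": "LAN"},
    {"action": "block", "src": "WIFI", "dst": "DMZ"},
    {"action": "pass", "src": "WIFI", "dst": "ANY"},
]


def acl_allows(rules, src, dst):
    """First matching rule decides; no match means blocked."""
    for rule in rules:
        if rule["src"] == src and rule["dst"] in (dst, "ANY"):
            return rule["action"] == "pass"
    return False


def wifi_isolated(rules):
    """WiFi may reach the internet but must not reach the LAN."""
    return acl_allows(rules, "WIFI", "INTERNET") and not acl_allows(rules, "WIFI", "LAN")
```

Putting the "pass any" rule above the block rules makes the block unreachable, which is the ordering mistake the isolation check catches.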
