Static IPs and CARP related questions
-
I'm running pfSense 2.0 on an appliance I built. So far, no issues. The set-up is for a very small business.
I have Verizon FiOS with 5 static IPs. My IP block is its own /29 subnet but the Verizon GW is in a /24 subnet. The only way I've gotten multiple IPs to work so far (I've only used one of the extras) is to create a VIP group with CARP. So my first question is: Is this really a routed subnet I just didn't figure out how to set up? I'm thinking the router has to be in the same subnet. If not, do I really need CARP here? I also tried using Proxy ARP but couldn't get it to work. I suspect that was just me not understanding something there. Any guidance here appreciated. I have the book as a reference.
Second, to go to CARP failover do I then definitely need a routed subnet? If not, can failover CARP coexist with my existing CARP VIPs?
Lastly, if I get that far, I still have only 5 IPs. I'd like to NAT the secondary router IP for secondary DNS. Can the secondary be used like that? I'm wondering if I also have to get a bigger block. In a single router set-up I'd have a need for at least 3 of the 5 static IPs (maybe 4). I'm wondering what the math is to extend that – I assume it's not always just doubling it since the secondary is usually not routing anything (only that secondary DNS if that sort of set-up is possible).
-
Some more details/ideas here after reading the book again:
Since I don't appear to have a true routed subnet, it looks like I could connect a switch to the Verizon ONT. Off that switch I'd see my 5 IPs (I believe I did test this back at install time). I'd use 3 of those 5 for a CARP failover set-up. If that's all true (I think it is), then my question is how I can use the other 2 IPs. Without the switch I use CARP/VIPs to associate those other addresses to my primary IP. It's not clear to me how that looks with a switch in between the two now. Seems like I could either still do the CARP/VIP trick (switch has no effect other than splitting off the two IPs I need to separate for failover), or it seems like I might have to have pfSense see the split extra IPs as multiple WAN IPs (which I'd use without failover). The problem with that second scenario would seem to be that I can no longer pool the extras for a set of NAT rules to fan them out to the DMZ behind pfSense – that if I split them either one pfSense box would get the extra two, or each pfSense box (primary, secondary) would get one of the two extras.