4. Static IPs and CARP related questions

Static IPs and CARP related questions

  • S

    I'm running pfSense 2.0 on an appliance I built. So far, no issues.  The set-up is for a very small business.

    I have Verizon FiOS with 5 static IPs.  My IP block is its own /29 subnet but the Verizon GW is in a /24 subnet.  The only way I've gotten multiple IPs to work so far (I've only used one of the extras) is to create a VIP group with CARP.  So my first question is: Is this really a routed subnet I just didn't figure out how to set up?  I'm thinking the router has to be in the same subnet.  If not, do I really need CARP here?  I also tried using Proxy ARP but couldn't get it to work.  I suspect that was just me not understanding something there.  Any guidance here appreciated.  I have the book as a reference.

    Second, to go to CARP failover do I then definitely need a routed subnet?  If not, can failover CARP coexist with my existing CARP VIPs?

    Lastly, if I get that far, I still have only 5 IPs.  I'd like to NAT the secondary router IP for secondary DNS.  Can the secondary be used like that?  I'm wondering if I also have to get a bigger block.  In a single router set-up I'd have a need for at least 3 of the 5 static IPs (maybe 4).  I'm wondering what the math is to extend that – I assume it's not always just doubling it since the secondary is usually not routing anything (only that secondary DNS if that sort of set-up is possible).

    0
  • S

    Some more details/ideas here after reading the book again:

    Since I don't appear to have a true routed subnet, it looks like I could connect a switch to the Verizon ONT.  Off that switch I'd see my 5 IPs (I believe I did test this back at install time).  I'd use 3 of those 5 for a CARP failover set-up.  If that's all true (I think it is), then my question is how I can use the other 2 IPs.  Without the switch I use CARP/VIPs to associate those other addresses to my primary IP.  It's not clear to me how that looks with a switch in between the two now.  Seems like I could either still do the CARP/VIP trick (switch has no effect other than splitting off the two IPs I need to separate for failover), or it seems like I might have to have pfSense see the split extra IPs as multiple WAN IPs (which I'd use without failover).  The problem with that second scenario would seem to be that I can no longer pool the extras for a set of NAT rules to fan them out to the DMZ behind pfSense – that if I split them either one pfSense box would get the extra two, or each pfSense box (primary, secondary) would get one of the two extras.

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy