Adding a new block of IPs

dzeanah

Currently my DMZ net is a 10. network, and I use CARP/VIPs to associate the private network addresses with routable IPs.

I'm running out of IP addresses though, and will need more.  What I'd like to do is keep the current configuration the same, have my bandwidth provider assign me a new block of IPs (probably a completely new netblock with no association with my current IP range), tell pfSense about it by setting up new CARP assignments, and keep on going without any real changes to my network layout.

Is this possible?

What's the best way forward?  Worst case I can get an additional network uplink and install a firewall with another port so I can do dual-wan, but I'd rather just have the current WAN handle new netblocks without blinking.

Thanks.

podilarius

Are you running 2 firewalls in fail over with CARP? If not, you could use proxy arp.

dzeanah

Yep - failover is set up and runs pretty well every time I've used it.

podilarius

adding a second IP block is difficult or not possible. We tried it early on at our DC and eventually had to have the ISP give us a big block and suffer through an IP change. Which was not all that bad. CARP addresses must be all be in the same subnet.

Reiner030

@podilarius:

adding a second IP block is difficult or not possible. We tried it early on at our DC and eventually had to have the ISP give us a big block and suffer through an IP change. Which was not all that bad. CARP addresses must be all be in the same subnet.

there is a little trick to get it work  (we make it last year - works good)…

=> set on both firewalls each an IP Alias to the origin network card from

e.g.

old IPs:
10.0.1.1  carp gw
10.0.1.2  fw1
10.0.1.3  fw2

new IPs:
10.2.0.2  IP ALIAS on fw1
10.2.0.3  IP ALIAS on fw2
10.2.0.1  carp gw2 with same network as IP Alias ;)

Perhaps a problem:
You can only handle up to 255 CARP IPs on you firewalls in sum. (because of VHID 1..255)

podilarius

Dude .that is an awesome trick. I will keep that in mind and use it. Thanks. Will test it in the lab once I recover from vacation.

dzeanah

Well, shucks.  Now I need to read up on IP Aliasing because I know nothing about it.

Is it fair to assume that I can use that trick to add a separate block of IP addresses to my firewall as described in the first post?

If so, then this is awesome – I don't need to either migrate to a big block of IPs I can't currently justify or add new ports to the primary firewall (and replace the secondary) for a second network drop – now I just need to find the time to reread my pfSense manual.  Well, I'll check to see if there's a current manual available...