4. Multiple subnet routing questions

Multiple subnet routing questions

  • C

    Hey All!

    I just moved into a new colo setup and the provider only gives out IPs in /29 blocks. I currently have 3 /29 blocks with them and I wanted to know what the easiest way to go about routing them would be with minimal IP loss.

    I currently have 2 pf's setup as an HA pair, the "primary" IP on my account is setup as a CARP VIP address on the WAN side for both pf's and they each have their own dedicated IPs in that subnet. I have requested that my colo provider route the other two /29's to the primary (CARP VIP) address on my account.

    Now, my question comes with routing the other 2 subnets…..what is the best way to go about routing those two /29 blocks to networks behind my pf minimizing IP loss on the pf boxes (I want to keep as many IPs as I can free for the servers behind the pf's)

    I've been doing a lot of reading on the subject (admittedly i'm a routing noob) and there seem to be two solutions to the routing:

    1. I can use NAT for the addresses then just map ports to the hosts behind the pf
    2. I can fully route the subnets through the pf using the pf as a gateway/router for everything behind it.

    I'm particularly interested in option 2, however using my CARP setup I "burn" 3 IPs in each subnet (one for each pf and another for the VIP). In my reading I saw that an option might be to use a 10.x.x.x address on each physical DMZ interface (not LAN as I'll be natting one of the IPs over there) and use one of the public IPs on the VIP as the gateway for each of the subnets....if I understand this correctly it essentially only burns one IP per subnet.

    Is such a thing possible? Are there better ways to go about doing what I want?

    Thanks in advance!

    0
  • P

    I would think you could use any larger subnet. CARP addresses must be part of the subnet of the real interface. So you could use at /28 cidr and use the addresses not assigned to you as your interface addresses and the VIP as the first one that is. It is an interesting idea to use private IPs as the real interface addresses, but I didn't think that was possible in the current versions of pfSense.
    Are your /29 blocks consecutive?

    0
  • C

    Hey podilarius!

    Unfortunately my /29's are not consecutive…..they're all over the place actually.  :-[

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy