SOLVED - Questions about blocked IP setup with CRAP

galphanet · May 17, 2013, 1:42 PM

Hello,

I use Pfsense with CRAP and my provider can give us IP for free but we have to pay a fee for each IP with Internet access.
So I can have 3 IP for free but I have to pay to have them reachable from outside.
(Every addresses are on a public subnet, even if they don't have Internet access).

So I configured the 2 IP as WAN on each Pfsense routers and the last one as CRAP.
For now, only the CRAP address can access internet, to save money.

My questions are :

do Pfsense (WAN IP) need to access the Internet to work properly ?
if not, can I use a "trick" to give Internet access to pfsense though the CRAP interface ?
(for example to download snort updates….)

I know this is a strange setup...
Thanks you for your answers :)

SeventhSon · May 16, 2013, 5:13 PM

the answer most likely is in:
http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_%28CARP%29#Setting_up_advanced_outbound_NAT

more specifically, outbound NAT for localhost 127.0.0.0/8

galphanet · May 16, 2013, 5:15 PM

Yep, you're right I just figured this out 1 hour ago ;D

BUT this give the active gateway access to Internet, not the secondary one.

SeventhSon · May 16, 2013, 5:18 PM

@galphanet:

BUT this give the active gateway access to Internet, not the secondary one.
[/quote
correct, because the secondary doesn't have the CARP addresss. You would need internet access for the secondary addresses if you need both firewalls on the internet all the time.