Am I on the right track for Multi ISP / CARP - Multiple Routers
-
Ok this is pretty much how I see it working. I would like you great folks to take a look at what I got and tell me if it makes sense or not? Tell me if I am on the right track please.
Dual Router's / Dual ISP's Setup.
Both routers will be running pfSense. We intend to implement the load balancing and failover
offered by pfSense.Here is an ASCII representation of the network. The IP's and some ifaces are of course, made up.
Key
ISP-1 = T1 - 82.23.56.96/28 - 14 Real IP's: 82.23.56.97 - 82.23.56.110
ISP-2 = Wireless Internet - 101.44.16.32/28 - 14 Real IP's: 101.44.16.33 - 101.44.16.46LAN Network = 10.111.11.0/24
DMZ Network = 10.11.121.0/24
LAN Iface (Managed by CARP) = 10.111.11.1/24
DMZ Iface (Managed by CARP) = 10.11.121.1/24
LAN CARP Management Network (router1 (me0) - router2 (me0) - Intel NIC) = 10.222.22.0/29
DMZ CARP Management Network (router1 (me0:1) - router2 (me0:1) - Intel NIC) = 10.222.33.0/29
ISP-1 CARP Management Network (router1 (me0:2) - router2 (me0:2) - Intel NIC) = 10.222.44.0/29
ISP-2 CARP Management Network (router1 (me0:3) - router2 (me0:3) - Intel NIC) = 10.222.55.0/29Switch-1 - WAN Switch - 24 port - 2 vlans for ISP-1 and ISP-2, and 1 vlan for the CARP mngt iface's.
SW1-VLAN-1 - ISP-1
SW1-VLAN-2 - ISP-2
SW1-VLAN-3 - LAN+DMZ+ISP-1+ISP-2 CARP Management Net'sSwitch-2 - LAN/DMZ Switch - 48 Port - 2 vlans for LAN and DMZ
SW2-VLAN-1 - LAN
SW2-VLAN-2 - DMZRouter-1 = The main CARP router. AKA the CARP Master
On-board iface will be used for connection to ISP-1 - onb0
The first 3-port iface will be used for connection to ISP-2 - re0
The second 3-port iface will be used for connection to the LAN - re1 - Managed by CARP
The third 3-port iface will be used for connection to the DMZ - re2 - Managed by CARPAll CARP ifaces will be on the single port Intel PCI NIC, represented here as me0.
The CARP management iface for LAN - me0 - 10.222.22.1/29
The CARP management iface for DMZ - me0:1 | vp0 - 10.222.33.1/29
The CARP management iface for ISP-1 - me0:2 | vp1 - 10.222.44.1/29
The CARP management iface for ISP-1 - me0:3 | vp2 - 10.222.55.1/29Router-2 = The secondary CARP router. AKA CARP Slave
On-board iface will be used for connection to ISP-1 - onb0
The first 3-port iface will be used for connection to ISP-2 - re0
The second 3-port iface will be used for connection to the LAN - re1 -Managed by CARP
The third 3-port iface will be used for connection to the DMZ - re2 - Managed by CARPAll CARP ifaces will be on the single port Intel PCI NIC, represented here as me0.
The CARP management iface for LAN - me0 - 10.222.22.2/29
The CARP management iface for DMZ - me0:1 | vp0 - 10.222.33.2/29
The CARP management iface for ISP-1 - me0:2 | vp1 - 10.222.44.2/29
The CARP management iface for ISP-1 - me0:3 | vp2 - 10.222.55.2/29Here is an ASCII representation…
ISP-1 ISP-2 | | | | |--------------------| | | Switch-1 | | | | | | |-------------|-SW1-VLAN-1 - ISP-1-|-----------------| | | | | | | | | | | | |----------|-SW1-VLAN-2 - ISP-2-|-------------| | | | | | | | | | | | | | | | |----|-SW1-VLAN-3 - CARP--|-----| | | | | | |--------------------| | | | | | | | | | | | | | | | | | |---------------| |------------| | | | | | | | | | | | | | | | | | | | | onb0 - 82.23.56.97 -| |-re0 - 101.44.16.33 | | re0 - 101.44.16.34-| |-onb0 - 82.23.56.98 ---------------- | | ---------------- | |----------| |----------| | | Router-1 |me0/me0:1 me0/me0:1| Router-2 | | |me0:2/me0:3 me0:2/me0:3| | ---------------- ---------------- re2 DMZ CARP 10.11.121.1/24-| | <-re1 - LAN CARP 10.111.11.1/24-> | |-re2 DMZ CARP 10.11.121.1/24 | | | | | | |------------------| | | | | | Switch-2 | | | | | | | | | | | | SW2-VLAN-1 - LAN | | | | |---------| 10.111.11.0/24 |---------| | | | LAN Clients | | | | | | | | SW2-VLAN-2 - LAN | | |---------------| 10.11.121.0/24 |--------------| | DMZ Clients | |------------------|Here is a dia version. This one is a bit more of a virtual representation…
thanks for looking!
brianw
-
Bump!
Nice level of detail, brianw. Have you tested this, yet?
I have a very similar situation, so I'm dying to know if this configuration works well.
-
I'm looking to do this do. How will you set up the fail over rules for the Dual Wan? I'm assuming that they'll be the same as in the tutorial.
-
Sorry I have not replied; been a bit busy. We got the hardware and built a lab. We accomplished all of our goals in the end. The setup is at the clients new building awaiting the servers and clients that will be coming in the coming weeks. We experienced a bit of a heartache in the hardware department at first. We thought we were going to have to go back to the drawing board in the hardware department at first.
We got (2) of the Jetway C7 2.0 boards with the daughter board capability. We got the (3) GB Nic daughter boards for them. The daughter boards did not work well at all. They kept dropping IRQ's and such. Generally just not working out. So we got (2) Dual GB Intel nics for each router. And still the problems with IRQ routing persisted. We finally found some documentation on the PCI riser card and was able to get the Dual GB Intel Nic's to work. We were very happy. :)
My Brother and I will soon be publishing a HowTo for the setup we found. None of the HowTo's worked 100% for us… We had to figure some things out. I also want to post our setup so it can be scrutinized.
Check back,
brianw
-
Sorry I have not replied; been a bit busy. We got the hardware and built a lab. We accomplished all of our goals in the end. The setup is at the clients new building awaiting the servers and clients that will be coming in the coming weeks. We experienced a bit of a heartache in the hardware department at first. We thought we were going to have to go back to the drawing board in the hardware department at first.
We got (2) of the Jetway C7 2.0 boards with the daughter board capability. We got the (3) GB Nic daughter boards for them. The daughter boards did not work well at all. They kept dropping IRQ's and such. Generally just not working out. So we got (2) Dual GB Intel nics for each router. And still the problems with IRQ routing persisted. We finally found some documentation on the PCI riser card and was able to get the Dual GB Intel Nic's to work. We were very happy. :)
My Brother and I will soon be publishing a HowTo for the setup we found. None of the HowTo's worked 100% for us… We had to figure some things out. I also want to post our setup so it can be scrutinized.
Check back,
brianw
I would welcome your howto!