Switching from filtering bridge to filtering router, steps?



  • Alright, after last weekend's debacle (http://forum.pfsense.org/index.php/topic,8864.0.html), I'm dropping the bridging configuration to routing.  I'll be controlling .1.

    From what I understand, all I'll need to do is set up CARP for .1 (the servers' gateway) and change my rules' "Gateway" to go out the new CARP IP (.1), or do I even have to do that?



  • I'm sorry but I don't find any details on your network in that other thread. Could you post a small ascii artwork of your network or a diagram? Are you using 1:1 NAT, portforward/outbound nat or no NAT at all?



  • My apologies - I figured it was enough.  I'm not doing NAT, as my servers are also on public IPs.  I'm currently just bridging the public class C with the switches that my servers are on.  They're basically just transparent firewalls.

    Currently:

    -firewall1-
    uplink -> switch (.1) <        |        > - switches - servers
                                       -firewall2-

    What we're going to be doing is moving .1 from the hosting company's switch to the firewalls.  So, they'll become filtering routers.  Nothing will need to change above, I just need to figure out how to smoothly get .1 onto the firewalls, and find out what other changes I need to make via pfSense.

    Side note: I just realized I messed up the subject, heh.  Edited



  • Ok, quick walkthrough (I hope I don't forget anything  ;) ):

    • Firewall1 and 2 will each need a separate dedicated IP from the WAN and from the LAN subnet (no CARP, no failover).
    • The former .1 switch IP will become the CARP VIP for both firewalls at interface LAN. It will act as gateway for the servers and can be moved back and forth between the systems on failover.
    • You'll need the switch's uplink IP to the world as CARP IP on WAN (and, as stated already above, in addition to that the 2 dedicated real IPs for each machine).
    • To shut down NAT go to Firewall > NAT, Outbound. Enable manual outbound NAT and delete all the autocreated rules (it will create a LAN to WAN rule by default, just delete it).
    • The firewall rules will remain the way they have been. Don't use any gateways in there. Those are needed for policy-based routing and multi-WAN only.
    • I won't go into details about sync settings as I guess you have been using them successfully before with the other setup.

    Good luck  :)



  • @hoba:

    Ok, quick walkthrough (I hope I don't forget anything  ;) ):

    • Firewall1 and 2 will each need a separate dedicated IP from the WAN and from the LAN subnet (no CARP, no failover).
    • The former .1 switch IP will become the CARP VIP for both firewalls at interface LAN. It will act as gateway for the servers and can be moved back and forth between the systems on failover.
    • You'll need the switch's uplink IP to the world as CARP IP on WAN (and, as stated already above, in addition to that the 2 dedicated real IPs for each machine).
    • To shut down NAT go to Firewall > NAT, Outbound. Enable manual outbound NAT and delete all the autocreated rules (it will create a LAN to WAN rule by default, just delete it).
    • The firewall rules will remain the way they have been. Don't use any gateways in there. Those are needed for policy-based routing and multi-WAN only.
    • I won't go into details about sync settings as I guess you have been using them successfully before with the other setup.

    Good luck  :)

    Perfect, thanks!

    I figured all I had to do was disable 'filtering bridge', and add .1 as the CARP IP, but wanted to be sure.

    So, to be sure:
    My firewalls are already .254 and .253 on the WAN side, and a random private subnet on the LAN side (can that stay the same?)
    Then add of my class C as CARP on the LAN side?

    The hosting company should give me two more IPs (outside of my class C) as well, to use as the firewalls' public IPs, correct?



  • All IPs on the same interface (the real ones for each firewall as well as the virtual IP) have to be in the same subnet, so you can't use private IPs on the LAN interfaces if that .1 IP is a public one. It's the same on WAN. You'll need 3 IPs from the same subnet on WAN and on LAN. LAN and WAN have to be different subnets, of course.
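The addressing rule in the reply above (two dedicated IPs plus the CARP VIP per interface, all in one subnet, and WAN and LAN in different subnets) as a small plan checker. This is an added example, not from the thread or from pfSense; the addresses are constructed from documentation ranges and the "bad" plan reproduces the private-LAN layout the poster asked about.

```python
import ipaddress

# Constructed example plan (RFC 5737 documentation ranges, not the poster's real addresses).
# Each interface carries the two dedicated per-firewall IPs plus the shared CARP VIP (.1 on LAN).
GOOD_PLAN = {
    "wan": {"prefix": 29, "fw1": "198.51.100.2", "fw2": "198.51.100.3", "vip": "198.51.100.1"},
    "lan": {"prefix": 24, "fw1": "203.0.113.254", "fw2": "203.0.113.253", "vip": "203.0.113.1"},
}

# The layout the poster asked about: private LAN addresses on the firewalls, public .1 as the VIP.
BAD_PLAN = {
    "wan": {"prefix": 29, "fw1": "198.51.100.2", "fw2": "198.51.100.3", "vip": "198.51.100.1"},
    "lan": {"prefix": 24, "fw1": "192.168.1.2", "fw2": "192.168.1.3", "vip": "203.0.113.1"},
}


def check_interface(name, iface):
    """Check one interface: three distinct addresses, all inside one subnet.

    Returns (problems, subnet the VIP lives in)."""
    problems = []
    addrs = {role: ipaddress.ip_interface(f"{iface[role]}/{iface['prefix']}")
             for role in ("fw1", "fw2", "vip")}
    if len({a.ip for a in addrs.values()}) != 3:
        problems.append(f"{name}: fw1, fw2 and the CARP VIP must be three distinct addresses")
    networks = {role: a.network for role, a in addrs.items()}
    if len(set(networks.values())) != 1:
        detail = ", ".join(f"{role}={net}" for role, net in networks.items())
        problems.append(f"{name}: real IPs and VIP are not in the same subnet ({detail})")
    return problems, networks["vip"]


def check_plan(plan):
    """Apply the per-interface rule to WAN and LAN, then require disjoint subnets."""
    problems = []
    subnets = {}
    for name, iface in plan.items():
        iface_problems, subnets[name] = check_interface(name, iface)
        problems.extend(iface_problems)
    if subnets["wan"].overlaps(subnets["lan"]):
        problems.append(f"wan ({subnets['wan']}) and lan ({subnets['lan']}) must be different subnets")
    return problems


if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, check_plan(plan) or "ok")
```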

