ISP allows traffic ONLY from the CARP IP…



  • I'm re-writing the question in hopes that this will clarify what I am asking.

    The ISP in my datacenter will only allow traffic from the CARP IP of my firewalls, even though we have a /29 network.  So all of my outside IP addresses will be in the same /29 network, but the ISP will only communicate with the CARP address.  LAN traffic is sent through the CARP IP along with traffic from our two external /27 networks that are stacked on top of the CARP IP.  We are running pfSense 2.2.3.

    I'm trying to figure out how I can get my firewalls to receive software updates and snort updates, since that traffic will be sent from the real IP address of the firewalls and the ISP will not allow that.  The only resolution that I can see at this point is to make another outbound NAT rule (Firewall>NAT>Outbound) that directs all traffic with a source of "This Firewall (self)" through the CARP IP.

    Questions:

    1.  Will the Master firewall be able to receive software updates (for the O/S and snort) if I create an outbound rule that maps source "This firewall(self)" through the CARP IP?

    2.  Will the Backup firewall be able to receive software updates (for the O/S and snort) if I create an outbound rule that maps source "This firewall(self)" through the CARP IP?

    3.  Will there be any communications issues by applying a rule like this to each firewall?

    For additional clarification, this is an example of what the routing situation from our ISP will look like:

    xx.xx.xx.00/29 network
    xx.xx.xx.01  gateway on ISP router
    xx.xx.xx.02  1st useable IP assigned to our CARP
    xx.xx.xx.03  Master firewall
    xx.xx.xx.04  Backup firewall
    The ISP will route traffic ONLY to the xx.xx.xx.02 IP address.

    Any advice or ideas will be much appreciated.

    kkm



  • @kkm:

    The ISP will route traffic ONLY to the xx.xx.xx.02 IP address.

    I think this will only apply for incoming traffic, but I can't believe that destination addresses are translated by the ISP. So if the backup box establishes a connection to a WAN address, the reply will be sent to the backup's WAN address and the box will be able to receive it. There will be no need for an extra outbound NAT rule.
    Rather, your idea won't work for the backup. In this case, replies would be addressed to the CARP IP, which is owned by the master.



    1. Yes, when it has master status.
    2. No, until/unless it has master status (force failover), as the reply traffic will go to the primary.

    Not a good way to make connectivity from the system with backup status work in that case.
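To make the difference between answers 1 and 2 concrete, here is a small Python model of the scenario. This is an added example, not code from the thread or from pfSense. It assumes placeholder addresses laid out like the thread's xx.xx.xx.0/29 (.2 CARP VIP, .3 master, .4 backup), a constructed update-server address, and a simplified ISP that drops any packet not sourced from the VIP; the `Firewall` and `Packet` classes are illustrative only.

```python
"""Why an outbound NAT rule mapping "This Firewall (self)" onto the CARP VIP
works on the CARP master but not on the backup.

Added example, not code from the forum thread or from pfSense. Addresses are
constructed placeholders (TEST-NET ranges) shaped like the thread's /29.
"""
from dataclasses import dataclass
from typing import Dict, Optional

CARP_VIP = "203.0.113.2"         # assumed placeholder for xx.xx.xx.02
MASTER_IP = "203.0.113.3"        # assumed placeholder for xx.xx.xx.03
BACKUP_IP = "203.0.113.4"        # assumed placeholder for xx.xx.xx.04
UPDATE_SERVER = "198.51.100.10"  # constructed stand-in for an update mirror


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Firewall:
    name: str
    real_ip: str
    is_master: bool        # currently holds CARP MASTER status for the VIP
    nat_self_to_vip: bool  # the proposed "This Firewall (self)" outbound NAT rule

    def owns(self, addr: str) -> bool:
        """Addresses this box answers for on the shared WAN segment."""
        return addr == self.real_ip or (self.is_master and addr == CARP_VIP)

    def send(self, pkt: Packet) -> Packet:
        """Outbound path: the NAT rule rewrites self-originated traffic to the VIP."""
        if self.nat_self_to_vip and pkt.src == self.real_ip:
            return Packet(CARP_VIP, pkt.dst, pkt.sport, pkt.dport)
        return pkt


def isp_reply(pkt: Packet) -> Optional[Packet]:
    """Simplified ISP: forwards only packets sourced from the VIP and returns the reply."""
    if pkt.src != CARP_VIP:
        return None
    return Packet(pkt.dst, pkt.src, pkt.dport, pkt.sport)


def update_reply_reaches_origin(fw: Firewall) -> bool:
    """True when the reply lands on the same box that opened the connection."""
    out = fw.send(Packet(fw.real_ip, UPDATE_SERVER, 40000, 443))
    reply = isp_reply(out)
    if reply is None:
        return False           # ISP dropped the request: source was the real IP
    return fw.owns(reply.dst)  # the reply goes to whoever currently owns the VIP


def scenarios() -> Dict[str, bool]:
    """The cases raised in the thread, keyed by a short label."""
    return {
        "master, no NAT rule": update_reply_reaches_origin(
            Firewall("master", MASTER_IP, is_master=True, nat_self_to_vip=False)),
        "master, NAT rule": update_reply_reaches_origin(
            Firewall("master", MASTER_IP, is_master=True, nat_self_to_vip=True)),
        "backup, NAT rule": update_reply_reaches_origin(
            Firewall("backup", BACKUP_IP, is_master=False, nat_self_to_vip=True)),
        "backup after failover, NAT rule": update_reply_reaches_origin(
            Firewall("backup", BACKUP_IP, is_master=True, nat_self_to_vip=True)),
    }


if __name__ == "__main__":
    for label, ok in scenarios().items():
        print(f"{label:34s} {'reply delivered' if ok else 'update FAILS'}")
```

The backup case fails for a different reason than the no-NAT case: the ISP does forward the request, but the reply is addressed to the VIP, and on the shared segment that address belongs to whichever box holds MASTER status. Only a failover that gives the backup the VIP makes its own update traffic come back to it, which is what answer 2 above describes.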



  • Thanks for the replies.  This information helps a lot!



  • @kkm:

    I'm trying to figure out how can I get my firewalls to receive software updates and snort updates since that traffic will be sent from the real IP address of the firewalls and the ISP will not allow that.  The only resolution that I can see at this point is to make another outbound NAT rule (Firewall>NAT>outbound) that directs all traffic with a source of "This Firewall(self)" through the CARP IP.

    I don't know how feasible this is for you, but I have a proxy server on the LAN side and then configured both pfSense boxes to use the proxy.

    System->Advanced->Misc to set this up.


  • What good is a /29 if you can't use the addresses?



  • @Derelict:

    What good is a /29 if you can't use the addresses?

    Guessing it's not really a /29, it's a /30 from the ISP that he made into a /29.

