Date: Tue, 30 Sep 2008 03:45:33 -0400
From: Tom Huppi <tomh@huppi.com>
To: freebsd-pf@freebsd.org
Subject: Need best practice advice: carp and /30
Message-ID: <20080930074533.GA7549@huppi.com>
I am trying to build a pfsync implementation so that I can work on various hardening and other experiments with minimal downtime, and could use some advice. I expect to be using the most current FreeBSD codebase with this implementation. Indeed, being able to do so is a driving force behind my project.

My network layout looks like so:

                         -----------------
                 /----   | em0  PF-1  em1 |  ---\
                 |       -----------------      |
                 |              | em2           |
  ISP -- | special vlan |       |          | cisco 3560 |
                 |              | em2           |
                 |       -----------------      |
                 \----   | em0  PF-2  em1 |  ---/
                         -----------------

My ISP provides a single IP on a /30. Say 70.187.255.246, and that carries my class-C traffic which is on a different subnet entirely.

A similar solution but with only one PF firewall (also acting as a simple router) has been working well enough over the last 10 months, although I did have certain problems which I have yet to get to the bottom of. Possibly they have something to do with the Cisco which I neglected to mention in my last query to this list since I thought it unimportant at the time.

Anyway, my question relates to what are best practices vis-a-vis the network of the 'em0' interface. Pretty clearly the carp0 interface is my ISP-assigned one, but there is no room in the /30 for other addresses. My guess is that I should 'invent' an RFC1918 network for the two em0 interfaces, but I certainly don't want this to cause weird problems in the VLAN (I don't anticipate doing any routing in this VLAN, by the way.)

In my googling I found some info about getting 'carpdev' supported, and the threads seem to have dried up over a year ago, so I think that it is probably in and working these days(?) Even if so, it still remains unclear to me what is safe and appropriate in my situation.

If anyone has experience with a similar setup and hardware, I would very much appreciate knowing of their experiences. The IOS revision on the Cisco is from about a year ago...don't have it handy, but can get it if it is a factor.
(Also, thank you to all who had input on my last question to the list. I got some feedback from my ISP about it, but it only adds to the mystery. I'll follow-up on that thread when I know more.)

Thanks,

- Tom
--
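As an added example, not taken from the original post or from any reply on the list, here is one way to write the addressing Tom sketches (RFC1918 on the physical em0s, the ISP-assigned address as the CARP VIP, a dedicated em2 link for pfsync) into /etc/rc.conf for PF-1. It uses the FreeBSD 10-and-later syntax, where a CARP address is an alias on the physical interface itself, so the parent interface is explicit and the carpdev question does not arise; on the cloned-carp0 code of the 2008 era, carp0 attaches to whichever physical interface already carries an address in the VIP's subnet, which a fully used /30 cannot provide. Everything except 70.187.255.246/30 is an assumption: the 10.255.255.0/30 and 10.255.254.0/30 transit networks, the 192.0.2.0/24 inside network standing in for the poster's class C, the vhid numbers, the advskew values and the placeholder passwords.

```shell
# /etc/rc.conf fragment for PF-1 (constructed example; FreeBSD 10+ rc syntax).
# PF-2 is identical apart from the host addresses (.2 instead of .1 on each
# transit net) and advskew="100" on both vhids so PF-1 is preferred as master.

# em0: faces the ISP "special vlan". The real address is RFC1918 (assumed);
# the ISP-assigned address rides on em0 as the CARP virtual IP, so only the
# current master answers for 70.187.255.246 and the /30 needs no spare host.
ifconfig_em0="inet 10.255.255.1/30"
ifconfig_em0_alias0="inet vhid 1 advskew 0 pass CHANGE_ME_WAN alias 70.187.255.246/30"
defaultrouter="70.187.255.245"      # assumed: the ISP end of the /30

# em1: inside, towards the 3560. Inside hosts default-route to the inside VIP
# (assumed 192.0.2.1), so failover is invisible to them.
ifconfig_em1="inet 192.0.2.2/24"
ifconfig_em1_alias0="inet vhid 2 advskew 0 pass CHANGE_ME_LAN alias 192.0.2.1/24"

# em2: point-to-point link to PF-2 used only for pfsync (assumed network).
# pfsync is neither authenticated nor encrypted, so it belongs on a dedicated
# wire, never on the ISP VLAN.
ifconfig_em2="inet 10.255.254.1/30"
pfsync_enable="YES"
pfsync_syncdev="em2"
pfsync_syncpeer="10.255.254.2"      # unicast to PF-2 instead of multicast

gateway_enable="YES"
pf_enable="YES"
pflog_enable="YES"
```

Two checks go with this. First, the ISP VLAN on the 3560 must forward CARP advertisements between the two em0 ports (IP protocol 112 to 224.0.0.18); if IGMP snooping or a port ACL drops them, both boxes become master and the ISP sees a flapping MAC for 70.187.255.246. Second, pf.conf must pass `proto carp` on em0 and em1 and `proto pfsync` on em2 (with `keep state (no-sync)` on the latter so pfsync traffic does not sync itself), otherwise the default-deny ruleset silently breaks the failover it is supposed to protect.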