Date: Tue, 30 Sep 2008 03:45:33 -0400 From: Tom Huppi <tomh@huppi.com> To: freebsd-pf@freebsd.org Subject: Need best practice advice: carp and /30 Message-ID: <20080930074533.GA7549@huppi.com>
next in thread | raw e-mail | index | archive | help
I am trying to build a pfsync implementation so that I can
work on various hardening and other experiments with minimal
downtime, and could use some advice.
I expect to be using the most current FreeBSD codebase with this
implementation. Indeed, being able to do so is a driving force
behind my project.
My network layout looks like so:
-----------------
/-- | em0 PF-1 em1 | ---
| ------------ | / | em2 |
ISP -- | special vlan | ----------------
| cisco 3560 | |
|------------- |\ ----------------
\ | em2 |
- | em0 PF-2 em1 | ----
----------------
My ISP provides a single IP on a /30. Say 70.187.255.246, and
that carries my class-C traffic which is on a different subnet
entirely.
A similar solution but with only one PF firewall (also acting as
a simple router) has been working well enough over the last 10
months, although I did have certain problems which I have yet to
get to the bottom of. Possibly they have something to do with
the Cisco which I neglected to mention in my last query to this
list since I thought it unimportant at the time.
Anyway, my question relates to what are best-practices vis-a-vis
the network of the 'em0' interface. Pretty clearly the carp0
interface is my ISP assigned one, but there is not room in the
/30 for other addresses.
My guess is that I should 'invent' a RFC1918 network for the two
em0 interfaces, but I certainly don't want this to cause wierd
problems in the VLAN (I don't anticipate doing any routing in
this VLAN, by the way.)
In my googleing I found some info about getting 'carpdev'
supported and the threads seem to have dried up over a year
ago, so I think that it is probably in and working these days(?)
Even if so, still remains unclear to me what is safe and
appropriate in my situation.
If anyone has experiance with a similar setup and hardware, I
would very much appreciate knowing of their experiances. The
IOS revision on the Cisco is from about a year ago...don't have
it handy, but can get it if it is a factor.
(Also, thank you to all who had input on my last question to the
list. I got some feedback from my ISP about it, but it only
adds to the mystery. I'll follow-up on that thread when I know
more.)
Thanks,
- Tom
--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080930074533.GA7549>