I hope you can give me some pointers while moving from iptables to pfSense.
Since pfSense seems to have a better failover solution than iptables (ipcluster),
I want to set up 2 pfSense firewalls and have some questions.
First my structure/idea, after that my questions.
NET
 \___________________________
  |
 .~~~~~~|~~~~~.      .~~~~~~~~~~~~.
 | FW1        |      | FW2        |
 | HW: atom   |      | HW: "VBox" |
 ```|||||``````      ``````````````
    |||||
 ====+=+++++=+==========+=========+========
   __|_   _|__        __|_       __|__
  |WS01| |WS02| ..  |WSXY| ..  |OTHER| ..
  ``````  ``````     ``````     ```````
That is the current configuration.
At the moment I only use firewall 1 (FW1).
It is a Debian box with iptables that has an Atom CPU as hardware,
and I think about switching to pfSense to get some fail-over and (best case) load balancing.
The rules for in/outbound traffic and traffic between the VLANs are simple and I don't see a problem converting them.
If I read the manual/websites correctly I can replace netmap with Proxy ARP,
therefore I could get the same configuration I have now.
Now to the "new" stuff:
I have an Intel server that has some (2-3) unused NICs and VirtualBox installed.
My idea is to use CARP to get some fail-over and perhaps load balancing.
(Most workstations get a public IP to avoid logging their connections;
a shared public IP would be great for 2 public services.)
Now to the questions:
- Can I use multiple CARP VIPs as a base for a 1:1 NAT? (I need 10-20 1:1 NAT IP addresses.)
- Is it more useful to use multiple default gateways (iproute2) in the Linux machines or a set of shared LAN CARP VIPs? (One for each VLAN.)
- Do I need specific switch support/configuration to enable the in/outbound CARP VIPs? (I have a Cisco switch.)
- Is using LACP ports with CARP a problem?
Would be great to get some insight.
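Added example, not from the post and not pfSense's own code: a small Python consistency check for the layout the post sketches, several WAN CARP VIPs used as 1:1 NAT external addresses plus one shared LAN CARP VIP per VLAN. It catches the planning mistakes that surface as flapping or unreachable services after cut-over (a VHID reused on one broadcast domain, a VIP outside its subnet, a backup node with a lower advskew than the primary, a 1:1 NAT external address that is not actually a WAN VIP). Interface names and all addresses are constructed placeholders from the RFC 5737 documentation ranges.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network


@dataclass(frozen=True)
class CarpVip:
    """One shared (CARP) address as it would be configured on both firewalls."""
    interface: str        # hypothetical interface name: "wan", "lan_vlan10", ...
    address: str          # the shared IP both nodes answer for
    subnet: IPv4Network   # subnet the VIP must live in
    vhid: int             # CARP virtual host id, 1..255
    advskew_primary: int  # advertisement skew on FW1 (lower value becomes master)
    advskew_backup: int   # advertisement skew on FW2


@dataclass(frozen=True)
class OneToOneNat:
    """A 1:1 NAT entry: public (external) address <-> private host."""
    external: str
    internal: str


def check_plan(vips, nats, lan_subnets):
    """Return human-readable problems; an empty list means the plan is consistent."""
    problems = []
    seen_vhid = {}
    for v in vips:
        if not 1 <= v.vhid <= 255:
            problems.append(f"{v.address}: vhid {v.vhid} outside 1..255")
        # The CARP virtual MAC is derived from the VHID (00:00:5e:00:01:<vhid>),
        # so two VIPs on the same broadcast domain must not share a VHID.
        key = (v.interface, v.vhid)
        if key in seen_vhid:
            problems.append(f"{v.address}: vhid {v.vhid} already used on "
                            f"{v.interface} by {seen_vhid[key]}")
        seen_vhid[key] = v.address
        if ip_address(v.address) not in v.subnet:
            problems.append(f"{v.address}: not inside {v.subnet}")
        if v.advskew_primary >= v.advskew_backup:
            problems.append(f"{v.address}: primary advskew must be lower than backup advskew")

    wan_vips = {v.address for v in vips if v.interface == "wan"}
    used_external, used_internal = set(), set()
    for n in nats:
        if n.external not in wan_vips:
            problems.append(f"1:1 NAT {n.external}: external address is not a WAN CARP VIP")
        if n.external in used_external:
            problems.append(f"1:1 NAT {n.external}: external address mapped twice")
        used_external.add(n.external)
        if n.internal in used_internal:
            problems.append(f"1:1 NAT {n.external}: internal {n.internal} mapped twice")
        used_internal.add(n.internal)
        if not any(ip_address(n.internal) in s for s in lan_subnets):
            problems.append(f"1:1 NAT {n.external}: internal {n.internal} is in no LAN subnet")
    return problems


# Constructed sample plan (documentation address ranges, not real ones).
WAN_NET = ip_network("198.51.100.0/24")
VLAN10 = ip_network("192.0.2.0/25")
VLAN20 = ip_network("192.0.2.128/25")


def example_plan():
    """Three WAN VIPs (one shared outbound, two for 1:1 NAT) and one LAN VIP per VLAN."""
    vips = [
        CarpVip("wan", "198.51.100.10", WAN_NET, 10, 0, 100),
        CarpVip("wan", "198.51.100.11", WAN_NET, 11, 0, 100),
        CarpVip("wan", "198.51.100.12", WAN_NET, 12, 0, 100),
        CarpVip("lan_vlan10", "192.0.2.1", VLAN10, 20, 0, 100),
        CarpVip("lan_vlan20", "192.0.2.129", VLAN20, 21, 0, 100),
    ]
    nats = [
        OneToOneNat("198.51.100.11", "192.0.2.10"),
        OneToOneNat("198.51.100.12", "192.0.2.140"),
    ]
    return vips, nats, [VLAN10, VLAN20]


if __name__ == "__main__":
    v, n, lans = example_plan()
    for p in check_plan(v, n, lans) or ["plan is consistent"]:
        print(p)
```

The per-VLAN LAN VIP in the sample is what the hosts would use as their single default gateway, which is the alternative to juggling several default routes with iproute2 on every Linux box; the VHID uniqueness check is per interface because the VLANs are separate broadcast domains.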
