Date: Tue, 30 Sep 2008 17:12:32 -0400
From: Tom Huppi <tomh@huppi.com>
To: Catalin Miclaus <catalin@starcomms.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: Need best practice advice: carp and /30
Message-ID: <20080930211232.GA35980@huppi.com>
In-Reply-To: <3A0AA7018522134597ED63B3B794C92A0301B363@STA-HQ-S001.starcomms.local>
References: <20080930074533.GA7549@huppi.com> <3A0AA7018522134597ED63B3B794C92A0301B363@STA-HQ-S001.starcomms.local>
On 10:44 Tue 30 Sep , Catalin Miclaus wrote:
> tomh writes:
> > I am trying to build a pfsync implementation so that I can
> > work on various hardening and other experiments with minimal
> > downtime, and could use some advice.
> >
> > I expect to be using the most current FreeBSD codebase with this
> > implementation. Indeed, being able to do so is a driving force
> > behind my project.
> >
> > My network layout looks like so:
> >
> >                            -----------------
> >                       /-- | em0  PF-1  em1 | ---
> >         --------------     |      em2       |
> > ISP -- | special vlan |     -----------------
> >        | cisco 3560   |\           |
> >         --------------  \   -----------------
> >                          \ |      em2       |
> >                           - | em0  PF-2  em1 | ----
> >                             -----------------
> >
> > My ISP provides a single IP on a /30. Say 70.187.255.246, and
> > that carries my class-C traffic which is on a different subnet
> > entirely.
> >
> > A similar solution but with only one PF firewall (also acting as
> > a simple router) has been working well enough over the last 10
> > months, although I did have certain problems which I have yet to
> > get to the bottom of. Possibly they have something to do with
> > the Cisco which I neglected to mention in my last query to this
> > list since I thought it unimportant at the time.
> >
> > Anyway, my question relates to what are best-practices vis-a-vis
> > the network of the 'em0' interface. Pretty clearly the carp0
> > interface is my ISP assigned one, but there is not room in the
> > /30 for other addresses.
> >
> > My guess is that I should 'invent' an RFC1918 network for the two
> > em0 interfaces, but I certainly don't want this to cause weird
> > problems in the VLAN (I don't anticipate doing any routing in
> > this VLAN, by the way.)
> >
> > In my googling I found some info about getting 'carpdev'
> > supported and the threads seem to have dried up over a year
> > ago, so I think that it is probably in and working these days(?)
> > Even if so, it still remains unclear to me what is safe and
> > appropriate in my situation.
> >
> > If anyone has experience with a similar setup and hardware, I
> > would very much appreciate knowing of their experiences. The
> > IOS revision on the Cisco is from about a year ago...don't have
> > it handy, but can get it if it is a factor.
> >
> > (Also, thank you to all who had input on my last question to the
> > list. I got some feedback from my ISP about it, but it only
> > adds to the mystery. I'll follow up on that thread when I know
> > more.)
> >
> > Thanks,
> >
> > - Tom
>
>
> On the external interface you need to configure at least the default route.
> Moreover your ISP will have to configure the same private range on his
> equipment, which I doubt he will agree to.
>
> The way I see it you have 2 solutions:
>
> 1. request a /29 from your ISP
> 2. use the enhanced image for the 3560 (that will make it a layer 3 device) with
> a private range to your firewalls and the public range on the ISP link

Thank you for your suggestions. The 3560 I have to work with has
'C3560-IPBASE-M' while the one I have currently in production has
'C3560-ADVIPSERVICESK9-M'. I think that both of these IOS versions
would do simple VLAN routing. I am very much a novice at this and
don't use any VLAN routing at all currently since I was able to do
the simple stuff I needed host-side on my current setup. (I have
been planning to abandon that strategy with my new carp implementation
and try to do more with VLAN routing, but that is on the 'other side'
of the issue I am currently trying to deal with.)

I wonder if it would/could work to have something like:

          ----------       ----------
ISP --> | 3560     | --> | 3560     | -- em0:pf-1
        | VLAN /30 |     | VLAN /29 | -- em0:pf-2
          ----------       ----------

where I arrange appropriate routing between the two VLANs? Perhaps
that is basically what you are suggesting?
I am quite confused about what traffic one would expect to see making
it out of the em0 interfaces when carp is active and working.
Relatedly, what exactly the default route does in such a scenario.
These details don't seem to be broadly described in the documentation
I have run across so far.

Thanks again for any thoughts on the matter.

- Tom

> Best Regards
> Catalin Miclaus
> ISP-Data Ops.
> Starcomms Ltd.
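Added example (editor's note, not part of the original thread and not the poster's or the FreeBSD project's own configuration): one way to do what the poster asks about on a FreeBSD release with the rewritten carp(4) (10.0 and later). There the virtual address is configured directly on em0 with a vhid, so em0 no longer has to own a second address inside the ISP's /30; the older cloned carp0 interface picked its parent by looking for an address in the virtual address's subnet, which is what left no room in a /30 and made people ask for carpdev. With that, the poster's own idea works as-is: an RFC1918 address on each em0, the public address as the carp alias, no second VLAN and no /29. The script prints rc.conf(5), pf.conf(5) and sysctl.conf(5) fragments for each node. The link net 192.168.250.0/30 on em0, the pfsync crossover net 10.255.255.0/30 on em2, the ISP gateway 70.187.255.245 (the other usable address of the /30), the vhid, the advskew values and the password are all assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the original thread. Prints rc.conf(5),
# pf.conf(5) and sysctl.conf(5) fragments for a two-node carp/pfsync pair on
# FreeBSD 10+, where the public /30 address is a carp alias on em0 and em0's
# own address is RFC1918. Every address, the vhid, the advskew values and the
# password are assumptions made for illustration.

VIP="70.187.255.246/30"       # the single ISP-assigned address, as a carp alias
ISP_GW="70.187.255.245"       # assumed: the other usable address of the /30
LINK_NET="192.168.250"        # assumed RFC1918 net for the em0 physical addresses
SYNC_NET="10.255.255"         # assumed net for the em2 pfsync crossover
VHID=1
PASS="s3cr3t"                 # assumed; change it, the carp password is a shared secret

# rc.conf fragment for node N (1 = preferred master, 2 = backup).
carp_rcconf() {
    node="$1"
    case "$node" in
        1) skew=0 ;;      # lowest advskew wins the master election
        2) skew=100 ;;
        *) echo "usage: carp_rcconf 1|2" >&2; return 1 ;;
    esac
    cat <<EOF
# em0: ISP-facing VLAN. The physical address is RFC1918 and is never given
# to the ISP; the public address lives on the carp vhid and follows MASTER.
ifconfig_em0="inet ${LINK_NET}.${node}/30"
ifconfig_em0_alias0="inet vhid ${VHID} advskew ${skew} pass ${PASS} alias ${VIP}"
# The /30 on the alias installs the connected route that makes the ISP gateway
# reachable, so the default route can point at it.
defaultrouter="${ISP_GW}"
gateway_enable="YES"
# em2: back-to-back link between the two firewalls for state replication.
ifconfig_em2="inet ${SYNC_NET}.${node}/30"
pf_enable="YES"
pfsync_enable="YES"
pfsync_syncdev="em2"
EOF
}

# pf.conf fragment, identical on both nodes.
carp_pfconf() {
    cat <<'EOF'
ext_if = "em0"
sync_if = "em2"
# pfsync replicates the state table unauthenticated: only ever on the crossover.
pass quick on $sync_if proto pfsync
# What leaves em0 besides routed traffic: CARP advertisements, IP protocol 112
# to multicast 224.0.0.18, sent by the MASTER once a second. Both nodes must
# be allowed to see them or both will believe they are MASTER.
pass on $ext_if proto carp
EOF
}

# sysctl.conf fragment: let the lower-advskew node take the address back
# when it returns after a failure.
carp_sysctlconf() {
    echo "net.inet.carp.preempt=1"
}

# Stand-alone: `sh carp-node.sh 1` prints the fragments for node 1.
if [ "${1:-}" = 1 ] || [ "${1:-}" = 2 ]; then
    carp_rcconf "$1"
    echo
    carp_pfconf
    echo
    carp_sysctlconf
fi
```

Run it with the node number (`sh carp-node.sh 1`, `sh carp-node.sh 2`) and merge the output into each firewall's /etc/rc.conf, /etc/pf.conf and /etc/sysctl.conf. The RFC1918 addresses on em0 are not advertised to the ISP and carry no routed traffic; the ISP only ever sees the public address, which moves between the boxes with the carp MASTER role. Keep pfsync on the dedicated em2 crossover and nowhere near the ISP VLAN, since it carries the whole state table without authentication.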
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080930211232.GA35980>