General Discussion / Multiple public IP aliases on CARP/HA WAN
« on: May 26, 2017, 10:04:09 pm »
Planning to move to an HA solution with 2 firewalls (virtual) using CARP and sync.
# Currently (works & all ok):
- WAN interface has dedicated public IP
- Virtual IP aliases registered on WAN interface
- NATing and filters
# Issue with HA solution.
For HA to work, the WAN interfaces have to use 3 public IPs: 2x dedicated, one on each box's WAN interface, and the VIP/CARP IP.
So far, clear. But I have to register additional public IP aliases on the firewall WAN side, which are further to be NATed. I also utilize several public subnets.
Q:
- Can I register additional WAN interface IP aliases as a single entry, and will they be serviced (synced/moved) appropriately? (I'm in doubt, as due to sync, such an IP alias would appear on both nodes and would cause an IP conflict on the WAN network segment.)
...or...
- Should I use the same principle as above: use 3 IPs (aliases in addition to the main FW node IP addressing), where 2x are assigned as aliases to the WAN interface on each corresponding node, and the 3rd IP alias (registered as CARP) is used for HA?
The latter would significantly increase the IP space used, which I'd like to avoid.
Or, in other words, how do I add additional IP aliases to the WAN side of an HA FW cluster?
I would appreciate your thoughts or experience, if any.