<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">You're welcome!..<div><br></div><div>btw... have a look at the pfsense failover configuration... I also use Asterisk here behind the pfsense and have seen it swap over a few times..</div><div><br></div><div>if you are using UDP SIP then you might miss a little sound for a few seconds or hear the sound twice.. if you are using SIP TCP (TLS), which is the best to use for security, then it's almost as transparent as it gets. Either way the PFSense systems will fail over within a few microseconds.</div><div><br></div><div>oh and if you are using asterisk behind a pfsense firewall then you really should look to use WAN Bridging and give the asterisk a public IP as well as an internal private one.. You can then configure the pfsense to block _everything_ except the SIP port and media transport high ports.</div><div><br></div><div>I also wrote a little script which trolls the asterisk logs looking for SIP clients which auth incorrectly 3 times and adds them to the asterisk iptables firewall to block them :D</div><div><br></div><div>My asterisk configuration is maintained in a subversion depot, and I have two asterisk systems sitting side by side; the second has a mirror copy of the configuration (by subversion), so if I get a failure I just have to swap the ISDN30 from one to the other (I could automate it) but the company wouldn't spring for the necessary hardware! :(</div><div><br></div><div>--Guy</div><div><br><div><div>On 14 Jun 2012, at 18:44, Bruce B wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">Oh WOW. It does work. The /27 block was previously statically routed to our /29 IP block. We asked them to change that to a routable range, so I thought we had to obtain the /27 IP statically like we pick the /29 now on the WAN port.<div>
<br></div><div>This is amazing. It works fine.</div><div><br></div><div>I think now I should think of making all this redundant using the 2nd pfSense. I don't think CARP is the way to go for us as we have many Asterisk servers and so IP changes won't be easily manageable. Maybe something like the 2nd pfSense taking over with exactly the same settings once the 1st pfSense fails...</div>
<div><br></div><div>Thanks a lot again Guy. You saved me a 70km trip and at least 5 hours of work :-)</div><div><br></div><div><br><br><div class="gmail_quote">On Thu, Jun 14, 2012 at 1:16 PM, Guy <span dir="ltr"><<a href="mailto:guy@britewhite.net" target="_blank">guy@britewhite.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">unless you have a real burning desire to have a second PFSense firewall you do not need it here.<div>
<br></div><div>log in to your current pfsense system and go to virtual IPs and create a new virtual IP for one of the IPs in the second routable block. Then go to NAT and rules and add rules and NATs to an already existing system, eg WWW.. And see that it works! :)</div>
<div><br></div><div>In fact if you do have the second pfsense firewall I would be inclined to put the two together to make a failover cluster; that way you get redundancy should one fail :D Again, I do that here.</div><div>
<br></div><div>btw I only sent one attachment, the list of all my vmbrs. And no you do not need to give them all IP addresses.. just one which you use for administration purposes. The rest are given to the KVM or openVZ systems which then have their own IP address for them inside.</div>
<div><br></div><div><br></div><div>--Guy</div><div><br></div><div><br></div><div><div><div><div>On 14 Jun 2012, at 17:56, Bruce B wrote:</div><br></div><blockquote type="cite"><div>Amazing info Guy. Thanks. I read your notes and saw the last picture. The first picture you attached didn't come through.<div>
<br></div><div>So, here is my situation (You will have to use a big screen to see this):</div>
<div><br></div><div>pfSense-1 - First routable IP block: <a href="http://65.65.65.66/" target="_blank">65.65.65.66/</a><b>29</b></div><div>pfSense-2 - Second routable IP block: <a href="http://189.189.189.189/" target="_blank">189.189.189.189/</a><b>27</b><br>
<br>They are totally different ranges but here is a diagram of my equipment:</div><div><br></div><pre>
ISP ====> Dumb Switch
             |           |
         pfSense1    pfSense-2
        _____|___________|_____
        |   eth0       eth1   |
        |                     |
        |_______ProxMox ______|
</pre>
<div><br></div><div>I have vmbr0 just like yours and it got its private IP of 192.168.5.5 and all containers through that bridge can obtain a DHCP IP in the range <a href="http://192.168.5.0/24" target="_blank">192.168.5.0/24</a>. I don't need to assign public IP addresses directly to containers. I can use pfSense to do the NAT forward.</div>
<div><br></div><div><br></div><div>So, how come your vmbr2 or vmbr3 have IPs assigned to them? Shouldn't they have IPs? Not that I care as my vmbr0 already gives me GUI access to Proxmox but I am wondering how it works.</div>
<div><br></div><div>So, I don't want to lose GUI access (that can be a nightmare for me given it's a production server and there are no test servers here). Would I be safe if I just go ahead to the GUI and create vmbr1 and then attach the 2nd pfSense to it?</div>
<div><br></div><div>****Given the two very different public IP ranges I receive from my ISP, can I still use VLANs? </div><div><br></div><div>Thanks again for all your patience. I am learning a lot.</div><div><br></div></div>
<div>
<br><br><div class="gmail_quote"><div>On Wed, Jun 13, 2012 at 2:14 PM, Guy <span dir="ltr"><<a href="mailto:guy@britewhite.net" target="_blank">guy@britewhite.net</a>></span> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word"><div>ok, let's see if I can be clearer now that I'm reading this on a bigger screen :)<div><br></div><div><br></div><div>Your ISP has given you a second routable block of IPs, correct? The next hop for both these network segments is the same, correct (the Gateway that the pfsense points to on the WAN interface)? In which case I'm not really sure why you feel the need for another interface on your router. </div>
<div><br></div><div>Are you using NAT, or bridging the WAN interface? If NAT, ie the firewall is holding the IPs and you're using private addresses internally, then just carry on with that; all will be well, no need to do anything special.</div>
<div><br></div><div>On the proxmox side... you can create "Bridge" interfaces and not give the proxmox an IP on it. This is by far the best way. Just create a bunch of VLANs and then create the bridge interfaces inside proxmox, and push them to the correct VM image. On my Proxmox system I have this..</div>
<div><br></div></div><div><span>[attachment: PastedGraphic-1.tiff, the list of vmbrs]</span></div><div><div><div><br></div><div>As you can see the bridge interface vmbr0 is the only one with an IP address.. This is the IP I talk to the proxmox with.. All the others are VLANs on my network; I then select the correct interface for the correct VM depending on where I want it to sit in my network.</div>
<div><br></div><div>eg..</div><div> </div><div>vmbr1 is my DMZ network with NAT IP addresses... 192.168.55.x</div><div><br></div><div>vmbr10 is my WANBRIDGE interface and thus has a public IP address directly on it, for systems which I expose to the interface behind the pfsense firewall, which is just doing ACL security and not NAT.</div>
<span><font color="#888888"><div><br></div><div><br></div><div>--Guy</div></font></span><div><div><div><br></div><div><div><div>On 13 Jun 2012, at 18:56, Bruce B wrote:</div><br><blockquote type="cite">
Guy,<div><br></div><div>Thanks for the input.</div><div><br></div><div>If I create a vmbr1 and then whenever I create a container can't I simply select vmbr1 as the venet or veth? Are you saying I have to change things on the host node (I'd like to stay away from that).</div>
<div><br></div><div>What is involved with pfSense vlans? My pfSense has 3 ports. My ISP gives two totally separate blocks of IPs to us (one is a /29 and other is a /27). The /29 right now is using WAN port on pfSense. LAN-1 port is going to Proxmox. I am only left with LAN-2. If I use that as WAN-2 then I don't have a LAN port left to connect to proxmox.</div>
<div><br></div><div>Do you see VLANs as still easier for me to set up the /27 on, with lower management overhead than getting a second router involved?</div><div><br></div><div>Best,<br><br><div class="gmail_quote">
On Wed, Jun 13, 2012 at 1:45 PM, Guy <span dir="ltr"><<a href="mailto:guy@britewhite.net" target="_blank">guy@britewhite.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><div>Why not use VLANs on your pfsense firewall? I do this all the time. </div><div><br></div><div>On a side note. You can't have two default routes. You can add routes to specific networks. As this is standard Debian you can Google for details on setting that up<br>
<br>---Guy<div>(via iPhone)</div></div><div><div><div><br>On 13 Jun 2012, at 18:37, Bruce B <<a href="mailto:bruceb444@gmail.com" target="_blank">bruceb444@gmail.com</a>> wrote:<br><br></div><blockquote type="cite">
<div>Hi Everyone,<div><br></div><div>I have a SuperMicro server with two NIC ports on it. Eth0 is connected to a pfSense router and all the VMs and Containers obtain a DHCP IP from that router via Proxmox vmbr0. I want to add another router to the equation for redundancy and also because we got another block of IP addresses that I want to use. My current pfSense router doesn't have the ports needed to do the job so I need a second pfSense router for this. This is what I see in Network setup now:</div>
<div><br></div><div><table>
<tr><th>Name</th><th>Active</th><th>Autostart</th><th>Ports/Slaves</th><th>IP address</th><th>Subnet mask</th><th>Gateway</th></tr>
<tr><td>eth0</td><td>Yes</td><td>No</td><td></td><td></td><td></td><td></td></tr>
<tr><td>eth1</td><td>No</td><td>No</td><td></td><td></td><td></td><td></td></tr>
<tr><td>vmbr0</td><td>Yes</td><td>Yes</td><td>eth0</td><td>192.168.10.5</td><td>255.255.255.0</td><td>192.168.5.1</td></tr>
</table>
</div><div><br></div><div><br></div><div>I have previously lost access to Proxmox GUI when turning on the eth1. I don't have the luxury of testing now. I have to do this precisely and correctly. So my questions are:</div>
<div><br></div><div>1- Which files should I back up first so that if I lose access to the Proxmox GUI, I can restore them and do a "network restart" and get it all running in the previous working state?</div><div>2- The new router will supply <a href="http://192.168.20.0/24" target="_blank">192.168.20.0/24</a> IP ranges. After I connect it to the eth1 port on the server, what should I do to turn it on?</div>
<div>3- Once it's set up, how do I go about dictating which VM or Container should obtain an IP from which interface? Do I need a vmbr1?</div><div><br></div><div>Thanks</div>
</div></blockquote></div></div><blockquote type="cite"><div><span>_______________________________________________</span><br><span>pve-user mailing list</span><br><span><a href="mailto:pve-user@pve.proxmox.com" target="_blank">pve-user@pve.proxmox.com</a></span><br>
<span><a href="http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user" target="_blank">http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user</a></span><br></div></blockquote></div></blockquote></div><br></div>
</blockquote></div><br></div></div></div></div></div></div></blockquote></div><br></div>
</blockquote></div><br></div></div></blockquote></div><br></div>
</blockquote></div><br></div></body></html>
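Guy's log-watching script for Asterisk is mentioned in the thread but not posted. What follows is an added example written for this page, not Guy's code: it scans chan_sip "Registration from ... failed for ..." NOTICE lines, counts failures per source address, skips RFC 1918 addresses by default so an internal phone with a mistyped password cannot lock the LAN out of the PBX, and returns the iptables commands as strings rather than executing them. The log line format is the one chan_sip prints for a failed registration; the sample log lines are constructed (documentation address ranges), and the threshold of 3 follows the thread.

```python
"""Scan Asterisk chan_sip log lines for repeated failed registrations and
build iptables rules for the offending source addresses.

Added example, not the script from the thread. The sample log lines are
constructed and use documentation address ranges."""
import ipaddress
import re
from collections import Counter

# chan_sip logs a failed registration as:
#   NOTICE[pid] chan_sip.c: Registration from '<user>' failed for '<ip>:<port>' - <reason>
FAILED_REG = re.compile(
    r"NOTICE\[\d+\] chan_sip\.c: Registration from '(?P<user>[^']*)' "
    r"failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.+)$"
)

# Block after this many failures from one address (the "3 times" in the thread).
THRESHOLD = 3

# Never auto-block these: a LAN phone with a mistyped password must not cut
# the office off from the PBX. Adjust to the networks behind your pfsense.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: 203.0.113.5 fails three times (block it), 192.168.55.20
# fails three times from the LAN (report, do not block), 198.51.100.7 once.
SAMPLE_LOG = """\
[Jun 14 18:44:01] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password
[Jun 14 18:44:02] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password
[Jun 14 18:44:03] VERBOSE[1234] chan_sip.c: Registered SIP '201' at 192.168.55.20:5060
[Jun 14 18:44:04] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password
[Jun 14 18:44:05] NOTICE[1234] chan_sip.c: Registration from '"201" <sip:201@192.0.2.10>' failed for '192.168.55.20:5060' - Wrong password
[Jun 14 18:44:06] NOTICE[1234] chan_sip.c: Registration from '"201" <sip:201@192.0.2.10>' failed for '192.168.55.20:5060' - Wrong password
[Jun 14 18:44:07] NOTICE[1234] chan_sip.c: Registration from '"201" <sip:201@192.0.2.10>' failed for '192.168.55.20:5060' - Wrong password
[Jun 14 18:44:08] NOTICE[1234] chan_sip.c: Registration from '"999" <sip:999@192.0.2.10>' failed for '198.51.100.7:5060' - No matching peer found
"""


def count_failures(lines):
    """Count failed registrations per source IP; non-matching lines are ignored."""
    counts = Counter()
    for line in lines:
        m = FAILED_REG.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def offenders(counts, threshold=THRESHOLD, allowlist=RFC1918):
    """Addresses at or above the threshold that are not in an allowlisted network."""
    hits = []
    for ip, n in counts.items():
        if n < threshold:
            continue
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in allowlist):
            continue
        hits.append(ip)
    return sorted(hits)


def iptables_commands(ips, chain="INPUT"):
    """Build one DROP rule per address. Returned as strings so the caller
    decides whether and how to apply them (ideally with a timed expiry)."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    counts = count_failures(SAMPLE_LOG.splitlines())
    for ip, n in sorted(counts.items()):
        print(f"{ip:16} {n} failed registration(s)")
    for cmd in iptables_commands(offenders(counts)):
        print(cmd)
```

Run against a real system the functions would be fed lines from /var/log/asterisk/messages (the path is the Asterisk default, not stated in the thread); the LAN address in the sample still shows up in the per-address counts so a misconfigured internal phone is visible without being blocked.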