11-28-2024 06:49 AM
Hi Everyone,
I'm currently studying computer engineering and have a project in which I'm trying to create a model of a fully redundant and secure network topology within GNS3. The secure part can wait because right now I'm just trying to get everything to work, however I'm getting very confused when it comes to the configuration between my Firewalls (edge devices) and Core Switches. I've had experience with GNS3 and managing parts of a real network in the past, but unfortunately it was for a small company and as such they didn't use full redundancy.
My current network in GNS3 looks as follows:
I have two PFSense firewalls connected to a cloud in GNS3 for outbound connections (ISP). These firewalls utilise the CARP protocol, and I have a VIP created on both the WAN (em0), DMZ (em5) and LAN (e3 and e4) ports. My main question is regarding the two Core switches (swWarszawaCore1 & 2) and the firewalls (PFSense-1 & 2).
I want full redundancy between all 4 devices, and my initial thought is to have VRRP configured on the Core Switches and CARP on the Firewalls. I have ports e3 & e4 on both firewalls bundled into a LAGG port, called port 1. PFSense-1 lagg1 has 192.168.11.2/29 assigned to it and PFSense-2 lagg1 has 192.168.11.3/29 assigned to it. The VIP configured for these ports is 192.168.11.1. The etherchannel uses LACP.
On the core switches, connected to lagg1 on the firewalls, I have port-channel1 configured using LACP. I configured an SVI for VLAN 14 on each switch, and configured port-channel1 as an access port for VLAN 14. The VLAN 14 SVI on Core1 is configured with 192.168.11.4/29 and Core2 is configured with 192.168.11.5/29. The VIP configured (using VRRP) for the VLAN 14 SVI is 192.168.11.6.
Okay great, so from swCore1 I can ping 192.168.11.2 (the directly upstream firewall IP in the same subnet), but I cannot ping the VIP. I have a feeling it is because I haven't configured the "crossed" interfaces yet, eth1/3 on the core switches.
I don't really know how this should be configured, and I'm not even sure my current approach is correct; any recommendations or help that could be provided would be greatly appreciated, as I don't know how to proceed from here.
I'm happy to dump configs if requested.
11-28-2024 07:08 AM
Two solutions here:
1- use standalone FW
in this solution
A-A- FW use VIP of HSRP in static route toward Core SW
A-B- Core SW use default route toward both FW but one with high AD
B-A- FW use IGP and inject default route into Core
2- FW run HA
MHM
11-29-2024 04:27 AM
Dear MHM,
Thank you very much for the prompt response; I have been reviewing the topology and settings today and I think that I have decided to give up on using the CARP (basically HSRP) protocol on the firewalls. The VIP of the firewalls on the LAN side is completely unreachable, even with allow-any security rules and connectivity to the physical IP addresses 192.168.11.2 & 3. I'm not sure if this is a GNS3 simulation issue, a Layer 8 issue (I wouldn't be surprised) or a PFSense issue, but regardless, I need to make more progress.
My plan is to configure option A - Configure a static route on the firewalls to use the VIP of the core switches when sending packets to clients and also configure 2 default routes on the core switches, one with a higher Administrative Distance.
I might configure something like OSPF in the future if I get the concept working with static routing.
I assume the connections between:
1. CoreSwitch1 and Firewall2
2. CoreSwitch2 and Firewall1
should be L3 connections for the double default routes - if you think I've misunderstood anything then please pop a quick response over, otherwise this has been solved!
Thank you very much,
Callum
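As an added example (not posted by anyone in this thread), a Cisco IOS-style configuration for swWarszawaCore1 that implements the plan in the last post: the LACP port-channel as an access port in VLAN 14, the VLAN 14 SVI with the thread's addresses and VRRP VIP, an L3 cross-link to PFSense-2, and two default routes where the second is a floating static with a higher administrative distance. The interface names, the VRRP group number and the cross-link subnet 192.168.12.0/29 (with PFSense-2 assumed at 192.168.12.3) are assumptions; classic IOS syntax is shown and may differ on the platform in use.

```cisco
! swWarszawaCore1 - assumed IOS syntax; Core2 mirrors this with 192.168.11.5 on
! Vlan14, its own cross-link /29 toward PFSense-1, and the two ADs swapped.
vlan 14
 name FW-LAN
!
! Member ports of the LACP bundle toward PFSense-1 lagg1 (e3/e4)
interface range GigabitEthernet1/0/1 - 2
 description LACP bundle to PFSense-1 lagg1
 channel-group 1 mode active
!
interface Port-channel1
 switchport mode access
 switchport access vlan 14
!
interface Vlan14
 ip address 192.168.11.4 255.255.255.248
 ! VRRP group 14 owns the VIP the firewalls point their static routes at
 vrrp 14 ip 192.168.11.6
 vrrp 14 priority 110
 vrrp 14 preempt
!
! Assumed "crossed" link to PFSense-2 as a routed port in its own /29
interface GigabitEthernet1/0/3
 description L3 cross-link to PFSense-2
 no switchport
 ip address 192.168.12.4 255.255.255.248
!
! Primary default route via the directly attached firewall (default AD 1)
ip route 0.0.0.0 0.0.0.0 192.168.11.2
! Floating static via the cross-link firewall; only installed in the routing
! table when the primary next hop's interface goes down (AD 10 > 1)
ip route 0.0.0.0 0.0.0.0 192.168.12.3 10
```

A floating static only takes over when the interface toward 192.168.11.2 is down; if PFSense-1 stays up but loses its WAN, the primary route remains installed and traffic is blackholed, which is where IP SLA tracking on the static route, or the IGP option from the accepted answer, comes in. Verify with show ip route after shutting Port-channel1 and confirm the 192.168.12.3 route appears.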