Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 16 Feb 2011 17:10:38 +0100
From:      Damien Fleuriot <ml@my.gd>
To:        kevin <k@kevinkevin.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: Questions about PF + Multiple gateways + CARP on a public ip network
Message-ID:  <4D5BF6FE.8090704@my.gd>
In-Reply-To: <00cf01cbcdf2$d54f6100$7fee2300$@com>
References:  <00a401cbcd3d$fe313d10$fa93b730$@com> <4D5BD4E6.90605@my.gd> <00cf01cbcdf2$d54f6100$7fee2300$@com>

next in thread | previous in thread | raw e-mail | index | archive | help
On 2/16/11 5:01 PM, kevin wrote:
>> If you have only 1 upstream interconnection, this won't be a problem for
>> you.
> 
> These boxes are in a collocation facility, in a data center. There are
> multiple upstream providers, but I am using the data center's default
> gateways for each allocated subnet. So I imagine the routing to the multiple
> upstreams would be done after being routed via their gateway.
> 

If you only have one gateway, then you have nothing to worry about for
this part.


>> Wait do you want to route or to NAT ?
> 
> I want to route. I don't want to nat. My mistake for misleading. Each device
> behind this firewall is a dedicated server in a data center. They need to
> transparently maintain connectivity to the outside world and from the
> outside world.
> 

Then your static routes should work just fine, really.

Alternatively you can use PF's route-to option in your pass rules, but
that would likely be harder to maintain (just like our reply-to rules are).


> 
>> I think it all depends on whether you have multiple upstream connections
>> or not, as I pointed out above.
> 
> I suppose I would have to confirm this with my data center's networking
> department. I would imagine that it would be standard practice for them to
> handle the multiple upstreams themselves.
> 

Again if you only have a single gateway from the datacenter guys,
nothing to worry about for you.


> To give you a little background, I am currently utilizing two transparent
> bridging firewalls at the moment. Unfortunately one of the firewalls will
> completely lock up with no console messages if they both are on. The idea is
> to employ carp + pf to maintain some sort of automated failover mechanism
> instead of a cold standby.
> 

If you expect a lot of traffic, I recommend you do NOT use pfsync to
synchronize existing sessions on the backup firewall.

Of course the side effect will be that should the master fail, all the
active connections will be dropped and will have to be established again
on the standby firewall.


> At the same time I don't want to change the architecture of my internal
> network more than perhaps modifying the default gateways configured on each
> device. 
> 
> 
> Your help is appreciated,
> 
> Kevin
> 
> 



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4D5BF6FE.8090704>