Date: Wed, 16 Dec 2009 18:20:04 +0000
From: Tom Judge <tom@tomjudge.com>
To: Kevin <k@kevinkevin.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: PF Transparent Bridge Firewall + CARP
Message-ID: <4B2924D4.9010207@tomjudge.com>
In-Reply-To: <003001ca7cdc$0b530540$21f90fc0$@com>
References: <003001ca7cdc$0b530540$21f90fc0$@com>
Kevin wrote:
>
>> -----Original Message-----
>> From: Kevin [mailto:k@kevinkevin.com]
>> I have what I would consider not a standard firewall scenario that
>> requires a second, redundant PF firewall. My first / main firewall is
>> pf + transparent bridging with no internal network / ip addresses.
>
>
> I realize that carp would require an ip address on both interfaces to work
> properly... this is correct, right? Could I just assign the 1 ip address /
> gateway on the bridge0 interface and add a carp interface to fail that over
> to the 2nd firewall?

This would be easier to do with spanning tree:

                 [router]
                     |
           [------switch 1------]
             |                |
           [FW1]--{pfsync}--[FW2]
             |                |
           [------switch 2------]
                     |
                 [clients]

Then you can leave carp out of the equation and your network would be the
same as before.

FW1 /etc/rc.conf:

cloned_interfaces="bridge0"
ifconfig_em0="up -tso"
ifconfig_em1="up -tso"
ifconfig_em2="inet 192.168.255.1/30"
ifconfig_bridge0="up addm em0 stp em0 addm em1 stp em1"
pfsync_enable="YES"
pfsync_syncdev="em2"
pfsync_ifconfig="syncpeer 192.168.255.2"

FW2 /etc/rc.conf:

cloned_interfaces="bridge0"
ifconfig_em0="up -tso"
ifconfig_em1="up -tso"
ifconfig_em2="inet 192.168.255.2/30"
ifconfig_bridge0="up addm em0 stp em0 addm em1 stp em1"
pfsync_enable="YES"
pfsync_syncdev="em2"
pfsync_ifconfig="syncpeer 192.168.255.1"

Make sure that the spanning tree priority on either switch side is higher
(smaller number) than the bridges so that they will remain the root bridges.
Tom

-- 
TJU13-ARIN
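The closing caveat in Tom's reply (the switches, not the firewall bridges, must win the STP root election, and every member must be added with "stp emN") can be verified from the firewall host. The function below is an added example, not code from the post or from FreeBSD: it parses the text of `ifconfig bridge0` (the FreeBSD bridge display with `id`, `root id` and `member:` lines is assumed) and reports a bridge that has become root or a member port without the STP flag. Both sample outputs are constructed.

```shell
#!/bin/sh
# Added example, not from the post. Parses `ifconfig bridge0` text (FreeBSD
# bridge display assumed: "id", "root id" and "member:" lines) and flags what
# the post warns about: this host winning the STP root election (own id equals
# root id, so no switch has a lower priority) or a member without "stp emN".
# Exit status: 0 when both checks pass, 1 otherwise; findings go to stdout.
check_bridge_stp() {
    printf '%s\n' "$1" | awk '
        $1 == "id"                 { own_id = $2;  own_prio = $4 }
        $1 == "root" && $2 == "id" { root_id = $3; root_prio = $5 }
        $1 == "member:" {
            members++
            if ($3 !~ /[<,]STP[,>]/) { bad++; print "member " $2 ": STP not enabled" }
        }
        END {
            rc = 0
            if (members == 0) { print "no member ports found"; rc = 1 }
            if (own_id == "" || root_id == "") { print "no STP state in output"; rc = 1 }
            else if (own_id == root_id) {
                print "this bridge is the STP root (priority " own_prio "); switch priority must be lower"
                rc = 1
            } else {
                print "root bridge is " root_id " (priority " root_prio "); this host is not root"
            }
            if (bad) rc = 1
            exit rc
        }'
}

# Constructed: a switch (priority 4096) is root and both members run STP.
GOOD_BRIDGE='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        id 00:1b:21:aa:bb:01 priority 32768 hellotime 2 fwddelay 15
        root id 00:0c:29:11:22:33 priority 4096 ifcost 20000 port 1
        member: em1 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20000 proto rstp
        member: em0 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000 proto rstp'

# Constructed: the firewall itself became root and em1 was added without "stp em1".
BAD_BRIDGE='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        id 00:1b:21:aa:bb:01 priority 32768 hellotime 2 fwddelay 15
        root id 00:1b:21:aa:bb:01 priority 32768 ifcost 0 port 0
        member: em1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
        member: em0 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>'

check_bridge_stp "$GOOD_BRIDGE" || :
check_bridge_stp "$BAD_BRIDGE" || :
```

On a live firewall, pass it the real output: `check_bridge_stp "$(ifconfig bridge0)"`.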