Date:      Wed, 16 Dec 2009 18:20:04 +0000
From:      Tom Judge <tom@tomjudge.com>
To:        Kevin <k@kevinkevin.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: PF Transparent Bridge Firewall + CARP
Message-ID:  <4B2924D4.9010207@tomjudge.com>
In-Reply-To: <003001ca7cdc$0b530540$21f90fc0$@com>
References:  <003001ca7cdc$0b530540$21f90fc0$@com>



Kevin wrote:
> 
>> -----Original Message-----
>> From: Kevin [mailto:k@kevinkevin.com]
>> I have what I would consider not a standard firewall scenario that
>> requires a second, redundant PF firewall. My first / main firewall is
>> pf + transparent bridging with no internal network / ip addresses.
> 
> 
> I realize that carp would require an ip address on both interfaces to work
> properly... this is correct, right? Could I just assign the 1 ip address /
> gateway on the bridge0 interface and add a carp interface to fail that over
> to the 2nd firewall?

This would be easier to do with spanning tree:

       [router]
          |
[------switch 1------]
  |                |
[FW1]--{pfsync}--[FW2]
  |                |
[------switch 2------]
          |
      [clients]


Then you can leave carp out of the equation and your network would be
the same as before.

FW1 /etc/rc.conf:

cloned_interfaces="bridge0"
ifconfig_em0="up -tso"
ifconfig_em1="up -tso"
ifconfig_em2="inet 192.168.255.1/30"
ifconfig_bridge0="up addm em0 stp em0 addm em1 stp em1"
pfsync_enable="YES"
pfsync_syncdev="em2"
pfsync_ifconfig="syncpeer 192.168.255.2"

FW2 /etc/rc.conf:

cloned_interfaces="bridge0"
ifconfig_em0="up -tso"
ifconfig_em1="up -tso"
ifconfig_em2="inet 192.168.255.2/30"
ifconfig_bridge0="up addm em0 stp em0 addm em1 stp em1"
pfsync_enable="YES"
pfsync_syncdev="em2"
pfsync_ifconfig="syncpeer 192.168.255.1"

Make sure that the spanning tree priority on either switch side is
higher (smaller number) than the bridges so that they will remain the
root bridges.

Tom

--
TJU13-ARIN


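An added check for the last point in the reply (the switches, not the firewall bridges, should win the STP root election); this is not code from the thread. It parses the output of FreeBSD's "ifconfig bridge0" for a bridge(4) running STP; the interface names, bridge ids and both sample outputs are constructed.

```sh
# Added check, not part of the original thread: parse "ifconfig bridgeN"
# output from FreeBSD bridge(4) and flag the case the reply warns about:
# the firewall bridge electing itself spanning tree root instead of a
# switch. Both sample outputs are CONSTRUCTED, not captured from a host.
# Healthy: an upstream switch (priority 4096) is root, reached via em0;
# em1 is the alternate path and is blocked, so the loop is pruned.
SAMPLE_SWITCH_ROOT='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        id 02:4c:8e:f1:01:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:1b:2f:aa:bb:cc priority 4096 ifcost 20000 port 1
        member: em1 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20000 proto rstp
                role alternate state discarding
        member: em0 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000 proto rstp
                role root state forwarding'

# Misconfigured: switches left at 32768 too, so the firewall bridge won
# the election (root id == own id, root port 0) and blocks nothing.
SAMPLE_FW_ROOT='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        id 02:4c:8e:f1:01:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 02:4c:8e:f1:01:00 priority 32768 ifcost 0 port 0
        member: em1 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20000 proto rstp
                role designated state forwarding
        member: em0 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000 proto rstp
                role designated state forwarding'

# Print "<own id> <own prio> <root id> <root prio> <root port>".
stp_summary() {
    printf '%s\n' "$1" | awk '
        $1 == "id"                 { bid = $2; bprio = $4 }
        $1 == "root" && $2 == "id" { rid = $3; rprio = $5; rport = $9 }
        END { print bid, bprio, rid, rprio, rport }'
}

# Exit 0 when the bridge believes it is the root bridge.
bridge_is_root() {
    set -- $(stp_summary "$1")
    [ "$1" = "$3" ] && [ "$5" = "0" ]
}
# "<port> <state>" per member not forwarding; empty output on a looped
# topology means STP is pruning nothing.
nonforwarding_members() {
    printf '%s\n' "$1" | awk '$1 == "member:" { p = $2 }
        $1 == "role" && $4 != "forwarding" { print p, $4 }'
}
```

On a live firewall, run bridge_is_root "$(ifconfig bridge0)" on both FW1 and FW2 after the switches' priorities have been set; a warning on either means a switch priority still needs lowering.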
