I've been reading about and want to set up a set of (2) carp/pf/pfsync
redundant firewalls but I haven't seen anything in the docs or on the
list similar to what i'm hoping to accomplish so here goes:
I'm horrible at ascii art so i'll try to describe the scenario as best i
can:
2 firewalls, each firewall will have 4 interfaces, san0(wan),
fxp0(backup/redundant/load balancing wan , fxp1(dmz) and fxp2(lan).
From what I have read in the docs and from questions that other people
have asked I think I have a handle on the lan, dmz interfaces and maybe
even the fxp0 wan interface, but I'm wondering about the san0 interfaces.
Can they be carped? My idea was to run the cable from the telco into a
switch/hub and then carp the san0 interfaces, but I'm not sure if it
will work and I don't have a spare t1 to test it.
Here is what I'm hoping to accomplish in order of priority:
1. redundancy in the firewalls, one goes down, keep the connections to
the dmz and internet alive (incoming and outgoing)
2. uplink redundancy/failover.. if the main t1 (provided by the san0
int) goes down, detect that and route out the fxp0 int instead.
fxp0 is connected to a frac. t1 via csu/dsu. I'm not worried
about incoming load balancing or routing connections as I am serving dns
with short ttls (one dns sever out each of my uplinks) that has been
providing redundancy to my dmz hosts as long as at least one of my links
are up..
a. ideal but not mandatory to get things going, i'd like to be able
to route out both wan interfaces from the lan to increase downloads.
the backup is a smaller(256k vs. full t1 on main wan int) connection
though, so would i have to set up queuing? I would hate to pull from
the backup when i have more than 256k available on the t1
I hope I have included enough info to get some insight on this, if not
please ask. My biggest concern here is whether or not i can carp the
san interfaces and if not, is there anyway to accomplish this scenario
without running the t1 into a dedicated router before it goes into the
firewall.
Last bit of this, mixed in with all of the things I have been reading i
see "route to" and ifstated mentioned a lot. Would I need to be using
ifstated to get the failover working for the two wan interfaces so
traffic wouldn't get blackholed? Would I need routeto in my pf.conf to
get load balancing working or...........
Thanks in advance.
Aaron
