alexander lind wrote:
quoted text
> On Aug 20, 2008, at 12:06 AM, Marco Fretz wrote:
> 
>>> Is it possible to have two OpenBSD bridging firewalls work together
>>> with CARP now?
>>
>> What do you mean by "work together"? Only fail-over? load-share?
> 
> Fail-over is my primary concern.
> 
>>>
>>> Update the ifp of bridge cache entries if the entry is not static.
>>> This makes carp(4) fail-over work over bridge(4).
>>
>> I think this means only that it is possible to use carp over bridges,
>> not for bridges. but maybe I'm wrong. :-)
> 
> Ah, that makes sense I suppose since I can't find many references to
> this particular scenario elsewhere!
> 
>>> So my question is, am I understanding this right if I say that it is
>>> indeed possible to set up a pair of redundant carped firewalls using
>>> OpenBSD 4.2 or above?
>>
>> Bridges are layer 2, carp is layer 3 (it shares IP addresses). So carp
>> can not handle this by its nature I think. Just place the both bridges
>> in your LAN and you have your fail-over solution. I've never done
>> something with openbsd bridges but as I know it from bridge-utils from
>> linux you can set STP priority and costs to influence spanning tree path
>> selection. Of course your LAN switch should be capable of basic
>> spanning-tree functions as well.
>>
>> after the first bridge goes down, spanning tree takes automatically the
>> next best path by setting the needed switchports to forward (instead of
>> blocking).
> 
> This sounds like the best route for us. I will experiment and see if I
> can get it working like this later today.
> 
> Thanks for your advice! 

Your welcome. Let me know if it's working or not. I've never done it
myself but I'm also interested in bridging firewall clusters...

bests
 marco

quoted text
> 
> Alec