From: Tom Judge
Date: Wed, 16 Dec 2009 18:20:04 +0000
To: Kevin
Cc: freebsd-pf@freebsd.org
Subject: Re: PF Transparent Bridge Firewall + CARP
Message-ID: <4B2924D4.9010207@tomjudge.com>
In-Reply-To: <003001ca7cdc$0b530540$21f90fc0$@com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Kevin wrote:
>
>> -----Original Message-----
>> From: Kevin [mailto:k@kevinkevin.com]
>>
>> I have what I would consider not a standard firewall scenario that
>> requires a second, redundant PF firewall. My first / main firewall is
>> pf + transparent bridging with no internal network / ip addresses.
>
> I realize that carp would require an ip address on both interfaces to work
> properly... this is correct, right? Could I just assign the 1 ip address /
> gateway on the bridge0 interface and add a carp interface to fail that over
> to the 2nd firewall?

This would be easier to do with spanning tree:

            [router]
                |
      [------switch 1------]
         |              |
       [FW1]--{pfsync}--[FW2]
         |              |
      [------switch 2------]
                |
            [clients]

Then you can leave carp out of the equation and your network would be the
same as before.

FW1 /etc/rc.conf:

    cloned_interfaces="bridge0"
    ifconfig_em0="up -tso"
    ifconfig_em1="up -tso"
    ifconfig_em2="inet 192.168.255.1/30"
    ifconfig_bridge0="up addm em0 stp em0 addm em1 stp em1"
    pfsync_enable="YES"
    pfsync_syncdev="em2"
    pfsync_ifconfig="syncpeer 192.168.255.2"

FW2 /etc/rc.conf:

    cloned_interfaces="bridge0"
    ifconfig_em0="up -tso"
    ifconfig_em1="up -tso"
    ifconfig_em2="inet 192.168.255.2/30"
    ifconfig_bridge0="up addm em0 stp em0 addm em1 stp em1"
    pfsync_enable="YES"
    pfsync_syncdev="em2"
    pfsync_ifconfig="syncpeer 192.168.255.1"

Make sure that the spanning tree priority on either switch side is higher
(smaller number) than the bridges so that they will remain the root bridges.

Tom

--
TJU13-ARIN
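A check for the two conditions Tom's layout depends on (the switches, not the firewall bridges, are STP root, and every bridge member was added with "stp"), written as an added example for this reply rather than anything Tom posted. It parses `ifconfig bridge0` output; the sample output below is constructed, and the MAC addresses and priorities in it are made up.

```shell
#!/bin/sh
# Added example, not from the thread: check the STP state of a FreeBSD
# if_bridge(4) running as a transparent firewall in the two-bridge layout
# Tom describes. Reads `ifconfig bridge0` output on stdin and fails when
#   - the bridge itself is the STP root (the switches must stay root), or
#   - a member was added without the STP flag (with two parallel bridges
#     between the same switches that is a forwarding loop waiting to happen).
# Live use on FW1/FW2:  ifconfig bridge0 | check_bridge_stp

check_bridge_stp() {
    awk '
        $1 == "id"                 { bridge_id = $2 }
        $1 == "root" && $2 == "id" { root_id = $3 }
        $1 == "member:" {
            members++
            if ($3 !~ /[<,]STP[,>]/) bad = bad " " $2
        }
        END {
            if (members == 0)         { print "FAIL: no member ports"; exit 1 }
            if (bad != "")            { print "FAIL: members without STP:" bad; exit 1 }
            if (bridge_id == root_id) { print "FAIL: bridge is STP root, lower the switch priority"; exit 1 }
            print "OK: root is " root_id ", " members " member(s) running STP"
        }'
}

# Constructed `ifconfig bridge0` output for the healthy case: a switch
# (priority 4096) is root, both members carry STP, one port is blocked.
SAMPLE_OK='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:7d:1c:9a:2b:00
        id 00:1b:21:aa:bb:cc priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:11:22:33:44:55 priority 4096 ifcost 20000 port 1
        member: em1 flags=1e7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                role alternate state discarding
        member: em0 flags=1e7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                role root state forwarding'

# Failure cases derived from the sample: the firewall bridge has become root
# (switch priority left at default), and em1 was added without "stp em1".
SAMPLE_ROOT=$(printf '%s\n' "$SAMPLE_OK" | sed 's/00:11:22:33:44:55 priority 4096/00:1b:21:aa:bb:cc priority 32768/')
SAMPLE_NOSTP=$(printf '%s\n' "$SAMPLE_OK" | sed '/member: em1/s/,STP,/,/')

for case in OK ROOT NOSTP; do
    eval sample=\$SAMPLE_$case
    printf '%s: ' "$case"
    printf '%s\n' "$sample" | check_bridge_stp || true
done
```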