From owner-freebsd-hackers  Thu May  2 10:12:21 2002
Delivered-To: freebsd-hackers@freebsd.org
Received: from hawk.mail.pas.earthlink.net (hawk.mail.pas.earthlink.net [207.217.120.22])
	by hub.freebsd.org (Postfix) with ESMTP id 1AF5837B400
	for <freebsd-hackers@freebsd.org>; Thu,  2 May 2002 10:12:17 -0700 (PDT)
Received: from pool0542.cvx22-bradley.dialup.earthlink.net ([209.179.200.32] helo=mindspring.com)
	by hawk.mail.pas.earthlink.net with esmtp (Exim 3.33 #2)
	id 173K7p-0004lf-00; Thu, 02 May 2002 10:12:14 -0700
Message-ID: <3CD17351.893F80A3@mindspring.com>
Date: Thu, 02 May 2002 10:11:45 -0700
From: Terry Lambert <tlambert2@mindspring.com>
X-Mailer: Mozilla 4.7 [en]C-CCK-MCD {Sony}  (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Bogdan TARU <bgd@icomag.de>
Cc: freebsd-hackers@FreeBSD.ORG
Subject: Re: network design
References: <20020502180817.K22759-100000@fw.cgn.icom>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-hackers.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-hackers>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-hackers>
X-Loop: FreeBSD.ORG

Bogdan TARU wrote:
>  I have an unusual question, and hope I'll find the answer on this list. I
> would like to build a redundant structure of firewalls (2 of them), and I
> really don't have any idea on how to do that. What I would like is a
> scheme like:

[ ... picture ... ]

>  But the real question is: how do I assign the same IP address to two
> interfaces connected to the same hub(s) or switch(es)? I guess this will
> provide the best redundancy. Any such software? If not, could you describe
> an alternative for it, or point me to some resources?

You want VRRP -- Virtual Router Redundancy Protocol.  This
works best with gigabit ethernet cards, which support multiple
MAC addresses.  Do a net search on:

	FreeBSD VRRP

Unfortunately, the FreeBSD ethernet interface isn't terribly
smart.  Ideally, it would provide a virtual interface per VIP,
all the way down to the card; it doesn't.

The typical solution used is to blatantly kludge the multicast
mask in the hardware, and then that leaves the card in a half-baked
"half promiscuous" mode.

-- Terry

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message