From: Damien Fleuriot <ml@my.gd>
Date: Wed, 16 Feb 2011 17:10:38 +0100
To: kevin
Cc: freebsd-pf@freebsd.org
Subject: Re: Questions about PF + Multiple gateways + CARP on a public ip network
Message-ID: <4D5BF6FE.8090704@my.gd>
In-Reply-To: <00cf01cbcdf2$d54f6100$7fee2300$@com>
References: <00a401cbcd3d$fe313d10$fa93b730$@com> <4D5BD4E6.90605@my.gd> <00cf01cbcdf2$d54f6100$7fee2300$@com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 2/16/11 5:01 PM, kevin wrote:
>> If you have only 1 upstream interconnection, this won't be a problem for you.
>
> These boxes are in a colocation facility, in a data center. There are multiple upstream providers, but I am using the data center's default gateways for each allocated subnet. So I imagine the routing to the multiple upstreams would be done after being routed via their gateway.
>

If you only have one gateway, then you have nothing to worry about for this part.

>> Wait, do you want to route or to NAT?
>
> I want to route. I don't want to NAT. My mistake for misleading. Each device behind this firewall is a dedicated server in a data center. They need to transparently maintain connectivity to the outside world and from the outside world.
>

Then your static routes should work just fine, really.

Alternatively you can use PF's route-to option in your pass rules, but that would likely be harder to maintain (just like our reply-to rules are).

>> I think it all depends on whether you have multiple upstream connections or not, as I pointed out above.
>
> I suppose I would have to confirm this with my data center's networking department. I would imagine that it would be standard practice for them to handle the multiple upstreams themselves.
>

Again, if you only have a single gateway from the datacenter guys, nothing to worry about for you.

> To give you a little background, I am currently utilizing two transparent bridging firewalls at the moment. Unfortunately one of the firewalls will completely lock up with no console messages if they both are on. The idea is to employ CARP + pf to maintain some sort of automated failover mechanism instead of a cold standby.
>

If you expect a lot of traffic, I recommend you do NOT use pfsync to synchronize existing sessions on the backup firewall.

Of course the side effect will be that should the master fail, all the active connections will be dropped and will have to be established again on the standby firewall.

> At the same time I don't want to change the architecture of my internal network more than perhaps modifying the default gateways configured on each device.
>
> Your help is appreciated,
>
> Kevin
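An added pf.conf sketch, written for this edited copy and not taken from Damien's or Kevin's configurations, showing the routed (no NAT) CARP pair the thread describes: plain stateful pass rules that rely on the kernel's default route to the single datacenter gateway, with the route-to / reply-to alternative left commented out. Interface names, the two subnets and the gateway address are assumed placeholders.

```pf
# Added example, not from the thread. Assumed names (constructed):
#   em0 faces the datacenter gateway, em1 faces the dedicated servers,
#   em2 is a crossover link between the two firewalls,
#   203.0.113.1 is the single gateway the datacenter hands out,
#   198.51.100.0/24 is the routed (public) server subnet.
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"
dc_gw   = "203.0.113.1"
servers = "198.51.100.0/24"

set skip on lo0
# Only relevant if pfsync is enabled despite the high-traffic caveat above:
# pfsync is unauthenticated, so keep it on its own link and do not filter there.
# set skip on $sync_if

# CARP advertisements (IP protocol 112) must pass on every CARP interface;
# if they are blocked, the backup never hears the master and both claim
# the virtual address.
pass quick on { $ext_if, $int_if } proto carp

block in log all
block out log all

# Management: only the server side may reach the firewall's own address.
pass in on $int_if proto tcp from $servers to ($int_if) port ssh

# Plain routing. The servers use the internal CARP address as their
# default gateway; the firewall's own default route points at $dc_gw,
# so stateful pass rules are all that is needed.
pass in  on $int_if from $servers to any
pass out on $ext_if from $servers to any
pass in  on $ext_if to $servers
pass out on $int_if to $servers

# Alternative from the thread: pin the next hop per rule with route-to
# (and reply-to for inbound flows) instead of trusting the routing table.
# Needed only with several upstream gateways; one more rule pair per
# gateway/subnet to keep in step, which is why it is harder to maintain.
# pass in on $int_if route-to ($ext_if $dc_gw) from $servers to any
# pass in on $ext_if reply-to ($ext_if $dc_gw) to $servers
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf` on both nodes; the CARP interfaces themselves are configured in rc.conf, which this fragment does not cover.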