Date: Wed, 30 Dec 2009 10:12:29 -0600 From: Tom Judge <tom@tomjudge.com> To: kevin <k@kevinkevin.com> Cc: freebsd-pf@freebsd.org Subject: Re: PF Transparent Bridge Firewall + CARP Message-ID: <4B3B7BED.3080702@tomjudge.com> In-Reply-To: <013801ca8922$a5b50dc0$f11f2940$@com> References: <003001ca7cdc$0b530540$21f90fc0$@com> <4B2924D4.9010207@tomjudge.com> <005501ca7e85$7bb28e50$7317aaf0$@com> <013801ca8922$a5b50dc0$f11f2940$@com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 30/12/2009 01:35, kevin wrote:
>> -----Original Message-----
>> From: Tom Judge
>> Sent: Wednesday, December 16, 2009 1:20 PM
>> To: Kevin
>> Cc: freebsd-pf@freebsd.org
>> Subject: Re: PF Transparent Bridge Firewall + CARP
>>
>> [router]
>> |
>> [------switch 1------]
>> | |
>> [FW1]--{pfsync}--[FW2]
>> | |
>> [------switch 2------]
>> |
>> [clients]
>>
>
> I have a really stupid question. If I have a switch with 2 VLANS (one DMZ /
> 'outside', one internal / 'lan') and two firewalls with transparent bridging
> + PF , filtering all inbound/outbound traffic -- would I even need CARP? Is
> CARP overkill?
>
> I'm thinking in a disaster recovery scenario -- if one firewall blows up.
> There's no logical master/slave relationship, but wouldn't there be minimal
> (if any) downtime?
>
>
You don't need carp here if your firewalls are bridges. Your main issue
is that you only have one switch, the simplest redundant solution is 2
bridges running spanning tree.
Tom
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4B3B7BED.3080702>