Date: Wed, 30 Dec 2009 10:12:29 -0600
From: Tom Judge <tom@tomjudge.com>
To: kevin <k@kevinkevin.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: PF Transparent Bridge Firewall + CARP
Message-ID: <4B3B7BED.3080702@tomjudge.com>
In-Reply-To: <013801ca8922$a5b50dc0$f11f2940$@com>
References: <003001ca7cdc$0b530540$21f90fc0$@com> <4B2924D4.9010207@tomjudge.com> <005501ca7e85$7bb28e50$7317aaf0$@com> <013801ca8922$a5b50dc0$f11f2940$@com>

On 30/12/2009 01:35, kevin wrote:
>> -----Original Message-----
>> From: Tom Judge
>> Sent: Wednesday, December 16, 2009 1:20 PM
>> To: Kevin
>> Cc: freebsd-pf@freebsd.org
>> Subject: Re: PF Transparent Bridge Firewall + CARP
>>
>>         [router]
>>            |
>>  [------switch 1------]
>>    |                |
>>  [FW1]--{pfsync}--[FW2]
>>    |                |
>>  [------switch 2------]
>>            |
>>         [clients]
>>
>
> I have a really stupid question. If I have a switch with 2 VLANS (one DMZ /
> 'outside', one internal / 'lan') and two firewalls with transparent bridging
> + PF , filtering all inbound/outbound traffic -- would I even need CARP? Is
> CARP overkill?
>
> I'm thinking in a disaster recovery scenario -- if one firewall blows up.
> There's no logical master/slave relationship, but wouldn't there be minimal
> (if any) downtime?
>
>

You don't need carp here if your firewalls are bridges.

Your main issue is that you only have one switch, the simplest redundant
solution is 2 bridges running spanning tree.

Tom

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4B3B7BED.3080702>
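
One way to set up the "2 bridges running spanning tree" layout from the message above, as an added example that is not part of the original e-mail: an /etc/rc.conf fragment for FW1. The interface names (em0, em1, em2), the dedicated pfsync link, and the choice to prefer FW1 through bridge priority are assumptions, as is a pair of switches that forward or take part in spanning tree.

```sh
# /etc/rc.conf fragment for FW1 (added example; interface names are assumptions)
# em0 = port towards switch 1 (router side)
# em1 = port towards switch 2 (client side)
# em2 = dedicated link to FW2 for pfsync (the {pfsync} link in the diagram)

# Bridge members carry no IP address, they only need to be up.
ifconfig_em0="up"
ifconfig_em1="up"

# Create the bridge and enable spanning tree on both members.
# With both firewalls bridging switch 1 to switch 2 there is a layer-2 loop;
# spanning tree keeps one firewall's path blocked until the other fails.
# "priority 16384" is lower than the 32768 default, so FW1 is preferred;
# FW2 uses the same line without the priority setting.
cloned_interfaces="bridge0"
ifconfig_bridge0="addm em0 stp em0 addm em1 stp em1 priority 16384 up"

# Filter bridged traffic with PF and log to pflog0.
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"

# Share PF state with FW2 so established connections can keep passing
# after spanning tree moves traffic to the other bridge.
ifconfig_em2="inet 192.0.2.1/30"   # constructed address for the sync link
pfsync_enable="YES"
pfsync_syncdev="em2"
```

After a reboot or `service netif restart`, `ifconfig bridge0` shows each member's spanning tree role and state, which is the place to confirm that only one firewall is forwarding between the two switches.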