From owner-freebsd-cluster Wed Dec 19 10:39:47 2001
Delivered-To: freebsd-cluster@freebsd.org
Received: from hermes.intergate.ca (hermes.intergate.ca [207.34.179.108]) by hub.freebsd.org (Postfix) with SMTP id 0993137B41A for ; Wed, 19 Dec 2001 10:39:39 -0800 (PST)
Received: (qmail 98531 invoked by uid 1007); 19 Dec 2001 19:20:40 -0000
Received: from tim@ke.uu.net by hermes.intergate.ca with qmail-scanner-0.93 (uvscan: v4.0.50/v4176. . Clean. Processed in 0.745521 secs); 19/12/2001 11:20:40
Received: from gateway-208.181.231.146.intergate.ca (HELO r0u5c9.ke.uu.net) (208.181.231.146) by hermes.intergate.ca with SMTP; 19 Dec 2001 19:20:39 -0000
Message-Id: <5.1.0.14.0.20011219102837.0244c980@pop.uunet.co.ke>
X-Sender: tpriebe@pop.uunet.co.ke
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Wed, 19 Dec 2001 10:34:50 -0800
To: Fabrizio Ravazzini , freebsd-cluster@freebsd.org
From: Tim Priebe
Subject: Re: Bridge/Firewall cluster?
Cc: freebsd-isp@freebsd.org
In-Reply-To: <20011217083812.63311.qmail@web20108.mail.yahoo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"; format=flowed
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-cluster@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

The problem with this is it would duplicate packets. My solution to this
was to not use bridging, but to route through the firewall, using dynamic
routing. As long as everything in the DMZ can understand some routing
protocol you will be fine. The Cisco advertises default to the two
firewalls, and the firewalls redistribute learned and directly connected
routes. You can limit which hosts you learn routes from in your firewall
rules, depending on the protocol used.

Tim.
At 09:38 AM 12/17/01 +0100, Fabrizio Ravazzini wrote:
>Hello all, I've done a bridge/firewall to connect a dmz
>to the Internet, this is the scheme:
>
>        Internet
>           |
>           |
>       Router cisco
>           |
>           | rl0
>      Fbsd bridge/FW
>           | rl1
>           |
>          DMZ
>
>The public ip of the cisco is like 200.20.20.1
>Then rl0 200.20.20.3.
>I want to make this bridge high available putting
>another freebsd bridge machine so that if one goes
>down there is the other and the dmz is still
>available.
>Can I put another Fbsd bridge between the cisco and
>the dmz like this scheme:
>
>
>        Internet
>           |
>           |
>       Router cisco
>           |
>           |________________
>           | rl0           |
>         Fbsd             |ed0
>      bridge/FW          Fbsd
>           | rl1       Bridge/FW
>           |________________|
>           |
>          DMZ
>
>For example ed0 could be 200.20.20.5, perhaps it is a
>stupid question, but can it work?
>Or are there other solutions?
>Any help would be appreciated.
>Bye
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-isp" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-cluster" in the body of the message
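Tim's reply ends with "you can limit which hosts you learn routes from in your firewall rules". The script below is an added example, not code from either poster, showing what that looks like as an ipfw rule set on the FreeBSD firewall: accept routing-protocol traffic only from the Cisco and the peer firewall, then log and drop everything else, so a stray or rogue router on the shared segment lands in the log rather than in the routing table. It assumes RIPv2 (UDP port 520) or OSPF (IP protocol 89) as the "some routing protocol" the thread leaves open, reuses the addresses from Fabrizio's diagram (200.20.20.1 for the Cisco, 200.20.20.5 for the second firewall's ed0), and the interface name and rule numbers are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): generate ipfw rules that accept routing
# updates only from known neighbours, then deny-and-log the rest.
# Assumptions: rl0 faces the Cisco and the peer firewall; RIPv2 or OSPF is the
# routing protocol; rule numbers starting at 1000 are arbitrary placeholders.

OUTSIDE_IF="rl0"                                # interface on the shared segment
ROUTING_NEIGHBOURS="200.20.20.1 200.20.20.5"    # cisco, second firewall's ed0 (from the diagram)
BASE_RULE=1000

# is_neighbour IP -> exit 0 if IP is an allowed routing peer, 1 otherwise
is_neighbour() {
    for peer in $ROUTING_NEIGHBOURS; do
        [ "$1" = "$peer" ] && return 0
    done
    return 1
}

# peer_rule PROTO PEER RULENO -> one ipfw "allow" line for that peer
peer_rule() {
    case "$1" in
        rip)  echo "ipfw add $3 allow udp from $2 520 to any 520 in via $OUTSIDE_IF" ;;
        ospf) echo "ipfw add $3 allow ospf from $2 to any in via $OUTSIDE_IF" ;;
        *)    echo "unknown routing protocol: $1" >&2; return 1 ;;
    esac
}

# routing_rules PROTO -> print the rule set: one allow per neighbour, then a
# logged deny so updates from anyone else are visible in the firewall log
routing_rules() {
    proto="$1"
    n=$BASE_RULE
    for peer in $ROUTING_NEIGHBOURS; do
        peer_rule "$proto" "$peer" "$n" || return 1
        n=$((n + 1))
    done
    case "$proto" in
        rip)  echo "ipfw add $n deny log udp from any to any 520 in via $OUTSIDE_IF" ;;
        ospf) echo "ipfw add $n deny log ospf from any to any in via $OUTSIDE_IF" ;;
    esac
}

# Run directly: print the rules for the protocol named on the command line
# (default rip). Review the output before feeding it to sh on a firewall.
if [ -n "$1" ]; then routing_rules "$1"; else routing_rules rip; fi
```

The same whitelist-then-deny pattern applies whatever protocol the DMZ hosts speak; only the match clause in `peer_rule` changes. Keeping the final rule as `deny log` rather than a silent drop is what makes an unexpected router on the segment show up during troubleshooting.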