Date: Wed, 30 Dec 2009 02:35:21 -0500
From: "kevin" <k@kevinkevin.com>
To: "'Kevin'" <k@kevinkevin.com>
Cc: freebsd-pf@freebsd.org
Subject: RE: PF Transparent Bridge Firewall + CARP
Message-ID: <013801ca8922$a5b50dc0$f11f2940$@com>
In-Reply-To: <005501ca7e85$7bb28e50$7317aaf0$@com>
References: <003001ca7cdc$0b530540$21f90fc0$@com> <4B2924D4.9010207@tomjudge.com> <005501ca7e85$7bb28e50$7317aaf0$@com>
> -----Original Message-----
> From: Tom Judge
> Sent: Wednesday, December 16, 2009 1:20 PM
> To: Kevin
> Cc: freebsd-pf@freebsd.org
> Subject: Re: PF Transparent Bridge Firewall + CARP
>
> [router]
> |
> [------switch 1------]
> | |
> [FW1]--{pfsync}--[FW2]
> | |
> [------switch 2------]
> |
> [clients]
I have a really stupid question. If I have a switch with 2 VLANs (one DMZ /
'outside', one internal / 'lan') and two firewalls with transparent bridging
+ PF, filtering all inbound/outbound traffic -- would I even need CARP? Is
CARP overkill?

I'm thinking in a disaster recovery scenario -- if one firewall blows up.
There's no logical master/slave relationship, but wouldn't there be minimal
(if any) downtime?

I'm starting to notice that carp doesn't play nicely with bridging, nor is
there any carpdev implementation for manually specifying physical interfaces
for the redundancy group -- especially necessary if multiple interfaces are
on the same subnet.

All I want is simple redundancy.

Suggestions / ideas / comments are welcome.
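As an added illustration of the topology in the quoted diagram (two transparent bridges in parallel between switch 1 and switch 2, joined by pfsync), the following rc.conf and pf.conf fragments are constructed for this reply and are not configuration posted by either participant. The interface names em0 (switch 1 side), em1 (switch 2 side) and em2 (dedicated pfsync link), the bridge priorities and the subnet 192.0.2.0/24 are assumptions. The point the fragments make is that two parallel bridges form a layer-2 loop unless something blocks one path: here if_bridge's STP is enabled on both firewalls, with FW1 given the lower (preferred) bridge priority so FW2's path stays blocked until FW1 disappears; pfsync keeps the state table mirrored so the surviving bridge already holds the sessions in flight. Filtering is done on the bridge member interfaces rather than on bridge0 itself, and pfsync traffic is confined to the cross-over link and exempted from filtering.

```conf
# ---- /etc/rc.conf on FW1 (constructed example; FW2 is identical except
#      for the bridge priority, which should be higher so FW1 is preferred)
cloned_interfaces="bridge0 pfsync0"
# em0 faces switch 1 (router side), em1 faces switch 2 (client side).
# No IP addresses on the members: the bridge is transparent.
ifconfig_em0="up"
ifconfig_em1="up"
# STP on both members; a lower priority wins the root election, so FW1's
# path forwards and FW2's path is held in blocking state while FW1 is up.
ifconfig_bridge0="addm em0 addm em1 stp em0 stp em1 priority 4096 up"
# em2 is a dedicated cross-over link for pfsync; only the peer is on it.
ifconfig_em2="inet 192.0.2.1 netmask 255.255.255.0"
ifconfig_pfsync0="syncdev em2 up"
pf_enable="YES"
pfsync_enable="YES"

# ---- /etc/sysctl.conf on both firewalls
# Filter on the physical members (where rules reference em0/em1),
# not on the bridge interface itself.
net.link.bridge.pfil_member=1
net.link.bridge.pfil_bridge=0

# ---- /etc/pf.conf on both firewalls (constructed example)
ext_if = "em0"   # towards the router / DMZ VLAN
int_if = "em1"   # towards the clients / lan VLAN
sync_if = "em2"  # pfsync cross-over link

# Never filter the state-sync traffic itself.
set skip on { lo0 pfsync0 }

# Default deny, logged, so a failover that breaks filtering is visible.
block log all

# pfsync only between the two firewalls, only on the cross-over link.
pass quick on $sync_if proto pfsync keep state

# Clients may initiate outbound; replies come back through the same state
# table, which pfsync mirrors to the peer.
pass in  on $int_if proto { tcp udp icmp } from $int_if:network keep state
pass out on $ext_if proto { tcp udp icmp } keep state
```

The `block log all` line is the piece worth keeping even in a test: if STP ever unblocks the second bridge while its rules or state table are stale, dropped packets show up in pflog on that box rather than silently passing. Check the election result with `ifconfig bridge0` on both firewalls (one member path should report `blocking` on the standby) and the state mirror with `pfctl -s state` on the standby.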
