On 20-3-2013 0:29, Zach Underwood wrote:
> I am setting up a pair of pfsense servers in front of a web hosting
> setup. I have two firewalls, two network switches (layer 3 stacked), and
> two ISP links using BGP. I plan on using OSPF on the network switches to
> pass the routing tables to pfsense. The way I am thinking of doing it is this
> way
> https://docs.google.com/drawings/d/1AE-Uif6n0qrFxnDp6JkxUPaYEwVZJoa69pnCMAIW-4E/edit?usp=sharing
> . Is this the best way or is there a better way?

Indeed it looks right from here. The situation will be as follows: you set up an iBGP or OSPF between the 2 pfSense hosts. Careful with OSPF that you don't accidentally export internal routes to BGP.

Each pfSense node should have 1 session with a BGP peer but a shared LAN CARP address. You should never tie the BGP session to a CARP address, and often that isn't even possible because you get an unroutable /30 uplink anyhow.

- If a pfSense node fails, internal BGP/OSPF will re-route the traffic out the other pipe.
- If a BGP session drops, internal BGP/OSPF will re-route the traffic.
- LAN hosts always use the CARP address as the gateway.
- You cannot stateful firewall on the pfSense nodes; traffic is inherently asymmetric when using BGP (e.g. traffic goes out BGP1 but returns on BGP2).

Regards,
Seth
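
An added example, not part of the original thread: a pre-flight audit for the caution above about accidentally exporting internal routes from OSPF into BGP. The function name, the allow-list, the /24 length limit and all prefixes (documentation and RFC 1918 ranges) are assumptions made for illustration; it handles IPv4 only.

```python
import ipaddress

# Ranges that must never leave the site: RFC 1918, CGN, loopback, link-local.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]


def audit_bgp_export(candidates, allowed, max_len=24):
    """Classify each route the IGP would hand to BGP.

    candidates: prefixes learned via OSPF that redistribution would export.
    allowed:    aggregates you are actually entitled to announce.
    Returns {prefix: verdict}; only 'announce' should reach the eBGP peer.
    """
    allowed = [ipaddress.ip_network(a) for a in allowed]
    verdicts = {}
    for text in candidates:
        net = ipaddress.ip_network(text, strict=True)
        if any(net.overlaps(i) for i in INTERNAL):
            # Also catches a default or covering route that spans internal space.
            verdicts[text] = "internal"
        elif not any(a.version == net.version and net.subnet_of(a)
                     for a in allowed):
            verdicts[text] = "unlisted"
        elif net.prefixlen > max_len:
            # Assumed policy: longer than /24 is usually filtered upstream.
            verdicts[text] = "too-specific"
        else:
            verdicts[text] = "announce"
    return verdicts


# Constructed sample: what OSPF on the L3 switches might be carrying.
SAMPLE_OSPF_ROUTES = [
    "203.0.113.0/24",    # public hosting block
    "203.0.113.128/25",  # more-specific of the same block
    "10.10.0.0/24",      # LAN behind the CARP gateway
    "192.168.255.0/30",  # switch-to-firewall transit link
    "198.51.100.0/24",   # not in our allow-list
    "0.0.0.0/0",         # default route
]
SAMPLE_ALLOWED = ["203.0.113.0/24"]

if __name__ == "__main__":
    for prefix, verdict in audit_bgp_export(SAMPLE_OSPF_ROUTES,
                                            SAMPLE_ALLOWED).items():
        print(f"{prefix:20} {verdict}")
```

Only prefixes marked `announce` belong in the outbound BGP filter; everything else should be denied explicitly rather than relied on not to appear.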
