On 12 May 2013, at 16:25, Jason Pyeron <jpye...@pdinc.us> wrote:

> Are the instructions in #4 the best way to do this, and are there updates
> (since 2006) I should be aware of when following those instructions?

I run a couple of these configurations for clients.

> Things I read first:
> 1: http://www.openbsd.org/cgi-bin/man.cgi?query=pfsync&sektion=4&manpath=OpenBSD+5.3
> 2: http://www.openbsd.org/faq/pf/carp.html#pfsyncop

3 looks like what I have, although there wasn't this much info around when I set these systems up.

> 3: http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)

Main thing is that everything is less predictable, so test every rule every which way before deploying. I stick to floating rules and tie the rules to interfaces rather than using the WAN, LAN etc. rule sets; sometimes the bridge has a different idea of which interface you mean. The chapter in the pfSense book is very helpful too.

> 4: http://www.seattlecentral.edu/~dmartin/docs/bridge.html

Yes, be very, very sure about your STP (RSTP) and where your root is and who controls it. I haven't tried the devd bridge tweak that Chris refers to, but I suspect it would make life a lot easier.

I've never managed to get DHCP to behave correctly on any bridged interfaces; hopefully you don't need it? I haven't gone to 2.0.3 yet, as dhcpd runs crazy in this configuration on 2.0.3 and I need it on a natted interface.

BTW, don't mix bridging and natting on the same firewall; that's really problematic.

Lastly, pester, pester, pester your ISP into giving you a router connect subnet (/29 etc.) so you don't have to bridge! I'm hoping to achieve this later this year after 3 years of nannying a redundant bridge firewall on a site with gigabit traffic, and I'll be very relieved when it finally happens.

Andre

> -Jason
>
> --
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> - Jason Pyeron                      PD Inc. http://www.pdinc.us -
> - Principal Consultant              10 West 24th Street #100    -
> - +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> This message is copyright PD Inc, subject to license 20080407P00.