I'm currently looking at growing my simple co-located setup of a single OpenBSD web server to add a separate firewall and a second web server. This would make regular upgrades much less stressful and add some welcome high availability and capacity improvements.
I'm considering running dual OpenBSD firewalls on e.g. ALIX.2d3 boards with CARP and pfsync. My question relates to linking the firewalls to the servers via switches in a sensible way.

I should be able to avoid the need for a switch on the upstream side by getting the ISP to provide me with two links from the rack router, one for each firewall board. These links would be CARP'd to share one external static IP. The second ethernet port on each board would be linked to the other board in the pair for pfsync.

My question relates to the third port on each board, making up the CARP'd internal interface on the DMZ side. How can I avoid plugging these two ports straight into the same switch, thereby adding a really obvious single point of failure to the entire setup? I can see a couple of options but I'm thinking I must be missing something obvious.

1. Rather than CARPing the interfaces on the DMZ side, they could simply be treated as two separate gateways. Each would connect to its own switch and the servers on the inside would select between them as per RFC816. I'm not even sure this would work because if a switch failed, the firewalls would have to somehow transfer master/slave status to match.

2. Set up a couple of RSTP switches and somehow connect the CARP'd internal interface to both of them. Connect the web servers to both switches and configure just the one gateway on them.

I can find heaps of good information on CARP but the described setups always show just one switch in the DMZ. Do people really just accept that single point of failure?

Regards,
Sam
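The CARP and pfsync configuration for the three-port layout the post describes, as an added example that is not from the original post or from OpenBSD's own documentation. Port roles (vr0 upstream, vr1 pfsync crossover, vr2 DMZ), all addresses and the CHANGEME passwords are placeholders assumed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: prints the OpenBSD hostname.if(5) files and the
# pf.conf rules for one of the two ALIX boards in the layout described above. Assumed
# (placeholder) port roles: vr0 = this board's own upstream link, vr1 = crossover to the
# other board for pfsync, vr2 = DMZ side. Addresses are RFC 5737 / RFC 1918 placeholders.
# Both carp interfaces stay in the default "carp" interface group, so per carp(4) a link
# failure under one of them raises the board's demotion counter and the other carp
# interface yields master as well: external and DMZ master status move together.
set -eu

# carp_params ROLE -> "<host index> <advskew>". The lower advskew wins master, so the
# secondary gets a clearly larger value and the preference order is deterministic.
carp_params() {
    case "$1" in
        primary)   echo "1 0" ;;
        secondary) echo "2 100" ;;
        *) echo "usage: carp_params primary|secondary" >&2; return 1 ;;
    esac
}

# gen_config ROLE -> each file as a "==> path" header followed by its contents
gen_config() {
    params=$(carp_params "$1") || return 1
    n=${params% *}; skew=${params#* }
    cat <<EOF
==> /etc/hostname.vr0
inet 203.0.113.1$n 255.255.255.240

==> /etc/hostname.carp0
inet 203.0.113.10 255.255.255.240 NONE vhid 1 carpdev vr0 pass CHANGEME_EXT advskew $skew

==> /etc/hostname.vr1
inet 10.255.255.$n 255.255.255.252

==> /etc/hostname.pfsync0
up syncdev vr1

==> /etc/hostname.vr2
inet 192.0.2.1$n 255.255.255.0

==> /etc/hostname.carp1
inet 192.0.2.1 255.255.255.0 NONE vhid 2 carpdev vr2 pass CHANGEME_DMZ advskew $skew

==> /etc/pf.conf (fragment)
# pfsync only on the crossover; CARP advertisements on both CARP'd links
pass quick on vr1 proto pfsync keep state (no-sync)
pass on { vr0 vr2 } proto carp keep state (no-sync)
EOF
}
if [ $# -gt 0 ]; then gen_config "$1"; fi
```

Run it as `sh carp-config.sh primary` on one board and `secondary` on the other, then copy each section into the named file; the web servers in the DMZ use 192.0.2.1 as their only gateway.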