On 20.07.2011 00:31, Kapetanakis Giannis wrote:
> On 19/07/11 20:03, Joerg Streckfuss wrote:
>> Hi list,
>>
>> I have the following test setup with four firewall nodes connected to three
>> networks:
>>
>>
>>                       network A
>>    |------------------------------------------|
>>    |            |     CARP     |              |
>>    |            |              |              |
>> +--+--+      +--+--+        +--+--+        +--+--+
>> | fw1 |      | fw2 |        | fw3 |        | fw4 |
>> +--+--+      +--+--+        +--+--+        +--+--+
>>    |            |              |              |
>>    |   CARP     |              |     CARP     |
>>    |------------|              |--------------|
>>      network B                   network C
>>
>>
>> As you can see all four nodes are connected to network A but only fw1 and fw2
>> are connected to network B. On the other side only fw3 and fw4 are connected
>> to network C.
>>
>> For network A all nodes form a CARP cluster. The order of priority for which
>> node is in master mode is: fw1 -> fw2 -> fw3 -> fw4.
>> For network B fw1 and fw2 form a CARP cluster and order of priority is fw1 ->
>> fw2. And last but not least for network C fw3 and fw4 form a CARP cluster and
>> order of priority is fw3 -> fw4. Preempting is active on all nodes.
>>
>> The point which gives me a headache is that normally fw3 is master for
>> network C but backup for network A. Not very surprising.
>> I know this is a very uncommon setup but it works for me for many days now.
>> A failover to node fw3 respectively fw4 on network A performs as expected.
>> Are there any possible side effects I have overlooked?
>>
>> Many thanks in advance,
>>
>> Joerg
>
> If fw1 is master for network A, how do you route traffic from A to C?
This is not really a problem because it is not required. One of the main
requirements is that the hosts on network A are all using the same gateway and
the routing into and out of network A is always symmetric.
My description of network B and C was a bit ambiguous. So let me go a little
bit deeper into the details:
                      network A
   |------------------------------------------|
   |            |     CARP     |              |
   |            |              |              |
+--+--+      +--+--+        +--+--+        +--+--+
| fw1 |      | fw2 |        | fw3 |        | fw4 |
+--+--+      +--+--+        +--+--+        +--+--+
   |            |              |              |
   |   CARP     |              |     CARP     |
   |------------|              |--------------|
         |                             |
         |                             |
      +--+--+                       +--+--+
      |  R1 |                       |  R2 |
      +--+--+                       +--+--+
         |                             |
    _____|_____________________________|_____
   /                                         \
  /              Internet Cloud               \
  \                                           /
   \_________________________________________/
R1 and R2 are routers which are gateways to the internet. So the only purpose
for network B and C is connecting the routers with the firewalls. R2 is only for
backup.
> I would put fw1 & fw2 in CARP A1 and fw3 & fw4 in CARP A2 (different vhid,
> different virt IP)
> or make all firewalls listen on all networks (A,B,C) with no asymmetry.
As mentioned above routing should be always symmetric. If one of the hosts of
network A is using gate A1 and another is using gate A2 the routing is
asymmetric.
regards,
Joerg
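One way to express the master ordering described in this thread (fw1 -> fw2 -> fw3 -> fw4 on network A, fw1 -> fw2 on network B, fw3 -> fw4 on network C, preemption on) in OpenBSD's carp(4) configuration files. This is an added example, not configuration posted by anyone in the thread; the physical interface names em0/em1, the vhids, the addresses and the SECRET_* passwords are assumptions chosen for illustration:

```conf
# /etc/sysctl.conf on every node (assumed): allow virtual hosts to preempt,
# which also makes carp fail over a host's carp interfaces as a group
net.inet.carp.preempt=1

# ---- network A: carp0 on all four nodes, vhid 10, carpdev em0 (assumed) ----
# the node with the lowest advskew becomes master, so the order is
# fw1 -> fw2 -> fw3 -> fw4; one line per node's /etc/hostname.carp0
# fw1:
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 10 carpdev em0 advskew 0 pass SECRET_A
# fw2:
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 10 carpdev em0 advskew 50 pass SECRET_A
# fw3:
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 10 carpdev em0 advskew 100 pass SECRET_A
# fw4:
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 10 carpdev em0 advskew 150 pass SECRET_A

# ---- network B: carp1 on fw1 and fw2 only, vhid 20, carpdev em1 (assumed) ----
# fw1: /etc/hostname.carp1
inet 198.51.100.1 255.255.255.0 198.51.100.255 vhid 20 carpdev em1 advskew 0 pass SECRET_B
# fw2: /etc/hostname.carp1
inet 198.51.100.1 255.255.255.0 198.51.100.255 vhid 20 carpdev em1 advskew 50 pass SECRET_B

# ---- network C: carp1 on fw3 and fw4 only, vhid 30, carpdev em1 (assumed) ----
# fw3: /etc/hostname.carp1
inet 203.0.113.1 255.255.255.0 203.0.113.255 vhid 30 carpdev em1 advskew 0 pass SECRET_C
# fw4: /etc/hostname.carp1
inet 203.0.113.1 255.255.255.0 203.0.113.255 vhid 30 carpdev em1 advskew 50 pass SECRET_C
```

A backup node with a higher advskew only takes over when the current master stops advertising, and net.inet.carp.preempt=1 is what lets a returning fw1 reclaim the master role instead of staying backup. The same sysctl also makes carp(4) demote a host's other carp interfaces when one of them goes down, so a node that loses its link towards R1 or R2 stops being master on network A as well, which is what keeps the path into and out of network A on one node as the thread requires. Verify the resulting state on each node with `ifconfig carp` (the status line shows MASTER or BACKUP and the effective advskew).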