On Sat, Jul 5, 2014 at 3:20 PM, Mxher <[email protected]> wrote:
> Hello everyone,
>
> At work we are using a firewall cluster of two Linux servers but I'm
> trying to change this; especially to replace iptables/netfilter by pf
> (mostly for performance and 'easy to maintain' reasons).
>
> Here is the thing: right now if the active node is seen dead, all
> resources will switch to the other node (via pacemaker/heartbeat); here
> are the resources managed:
> - virtual IPs,
> - firewall's configuration,
> - routes,
> - ADSL modems (in bridge mode) interfaces.
>
> So here are my issues:
> 1) Can I group multiple virtual IPs to make them switch all at the same
> time using CARP?
>
> 2) About modem interfaces, I can't have them UP on both firewalls at
> the same time.
> How would you manage that?
>
> Currently, I'm thinking about making CARP listen on a dedicated
> interface (directly connected between the two servers) and manage
> everything by the up/down scripts.
> But with that kind of solution there will be no failover if another
> interface goes down on the active node.
>
> Maybe I'm missing something obvious here, in that case please don't hit
> me too hard ;)
>
> Thanks!

Read the FAQ, don't forget to sync the states and use ifstated to change the modem state when switching master fw.

--
() ascii ribbon campaign - against html e-mail
/\
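
A sketch of the ifstated approach suggested in the reply, added here as an example and not taken from either poster: an `/etc/ifstated.conf` that brings the modem-facing interface up only on the node that is CARP master. The interface names `carp0`, `carp1` and `em2` are assumptions, as is `net.inet.carp.preempt=1` being set so that all CARP interfaces fail over together.

```conf
# /etc/ifstated.conf (example; interface names are hypothetical)
# carp0 = LAN virtual IP, carp1 = DMZ virtual IP, em2 = NIC facing the ADSL modem.
# Assumes net.inet.carp.preempt=1 in /etc/sysctl.conf: when one CARP-enabled
# physical interface loses link, the node demotes itself on every carp
# interface, so the virtual IPs move to the peer as a set.

init-state auto

# This node owns the service only when it is master on every carp interface.
all_master = "(carp0.link.up && carp1.link.up)"
any_backup = "(!carp0.link.up || !carp1.link.up)"

state auto {
	if $all_master
		set-state master
	if $any_backup
		set-state backup
}

state master {
	init {
		# Only the active firewall may have the modem link up.
		run "ifconfig em2 up"
	}
	if $any_backup
		set-state backup
}

state backup {
	init {
		# Keep the modem interface down on the standby node so the
		# two firewalls never have it up at the same time.
		run "ifconfig em2 down"
	}
	if $all_master
		set-state master
}
```

State synchronisation between the two nodes is a separate piece (pfsync over the dedicated link) and is not shown here.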

