Hi, I would be interested to find out the community's view on whether separating "router" and "firewall" roles is still a good thing or whether developments in recent iterations of OpenBSD would permit aggregation whilst maintaining integrity and security ?
If you forgive my attempt at ASCII art (which I hope survives internet mangling), this would be representative of what I would do for a "traditional" setup: (BGP) (BGP) | | ["router"] ["router"] | \ / | | \ / | | / \ | | / \ | ["firewall"] ["firewall"] • The routers talk full BGP externally and default-route BGP to the firewalls. • The firewalls talk offer VRRP internally and also BGP default-route internally to those that can talk BGP • The firewalls also offer other internal services such as NTP etc.• The firewalls also act as a VPN endpoint externally using a combination of iked, ifstated and other stuff to make it work • The firewalls are very much perimeter firewalls, they don't do detailed content handling such as mail etc., that is done elsewhere Various factors have led to a hardware refresh for this kit, and as part of that I'm curious as to whether I can consolidate without (a) loosing the benefits of the split model and (b) introducing too much un-necessary additional complexity. Thanks ! Rachel