Hi,

I'm looking to set up redundant firewalls in pretty much the same way as is detailed in the PF FAQ. For discussion purposes, I've reproduced the basic network layout below.


         +----| WAN/Internet |----+
         |                        |
      em2|                        |em2
      +-----+                  +-----+
      | fw1 |-em1----------em1-| fw2 |
      +-----+                  +-----+
      em0|                        |em0
         |                        |
      ---+-------Shared LAN-------+---
              |              |
              |              |
           +-----+        +-----+
           | sv1 |        | sv2 |
           +-----+        +-----+

Firewall External IP addresses
10.0.0.1 nat'ed to sv1 with fw1 being the master
10.0.0.2 nat'ed to sv2 with fw2 being the master

Firewall Internal IP addresses
192.168.0.1 with fw1 being the master
192.168.0.2 with fw2 being the master


Now with sv1's default route being set to 192.168.0.1 and sv2's default route being set to 192.168.0.2 all should work fine (at least as far as documentation goes). However, what I'd like to do is have both sv1 and sv2 use both 192.168.0.1 and 192.168.0.2 for routing in a round-robin fashion. With fw1 handling sv1's nat'ing, will fw2 correctly be able to un'nat and send out replies sent by sv1?

I'm aware that there'll be a small race between fw2 processing fw1's pfsync state change notification and the reply coming from sv1. That should be handleable by using priority queues and always bumping pfsync traffic to the top of the list. Are there any other possible gotchas or reasons why this might not work?

Thanks in advance.

--
Jason Stubbs
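The layout described in the post, written out as OpenBSD hostname.if and pf.conf fragments in current pf syntax. This is an added illustration, not configuration from the original post: the servers' internal addresses (192.168.0.11/12), the vhid numbers and the CARP pass phrases are constructed, and the pfsync `defer` flag is included because it addresses the state-replication race the post describes (the first packet of a new state is held until the peer acknowledges the insert).

```conf
# --- fw1: /etc/hostname.carp0  (LAN; advskew 0 -> fw1 is master for 192.168.0.1)
inet 192.168.0.1 255.255.255.0 192.168.0.255 vhid 1 carpdev em0 advskew 0 pass lan-secret-1
# --- fw1: /etc/hostname.carp1  (LAN; advskew 100 -> fw1 is backup for 192.168.0.2)
inet 192.168.0.2 255.255.255.0 192.168.0.255 vhid 2 carpdev em0 advskew 100 pass lan-secret-2
# --- fw1: /etc/hostname.carp2 and carp3 (WAN side, same pattern)
inet 10.0.0.1 255.255.255.0 10.0.0.255 vhid 3 carpdev em2 advskew 0 pass wan-secret-3
inet 10.0.0.2 255.255.255.0 10.0.0.255 vhid 4 carpdev em2 advskew 100 pass wan-secret-4
# fw2 uses the same four files with the advskew values swapped (0 <-> 100),
# so each CARP address has exactly one master at a time, as the post lays out.

# --- both firewalls: /etc/hostname.pfsync0
# em1 is the dedicated crossover link between fw1 and fw2. "defer" holds the
# first packet of a new state until the peer has acknowledged the state insert,
# so the reply cannot reach the other firewall before the state does.
up syncdev em1 defer

# --- both firewalls: /etc/pf.conf (identical rule set on fw1 and fw2)
ext_if  = "em2"
int_if  = "em0"
sync_if = "em1"
sv1 = "192.168.0.11"   # constructed; the post does not give sv1's LAN address
sv2 = "192.168.0.12"   # constructed; the post does not give sv2's LAN address

set skip on { lo0 $sync_if }     # never filter or track pfsync traffic itself

block log all                    # default deny; everything below is an exception

# CARP advertisements on both segments; without these neither vhid can elect
# a master. (no-sync) keeps these local states out of the pfsync stream.
pass quick on { $int_if $ext_if } proto carp keep state (no-sync)

# Bidirectional 1:1 NAT of each server to its public CARP address. The state is
# created on whichever firewall forwards the first packet and replicated to the
# peer over pfsync, which is what the round-robin question above depends on.
pass on $ext_if from $sv1 binat-to 10.0.0.1
pass on $ext_if from $sv2 binat-to 10.0.0.2

# Allow the servers' outbound traffic in on the LAN side.
pass in on $int_if from { $sv1 $sv2 } to any
```

Because pfsync carries state table updates in the clear and unauthenticated, the sync interface should stay on a dedicated link, as the crossover cable between em1 and em1 in the diagram provides.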