Joseph C. Bender wrote:
> Jason Stubbs wrote:
>> Hi,
>> I'm looking to set up redundant firewalls in pretty much the same way
>> as is detailed in the PF FAQ. For discussion purposes, I've reproduced
>> the basic network layout below.
> From your description and questions below, it looks like you're not
> trying to do it the same way, and your understanding may be incomplete.
Apologies. I stated what I want to do but forgot to state the why. We're
moving to a new data center. Originally, I was looking at setting up
stock redundant firewalls but we will be charged almost as much for the
inactive line to the data center as the active line costs.
While inbound traffic isn't such a problem, output can reach up to
60Mbps during peak times. Hence, what I'd like to do is run 2 active
30Mbps lines and balance outgoing traffic between them rather than
having active/passive 60Mbps lines.
[Snip Layout]
>> Firewall External IP addresses
>> 10.0.0.1 nat'ed to sv1 with fw1 being the master
>> 10.0.0.2 nat'ed to sv2 with fw2 being the master
>> Firewall Internal IP addresses
>> 192.168.0.1 with fw1 being the master
>> 192.168.0.2 with fw2 being the master
> Are these CARP'd addresses, as in you have multiple CARP interfaces
> per NIC? If so, why?
CARP'd addresses, yes. The external addresses are those of the services
being run on sv1 and sv2 (which are in fact LVS'd Linux farms). The
multiple internal addresses are for the internal servers to round-robin
outgoing traffic to.
>> Now with sv1's default route being set to 192.168.0.1 and sv2's
>> default route being set to 192.168.0.2 all should work fine (at least
>> as far as documentation goes). However, what I'd like to do is have
>> both sv1 and sv2 use both 192.168.0.1 and 192.168.0.2 for routing in a
>> round-robin fashion. With fw1 handling sv1's nat'ing, will fw2
>> correctly be able to un'nat and send out replies sent by sv1?
> I'm not going to answer this directly, mostly because I can't figure
> out, given you have a really kickass failover system, why you'd even
> want to do this. Given you're using hardware that is capable of using
> em cards, box loading shouldn't be an issue.
> Put simply, you're trying to make this harder than it really is, I
> think. I suggest the following, which is what we use at the office and
> is a heck of a lot closer to what the PF User's Guide suggests:
> [snip configuration details]
> If fw1 goes paws up or needs maintenance, and if you've done everything
> right, fw2 will take the load almost instantly (within milliseconds in
> my experience).
This configuration is essentially what I'm looking at doing. The only
difference is that instead of having one internal address, I'd like to
have two. As I said above, the goal is to balance outgoing traffic and
still have redundancy. I'm aware that when one box goes down there won't
be enough bandwidth for peak times, but that's a cost/performance
tradeoff that's been approved.
> [snip rest, as it's not relevant to my answer]
> My whole point is that with the CARP and pfsync redundancy, there's no
> need to have really complicated routes to and from your servers and
> their firewalls.
Actually, we'd need to be looking to find a way to balance outgoing
traffic anyway. We're at about 60Mbps during peak times now but that's
only going to grow. As we can only get a maximum of 100Mbps out of each
line, overcoming that limit is also on the agenda.
From what I understand of the theory, it should work but I was hoping
to get a "yes, I'm doing it" from somebody. Unless there's a reason it
won't work, I'll be having a go and getting it set up in the first week
of March and will write back with the results.
--
Jason Stubbs
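Added example, not from either poster: one way the two-master layout discussed above could be written on an OpenBSD firewall of that era, with each firewall master for one external and one internal VHID and pfsync carrying the NAT state table so that a reply routed via the other box can be un-nat'ed. Interface names (em0/em1/em2), the internal server addresses, the CARP passwords and the hostname.if syntax are assumptions; check them against the carp(4), pfsync(4) and pf.conf(5) pages of the release in use.

```conf
# ---- fw1: /etc/hostname.carp0  (external 10.0.0.1, vhid 1, fw1 master) ----
inet 10.0.0.1 255.255.255.0 10.0.0.255 vhid 1 carpdev em0 pass ext1secret advskew 0
# ---- fw1: /etc/hostname.carp1  (external 10.0.0.2, vhid 2, fw1 backup) ----
inet 10.0.0.2 255.255.255.0 10.0.0.255 vhid 2 carpdev em0 pass ext2secret advskew 100
# ---- fw1: /etc/hostname.carp2  (internal 192.168.0.1, vhid 3, fw1 master) ----
inet 192.168.0.1 255.255.255.0 192.168.0.255 vhid 3 carpdev em1 pass int1secret advskew 0
# ---- fw1: /etc/hostname.carp3  (internal 192.168.0.2, vhid 4, fw1 backup) ----
inet 192.168.0.2 255.255.255.0 192.168.0.255 vhid 4 carpdev em1 pass int2secret advskew 100
# fw2 carries the same four files with advskew 0 and 100 swapped, so it
# becomes master for vhid 2 (10.0.0.2) and vhid 4 (192.168.0.2).

# ---- both: /etc/hostname.pfsync0 ----
# pfsync carries state updates in the clear with no authentication, so em2
# is assumed to be a dedicated crossover cable between fw1 and fw2 only.
up syncdev em2

# ---- both: /etc/pf.conf (identical on fw1 and fw2) ----
ext_if    = "em0"
int_if    = "em1"
pfsync_if = "em2"
sv1 = "192.168.0.11"     # assumed internal address of the sv1 farm
sv2 = "192.168.0.12"     # assumed internal address of the sv2 farm

# Inbound: the firewall that is CARP master for the public address receives
# the packet, creates the state and redirects it to the matching server.
rdr on $ext_if proto tcp from any to 10.0.0.1 port 80 -> $sv1
rdr on $ext_if proto tcp from any to 10.0.0.2 port 80 -> $sv2

# Outbound connections from each farm leave with that farm's public address,
# whichever firewall the server's round-robin default route picked.
nat on $ext_if from $sv1 to any -> 10.0.0.1
nat on $ext_if from $sv2 to any -> 10.0.0.2

# CARP advertisements and pfsync updates must not be filtered.
pass quick on $pfsync_if proto pfsync
pass on { $ext_if $int_if } proto carp keep state

# Because the state table is shared, "keep state" on either box covers the
# reply path even when the reply is routed through the other firewall.
pass in on $ext_if proto tcp from any to { $sv1 $sv2 } port 80 flags S/SA keep state
pass in on $int_if from { $sv1 $sv2 } to any keep state
pass out on $ext_if from { 10.0.0.1 10.0.0.2 } to any keep state
```

State records travel over pfsync after the state is created, so a reply that reaches the other firewall before its record has arrived is dropped; that window is the first thing to measure when testing the round-robin gateway idea, and to watch with pfctl -ss on both boxes.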