I'm attempting to get a bridging firewall setup going... with two servers rigged as a fault tolerant pair.
CARP of course won't work in this setup... as I'm not sharing an IP. So... I'm using spanning tree protocol. So... graphically:

                     Firewall A
    Host -- switch <     |     > switch -- Internet
                     Firewall B

I'm using pfsync between A & B on a dedicated interface... and when I have pf enabled on both, I do see the states synchronized. But for now I have pf disabled as I'm having a problem I haven't been able to put my finger on yet.

If I start a ping on Host, the pings are going through A, as spanning tree has the internet side port on B in blocking state. Pings are happening fine. Now I pull the ethernet from A to the internet... pings stop of course... I can watch host B (via brconfig) go from blocking to listening, to learning, to forwarding. Block for 20 or so seconds, then listening for 15 or so seconds, then learning for 15 or so seconds... then forwarding. Once forwarding is working, I can use a different virtual console on the host to ping a different host.. that's working fine. BUT the original ping still doesn't begin responding again (or a separate new ping to the same IP) for 7 minutes.

Since the address learning (which when things recover I can see changes) had a 4 minute timeout I thought it would be that... but shortening it, or adding -learn to the two bridge interfaces on the two firewalls doesn't help.

The switchover time can be made faster... by power cycling the two switches on each side of the firewall pairs after the interface goes into forward. This drops the switchover time to about 1.5 minutes. Even tcpdump -i <internal interface> on the B firewall won't show the pings...

Part of this is the layer 2 learning that is going on in the two switches... currently for staging these are two non managed switches. In production the firewalls will bridge two VLANs on a large Cisco switch. And the current plan was to have spanning tree turned off on the Cisco switch... letting the firewalls manage spanning tree amongst themselves.

7 minutes is not an acceptable failover time for existing connections. Anyone ever do anything like this before? I'm guessing that some custom configuration is going to be required on the Cisco switch ports to decrease this switchover time to something more acceptable... More host tuning/etc may be required as well..

So.. here's the config info...

    fxp0 has an IP
    fxp1 has no IP
    the bridge is fxp0 and fxp1

and here is the contents of the bridgename.bridge0 file:

    on Firewall A          on Firewall B
    ---------------        -------------
    blocknonip fxp0        blocknonip fxp0
    blocknonip fxp1        blocknonip fxp1
    add fxp0               add fxp0
    add fxp1               add fxp1
    ifpriority fxp0 2      ifpriority fxp0 2
    ifpriority fxp1 4      ifpriority fxp1 4
    ifcost fxp0 2          ifcost fxp0 2
    ifcost fxp1 2          ifcost fxp1 2
    stp fxp0               stp fxp0
    stp fxp1               stp fxp1
    timeout 30             timeout 30
    up                     up

Any suggestions? Can this be made to work, or do I have to move to a routed firewall configuration and use CARP/PFSYNC?? (wanted bridged firewalls for the 'transparency' and relative ease of insertion into an existing network.)

Thanks,
-- Curt
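As an added illustration (not part of Curt's post, and not OpenBSD bridge(4) code), the model below shows one piece of the symptom he describes: a learning switch that has the remote host's MAC in its table toward firewall A keeps unicasting frames down the dead path until that entry ages out, while frames to a never-seen MAC are flooded and immediately relearned on B, which is exactly why a new ping to a different host works while the old one stays dark and tcpdump on B sees nothing. The 240-second aging value, the port names and the 50-second STP convergence are assumptions taken from the numbers in the post; the model only covers stale forwarding entries, not the full 7 minutes observed.

```python
"""Illustrative learning-bridge model: MAC -> (port, last_seen) with aging.
Constructed for this thread; it is not the code of any real switch or bridge."""


class LearningBridge:
    """Minimal learning switch with a per-entry aging timeout in seconds."""

    def __init__(self, ports, aging=240.0):
        self.ports = set(ports)  # e.g. {"host", "A", "B"} (assumed names)
        self.aging = aging       # 240 s models the 4-minute timeout in the post
        self.table = {}          # mac -> (port, last_seen)

    def learn(self, src_mac, in_port, now):
        """Record which port a source MAC was last seen on."""
        self.table[src_mac] = (in_port, now)

    def out_port(self, dst_mac, now):
        """Port a frame to dst_mac leaves on, or 'FLOOD' if unknown/aged out."""
        entry = self.table.get(dst_mac)
        if entry is None:
            return "FLOOD"
        port, seen = entry
        if now - seen > self.aging:
            del self.table[dst_mac]  # entry aged out: flood and relearn
            return "FLOOD"
        return port

    def topology_change(self):
        """What STP topology-change handling is meant to achieve: forget
        learned entries so traffic is flooded and relearned on the new path."""
        self.table.clear()


def simulate(flush_on_failover, aging=240.0, converge=50.0):
    """Host-side switch. Reply frames from the Internet host were learned
    toward A; A's uplink then dies and B converges after `converge` seconds.
    Returns how many seconds frames still go toward A after B is forwarding."""
    sw = LearningBridge({"host", "A", "B"}, aging)
    inet_mac = "00:00:00:00:00:01"  # constructed sample MAC of the Internet host
    t = 0.0
    sw.learn(inet_mac, "A", t)      # last reply seen on the port toward A
    t += converge                   # A's link pulled; STP on B reaches forwarding
    if flush_on_failover:
        sw.topology_change()        # a managed switch honouring a TCN would do this
    start = t
    while sw.out_port(inet_mac, t) == "A":  # still unicast down the dead path
        t += 1.0                            # no frames arrive from inet_mac to refresh it
    return t - start
```

With the 4-minute aging and no flush the entry blackholes the old flow for about 3 more minutes after B starts forwarding; a flush on topology change, or an aging timer shorter than the convergence time, brings that to zero.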