On Fri, Jul 07, 2006 at 06:30:06PM +0200, Peter Philipp wrote:
> I think you can do it with the following: Get 2 cheap routers that can pass
> 3Mb/s, no big functionality needed except that they do ethernet (Cisco 2500's?
> they should be cheap by now..), 2 switches for the etherlink between the two
> locations (if a direct ethernet link can't be established perhaps use an
> OpenBSD bridge with ethernet over gif(4)?) and then the existing routers
> configured with carp. In ascii it would look like so:
You may even do it cheaper than that with a bit of programming, and it doesn't require a purchase of any network gear; however, the functionality may not be there in the tun(4) driver.

Basically what I'm thinking of is the following: The x.y.z.w/29 and a.b.c.d/29 interfaces have a rdr pf rule that redirects everything inbound into a daemon that runs a tun(4) interface in layer 3 mode. This daemon writes the incoming packets out another tun(4) interface that is in layer 2 mode, which is also bridged within a set of ethernet interfaces (192.168.0.0/24) that also have CARP devices on each end. This is where I'm unsure if this is functional (bridging a layer 2 tun(4) device); anyhow, the MAC address that it writes to is the CARP virtual address (or you could implement rudimentary ARP into the daemon as well), and you should have failover as long as the firewalls themselves don't fail.

Required on each firewall are 4 ethernet interfaces and the tun(4) userland daemon. You should see some overhead with this due to copying the packets into userland and then back to kernel via the tun(4) interfaces.

Gee, I'm feeling really creative today. Let the imagination flow.

-peter

--
Here my ticker tape .signature
#### My name is Peter Philipp ####
lynx -dump "http://en.wikipedia.org/w/index.php?title=Pufferfish&oldid=20768394" | sed -n 131,136p
#### So long and thanks for all the fish!!!
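One way to write the userland glue Peter sketches above, as an added example that is neither his code nor anything shipped with OpenBSD. It assumes OpenBSD tun(4) semantics: a layer 3 tun delivers each packet with a 4-byte network-byte-order address-family header, while a tun in layer 2 (link0) mode carries raw Ethernet frames that a bridge can forward. The daemon wraps each IP packet in an Ethernet frame whose destination is the CARP virtual MAC, 00:00:5e:00:01:<vhid>, so whichever box is currently CARP master picks it up. The device names /dev/tun0 and /dev/tun1, the vhid of 1, the source MAC and the sample packet are all constructed for illustration; ARP is not implemented, exactly as the post leaves it.

```c
/* Added example, not from the original post or OpenBSD: userland forwarder
 * between a layer 3 tun(4) and a layer 2 (link0) tun(4) addressed to the
 * CARP virtual MAC. Device names, vhid, source MAC and sample packet are
 * assumptions for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/socket.h>
#include <arpa/inet.h>

#define ETHER_HDR 14      /* dst(6) src(6) ethertype(2) */
#define TUN_HDR   4       /* OpenBSD tun(4) layer 3 address-family header */
#define ETYPE_IP  0x0800
#define ETYPE_IP6 0x86DD
#define MAXPKT    2048

/* CARP virtual MAC: 00:00:5e:00:01:<vhid>. */
void carp_vmac(uint8_t vhid, uint8_t mac[6]) {
    const uint8_t base[6] = {0x00, 0x00, 0x5e, 0x00, 0x01, 0x00};
    memcpy(mac, base, 6);
    mac[5] = vhid;
}

/* Wrap a layer 3 tun(4) packet in an Ethernet frame for the layer 2 tun.
 * Returns the frame length, or -1 for a short packet, unknown family or
 * insufficient buffer. Non-IP families are dropped, not forwarded. */
int l3_to_l2(const uint8_t *pkt, size_t len, const uint8_t src[6],
             uint8_t vhid, uint8_t *frame, size_t cap) {
    uint32_t af;
    uint16_t etype;
    size_t payload;
    if (len < TUN_HDR) return -1;
    memcpy(&af, pkt, 4);
    af = ntohl(af);
    if (af == AF_INET) etype = ETYPE_IP;
    else if (af == AF_INET6) etype = ETYPE_IP6;
    else return -1;
    payload = len - TUN_HDR;
    if (payload + ETHER_HDR > cap) return -1;
    carp_vmac(vhid, frame);                /* dst: CARP virtual MAC */
    memcpy(frame + 6, src, 6);             /* src: our own MAC */
    frame[12] = (uint8_t)(etype >> 8);
    frame[13] = (uint8_t)(etype & 0xff);
    memcpy(frame + ETHER_HDR, pkt + TUN_HDR, payload);
    return (int)(ETHER_HDR + payload);
}

/* Return path: strip the Ethernet header and re-add the tun(4) AF header.
 * ARP and CARP advertisements (other ethertypes) are left to the bridge. */
int l2_to_l3(const uint8_t *frame, size_t len, uint8_t *pkt, size_t cap) {
    uint16_t etype;
    uint32_t af;
    size_t payload;
    if (len < ETHER_HDR) return -1;
    etype = (uint16_t)((frame[12] << 8) | frame[13]);
    if (etype == ETYPE_IP) af = htonl(AF_INET);
    else if (etype == ETYPE_IP6) af = htonl(AF_INET6);
    else return -1;
    payload = len - ETHER_HDR;
    if (payload + TUN_HDR > cap) return -1;
    memcpy(pkt, &af, 4);
    memcpy(pkt + TUN_HDR, frame + ETHER_HDR, payload);
    return (int)(TUN_HDR + payload);
}

/* Constructed sample: AF_INET header plus a minimal 20-byte IPv4 header
 * (10.0.0.1 -> 10.0.0.2, no payload). Returns bytes written, 0 on error. */
size_t make_sample_ipv4(uint8_t *buf, size_t cap) {
    const uint8_t ip[20] = {0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x40, 0x00,
                            0x40, 0x01, 0x00, 0x00, 10, 0, 0, 1, 10, 0, 0, 2};
    uint32_t af = htonl(AF_INET);
    if (cap < TUN_HDR + sizeof ip) return 0;
    memcpy(buf, &af, 4);
    memcpy(buf + TUN_HDR, ip, sizeof ip);
    return TUN_HDR + sizeof ip;
}

/* Pump the L3 -> L2 direction; the reverse loop is symmetric with l2_to_l3. */
int main(void) {
    const uint8_t my_mac[6] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01}; /* assumed */
    uint8_t in[MAXPKT], out[MAXPKT + ETHER_HDR];
    int l3 = open("/dev/tun0", O_RDWR);    /* assumed: layer 3 mode */
    int l2 = open("/dev/tun1", O_RDWR);    /* assumed: link0, bridged */
    if (l3 < 0 || l2 < 0) { perror("open tun"); return 1; }
    for (;;) {
        ssize_t n = read(l3, in, sizeof in);
        if (n <= 0) break;
        int flen = l3_to_l2(in, (size_t)n, my_mac, 1, out, sizeof out);
        if (flen < 0) continue;            /* drop non-IP */
        if (write(l2, out, (size_t)flen) != flen) perror("write tun1");
    }
    return 0;
}
```

The two copies per packet (kernel to userland on tun0, userland to kernel on tun1) are the overhead the post anticipates. Because the frame is always addressed to the CARP virtual MAC rather than a real interface MAC, failover needs no state in the daemon: after a CARP transition the bridge simply delivers the same frames to the new master.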

