[EMAIL PROTECTED] wrote:
Good Morning,
I'm currently in the process of configuring a new firewall for my company and
would like to know the following:
1. Is it possible to configure OpenBSD firewall interface as follows:
carp10 - int/ext virtual eth dev (ip of CVI - shared between fw's)
|
vlan10 - int/ext virtual eth dev (ip of NDI - not shared)
|
pcn0 - int/ext eth device (no ip)
Basically, I'd like to use vlans on top of physical interfaces, with carp
devices on top of vlan logical interfaces.
i have something similar set up here at work, albeit with actual IPs
assigned to the physical (in your case pcn0) interface on each machine.
from what i've read on here it shouldn't be an issue to have IP-less
physical interfaces, especially if only vlan-tagged traffic is coming
through them.
the only "gotcha" i encountered with a configuration like this is that
if you're running named (DNS) on the machines, are using carp
arpbalance and have the /etc/resolv.conf of each machine set to resolve
to the carp IP address, things don't work right. this is likely because each
machine thinks it's the master.
2. I'm guessing that when the firewall is configured as above, I'll refer to
the vlan interface with the carp-specific IP address (rather than the physical int)?
unless the inbound traffic to the public IPs is tagged, you don't want
to use a vlan interface. might want to take a look at the carpdev
keyword in the ifconfig manpage.
3. Do I need to add virtual IP addresses to the firewall to answer for each
public IP address, or can I simply configure the router to
route all traffic for the subnet through the IP address of the external carp device of the
firewall?
see pf.conf manpage and binat.
cheers,
jake
Regards,
Garron
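As an added illustration of the layering discussed in this thread (not part of either poster's message, and not OpenBSD project code), the script below writes the three hostname.if(5) files for carp10 on vlan10 on an address-less pcn0, plus a pf.conf binat rule bound to the carp interface, into a scratch directory and then checks the layering the way jake's advice implies: the carp interface names its carrier with carpdev, that carrier has an address of its own, the vlan's vlandev is a real interface, and the binat rule is attached to the carp interface rather than to the vlan or the NIC. The addresses, vhid, pass phrase and scratch directory are made-up values; the keyword syntax is the period-appropriate one (vlan/vlandev and pre-4.7 binat), see the note after the block.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the hostname.if files for
# carp10 -> vlan10 -> pcn0 (no address on pcn0) and a pf.conf binat rule
# in a scratch directory, then sanity-checks the layering.
# All addresses, the vhid and the pass phrase are constructed sample values.

set -eu

CFG=${CFG:-$(mktemp -d)}   # scratch dir standing in for /etc (assumption)

write_configs() {
    dir=$1
    # Physical NIC: no inet line, only brought up to carry tagged frames.
    printf 'up\n' > "$dir/hostname.pcn0"
    # vlan 10 on pcn0: this box's own (NDI, not shared) address.
    printf 'inet 192.0.2.2 255.255.255.0 NONE vlan 10 vlandev pcn0\n' \
        > "$dir/hostname.vlan10"
    # carp on top of the vlan: the shared (CVI) address; carpdev names the carrier.
    printf 'inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 10 carpdev vlan10 pass s3cret advskew 0\n' \
        > "$dir/hostname.carp10"
    # pre-4.7 pf syntax: one-to-one translation bound to the carp interface.
    printf 'binat on carp10 from 10.0.0.10 to any -> 203.0.113.10\n' \
        > "$dir/pf.conf"
}

# Print the word following keyword $2 in hostname.if file $1 (empty if absent).
kw() {
    awk -v k="$2" '{ for (i = 1; i < NF; i++) if ($i == k) print $(i+1) }' "$1"
}

# True if the hostname.if file configures an IPv4 address.
has_inet() { grep -q '^inet ' "$1"; }

# check_layering DIR CARPIF: exit 0 if the carp/vlan/physical stack and the
# binat rule are wired the way the thread describes, 1 (with a reason) if not.
check_layering() {
    dir=$1; carp=$2
    cdev=$(kw "$dir/hostname.$carp" carpdev)
    [ -n "$cdev" ] || { echo "$carp: no carpdev keyword"; return 1; }
    [ -f "$dir/hostname.$cdev" ] && has_inet "$dir/hostname.$cdev" ||
        { echo "$carp: carpdev $cdev has no address of its own"; return 1; }
    case $cdev in
    vlan*)
        vdev=$(kw "$dir/hostname.$cdev" vlandev)
        [ -n "$vdev" ] || { echo "$cdev: no vlandev keyword"; return 1; }
        [ -f "$dir/hostname.$vdev" ] || { echo "$vdev: no hostname file"; return 1; }
        # An address on the NIC is allowed (jake runs it that way); just say so.
        if has_inet "$dir/hostname.$vdev"; then
            echo "note: $vdev carries an address, not the IP-less layout asked about"
        fi
        ;;
    esac
    # The translation must hang off the interface whose address fails over.
    on=$(awk '/^binat/ { for (i = 1; i < NF; i++) if ($i == "on") print $(i+1) }' \
        "$dir/pf.conf")
    [ "$on" = "$carp" ] || { echo "pf.conf: binat is on '$on', expected $carp"; return 1; }
    return 0
}

write_configs "$CFG"
check_layering "$CFG" carp10 && echo "layout ok in $CFG"
```

Two caveats when reusing this on a current system: newer OpenBSD releases spell the vlan configuration `vnetid 10 parent pcn0` instead of `vlan 10 vlandev pcn0`, and pf's `binat` became `binat-to` on a `pass`/`match` rule in OpenBSD 4.7. Independently of the syntax, a binat rule does not by itself make the firewall answer ARP for 203.0.113.10: either the upstream router routes the public block to the carp address (Garron's third question) or each public address is added as an alias on the carp interface.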