I've been reading about and want to set up a set of (2) carp/pf/pfsync redundant firewalls, but I haven't seen anything in the docs or on the list similar to what I'm hoping to accomplish, so here goes:

I'm horrible at ASCII art, so I'll try to describe the scenario as best I can:

2 firewalls, each firewall will have 4 interfaces: san0 (wan), fxp0 (backup/redundant/load balancing wan), fxp1 (dmz) and fxp2 (lan). From what I have read in the docs and from questions that other people have asked, I think I have a handle on the lan and dmz interfaces and maybe even the fxp0 wan interface, but I'm wondering about the san0 interfaces. Can they be carped? My idea was to run the cable from the telco into a switch/hub and then carp the san0 interfaces, but I'm not sure if it will work and I don't have a spare T1 to test it.

Here is what I'm hoping to accomplish in order of priority:

1. Redundancy in the firewalls: one goes down, keep the connections to the dmz and internet alive (incoming and outgoing).
2. Uplink redundancy/failover: if the main T1 (provided by the san0 int) goes down, detect that and route out the fxp0 int instead. fxp0 is connected to a frac. T1 via CSU/DSU. I'm not worried about incoming load balancing or routing connections, as I am serving dns with short TTLs (one dns server out each of my uplinks), which has been providing redundancy to my dmz hosts as long as at least one of my links is up.
   a. Ideal but not mandatory to get things going: I'd like to be able to route out both wan interfaces from the lan to increase downloads. The backup is a smaller (256k vs. full T1 on main wan int) connection though, so would I have to set up queuing? I would hate to pull from the backup when I have more than 256k available on the T1.


I hope I have included enough info to get some insight on this; if not, please ask. My biggest concern here is whether or not I can carp the san interfaces and, if not, is there any way to accomplish this scenario without running the T1 into a dedicated router before it goes into the firewall.

Last bit of this: mixed in with all of the things I have been reading I see "route-to" and ifstated mentioned a lot. Would I need to be using ifstated to get the failover working for the two wan interfaces so traffic wouldn't get blackholed? Would I need route-to in my pf.conf to get load balancing working, or...

Thanks in advance.


Aaron

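Added example, not part of the original post or of any reply to it: one way to lay out the carp, pfsync, pf and ifstated pieces the post asks about, using the interface names from the post. Every address, passphrase, the dedicated sync interface fxp3, the file /etc/pf.conf.backup, and the assumption that san0 reports link state to ifstated are hypothetical. The pf.conf uses the "(interface gateway)" route-to pool syntax of the OpenBSD 3.x/4.x era that matches those interface names; newer releases spell the pool differently. The carp2 block keeps the post's own idea of carping the T1 side and states the condition under which that can work: carp exchanges multicast advertisements and owns a virtual MAC address, so it needs a shared Ethernet segment (telco handoff into the switch/hub the post mentions), never a point-to-point serial line.

```conf
# ---- /etc/hostname.carp0 (firewall A): shared LAN gateway on fxp2 ----
# Addresses, passphrases and the fxp3 sync link below are hypothetical.
inet 192.168.1.1 255.255.255.0 192.168.1.255 vhid 1 pass LanPass carpdev fxp2
# firewall B uses the same line plus "advskew 100" so A is master while both are up

# ---- /etc/hostname.carp1: shared DMZ gateway on fxp1 ----
inet 192.168.2.1 255.255.255.0 192.168.2.255 vhid 2 pass DmzPass carpdev fxp1

# ---- /etc/hostname.carp2: shared address on the T1 side ----
# Only workable if san0 faces an Ethernet segment (telco handoff into a switch):
# carp advertises to multicast 224.0.0.18 and answers ARP with a virtual MAC,
# so it needs a shared Ethernet medium, not a point-to-point serial link.
inet 203.0.113.10 255.255.255.248 203.0.113.15 vhid 3 pass WanPass carpdev san0

# ---- /etc/hostname.pfsync0: state sync over a dedicated crossover link ----
# pfsync is unauthenticated; anyone on its segment can inject states, so give
# it a link that carries nothing else and reaches nothing else.
up syncdev fxp3

# ---- /etc/sysctl.conf ----
net.inet.ip.forwarding=1
net.inet.carp.preempt=1   # one failed carp interface demotes every carp group on this host

# ---- /etc/pf.conf: round-robin new LAN connections out both uplinks ----
lan_if="fxp2"
dmz_if="fxp1"
ext_if1="san0"            # full T1
ext_if2="fxp0"            # 256k fractional T1 via CSU/DSU
ext_gw1="203.0.113.9"     # hypothetical telco next hops
ext_gw2="198.51.100.1"
lan_net="192.168.1.0/24"
dmz_net="192.168.2.0/24"
sync_if="fxp3"

# carp and pfsync must pass, or both boxes believe they are master
pass quick on $sync_if proto pfsync
pass on { $lan_if $dmz_if $ext_if1 $ext_if2 } proto carp keep state

nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

block all

# LAN -> DMZ traffic must be matched (quick) before the route-to rule,
# otherwise it is handed to a WAN gateway and never reaches the DMZ
pass in quick on $lan_if from $lan_net to $dmz_net keep state

# each new LAN connection is assigned to the next gateway in the list;
# the choice is per connection and ignores link speed or link state
pass in on $lan_if route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } \
    round-robin from $lan_net to any keep state

pass out on { $ext_if1 $ext_if2 } keep state

# packets sourced from one uplink's own address must leave through that
# uplink, regardless of the default route (last matching rule wins)
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any

# ---- /etc/ifstated.conf: stop handing new connections to a dead T1 ----
# pf's round-robin pool never checks whether san0 is up, so ifstated swaps in
# /etc/pf.conf.backup (hypothetical: same ruleset with only $ext_gw2 in the pool).
t1_up = "san0.link.up"
state both_links {
    init { run "pfctl -f /etc/pf.conf" }
    if ! $t1_up { set-state backup_only }
}
state backup_only {
    init { run "pfctl -f /etc/pf.conf.backup" }
    if $t1_up { set-state both_links }
}
```

Two things to keep in mind when adapting this. The round-robin pool alternates whole connections, so over time about half of the LAN's new sessions land on the 256k link even while the T1 is idle; narrowing the route-to rule to the traffic you actually want spread across both links, and letting everything else follow the default route over the T1, is the simplest way to avoid that without queueing. And with net.inet.carp.preempt set, a box whose T1-side carp interface loses its master status hands every carp group to the peer at once, which is what keeps LAN, DMZ and WAN on the same firewall; pfsync on the dedicated link is what lets the existing states survive that switch.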