alexander lind wrote:
> On Aug 20, 2008, at 12:06 AM, Marco Fretz wrote:
>
>>> Is it possible to have two OpenBSD bridging firewalls work together
>>> with CARP now?
>>
>> What do you mean by "work together"? Only fail-over? load-share?
>
> Fail-over is my primary concern.
>
>>>
>>> Update the ifp of bridge cache entries if the entry is not static.
>>> This makes carp(4) fail-over work over bridge(4).
>>
>> I think this means only that it is possible to use carp over bridges,
>> not for bridges. but maybe I'm wrong. :-)
>
> Ah, that makes sense I suppose since I can't find many references to
> this particular scenario elsewhere!
>
>>> So my question is, am I understanding this right if I say that it is
>>> indeed possible to set up a pair of redundant carped firewalls using
>>> OpenBSD 4.2 or above?
>>
>> Bridges are layer 2, carp is layer 3 (it shares IP addresses). So carp
>> can not handle this by its nature I think. Just place the both bridges
>> in your LAN and you have your fail-over solution. I've never done
>> something with openbsd bridges but as I know it from bridge-utils from
>> linux you can set STP priority and costs to influence spanning tree path
>> selection. Of course your LAN switch should be capable of basic
>> spanning-tree functions as well.
>>
>> after the first bridge goes down, spanning tree takes automatically the
>> next best path by setting the needed switchports to forward (instead of
>> blocking).
>
> This sounds like the best route for us. I will experiment and see if I
> can get it working like this later today.
>
> Thanks for your advice!
You're welcome. Let me know if it's working or not. I've never done it
myself but I'm also interested in bridging firewall clusters...

bests
marco
>
> Alec

