> Another point is how this deals with #Ip1 going down. Should any part of
> pf (in kernel?) monitor (or even probe) the targets and modify the list
> automatically? Or would you want a userland daemon to do that? Or do it
> manually completely?


Well, we are talking about failover and load balancing; however, the fact is
that these 2 features are different and have some parts similar and others
different.

Example #1 Load Balancing without failover:

        Router
          |
        Balancer (PF+ALTQ)
          |
   |---------|
  PF1           PF2
   |             |
   |---------|
          |
         LAN


This solution can permit PF1 and PF2 to filter the traffic with a very heavy
ruleset.
However, at the moment ALTQ will work without knowing the current load of PF1
or PF2; it can simply divide the traffic using our rules. It could be
possible to check PF1 and PF2 load from the Balancer using PFmon or other
tools and automagically modify ALTQ rules. Obviously no software suite is
ready at the moment.



Example #2 Failover without load balancing:

        Router
          |
   |---------|
  PF1-<>--<>-PF2
   |             |
   |---------|
          |
         LAN


This solution is not available at the moment.
It should permit redundancy between PF1 and PF2 and needs a direct link
between the 2 boxes.

So there are various questions about:
- what type of link? USB? RJ-45?
- what is the way the 2 boxes will receive the traffic?
I mean, if they have 1 IP for each interface, how will the router send them
packets?
Will you use a hub instead of a switch?

        Router
          |
   |---HUB---|
  PF1-<>--<>-PF2
   |             |
   |---HUB---|
          |
         LAN


And if they are IPless firewalls, how could we pass the traffic to all of them?
Can we trust a hub and be sure that each box will receive each packet?

Thanks.


        Ed


