Hi,

> I have been given a spec to produce a set of redundant firewalls for three DSL connections. These have to be three pairs of firewalls, two for each connection.

Why six firewalls? Do you think that 3 boxes will die at the same time? CARP can handle 255 addresses per box, so my suggestion is to stay with 3 boxes, and use carp/pfsync to fail over the different DSL lines. Use more NICs instead of boxes if you can't or don't want to have the DSL lines on the same physical segment.

> However, I have done a couple of basic pf firewall configurations, but I do not know anything about pfsync, despite reading Absolute OpenBSD and Building Firewalls with OpenBSD and PF 2nd ed.

http://www.countersiege.com/doc/pfsync-carp/

Mini HOWTO (everything is mentioned on the page above):

In pf.conf: allow pfsync traffic.
In /etc/sysctl.conf: enable carp.
Tell pfsync to use a specific NIC in /etc/hostname.pfsync.
Establish your different carp groups in /etc/hostname.carp[0-255].

I'm using 3 boxes with 19 different carp interfaces failing over for various reasons; I'm not using the carp round-robin stuff.

-Thomas
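The four steps of Thomas's mini HOWTO, written out as an added example (this is not code from the mail or from the countersiege page): a POSIX sh script that stages the config files for one master/backup pair into a directory so they can be reviewed before being copied into /etc on each box, plus a consistency check that the interface pfsync is told to use is the same one the pf.conf pfsync rule is bound to. Interface names (em0, em1, em2), the addresses, vhids and the password are constructed placeholders; net.inet.carp.preempt is an assumption on top of the mail's "enable carp" step, added so that all carp groups on a box fail over together.

```shell
#!/bin/sh
# Added example, not part of the original mail or the countersiege HOWTO.
# Stages the four pieces of a two-node CARP/pfsync pair into a directory that
# mirrors /etc, so the files can be reviewed before being installed.
# Interface names, addresses and the password are constructed placeholders.

EXT_IF=em0      # interface facing the DSL modem (constructed)
INT_IF=em1      # interface facing the LAN (constructed)
SYNC_IF=em2     # dedicated crossover link used only by pfsync (constructed)
CARP_PASS='changeme-carp-pass'   # placeholder; pick a real secret per vhid

# gen_carp_config STAGE ROLE
#   STAGE: directory receiving the generated files (mirrors /etc)
#   ROLE:  master (advskew 0) or backup (advskew 100)
gen_carp_config() {
    stage=$1
    role=$2
    case $role in
        master) skew=0 ;;
        backup) skew=100 ;;
        *) echo "role must be master or backup" >&2; return 1 ;;
    esac
    mkdir -p "$stage"

    # Step 4: one carp group per side.  Both boxes carry the same vhid and
    # shared address; only advskew differs so one node wins the election.
    printf 'inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 carpdev %s pass %s advskew %s\n' \
        "$EXT_IF" "$CARP_PASS" "$skew" > "$stage/hostname.carp0"
    printf 'inet 10.0.0.1 255.255.255.0 10.0.0.255 vhid 2 carpdev %s pass %s advskew %s\n' \
        "$INT_IF" "$CARP_PASS" "$skew" > "$stage/hostname.carp1"

    # Step 3: bind pfsync to the dedicated link.
    printf 'up syncdev %s\n' "$SYNC_IF" > "$stage/hostname.pfsync0"

    # Step 2: enable carp.  preempt (assumption, not in the mail) makes every
    # carp group on a box fail over together when one of them loses its link.
    cat > "$stage/sysctl.conf" <<EOF
net.inet.ip.forwarding=1
net.inet.carp.allow=1
net.inet.carp.preempt=1
EOF

    # Step 1: allow pfsync (and carp) in pf.conf.  State for the pfsync and
    # carp traffic itself is not worth replicating, hence no-sync.
    cat > "$stage/pf.conf" <<EOF
sync_if = "$SYNC_IF"
pass quick on \$sync_if proto pfsync keep state (no-sync)
pass on { $EXT_IF $INT_IF } proto carp keep state (no-sync)
EOF
}

# check_carp_config STAGE
#   The syncdev named in hostname.pfsync0 must be the interface the pf.conf
#   pfsync rule is bound to, and every carp file must carry a vhid and a
#   password.  Returns 0 when consistent, 1 otherwise.
check_carp_config() {
    stage=$1
    syncdev=$(awk '{for(i=1;i<=NF;i++) if($i=="syncdev") print $(i+1)}' "$stage/hostname.pfsync0")
    [ -n "$syncdev" ] || { echo "no syncdev in hostname.pfsync0" >&2; return 1; }
    grep -q "^sync_if = \"$syncdev\"" "$stage/pf.conf" \
        || { echo "pf.conf pfsync rule is not on $syncdev" >&2; return 1; }
    for f in "$stage"/hostname.carp*; do
        grep -q 'vhid [0-9]' "$f" && grep -q 'pass ' "$f" \
            || { echo "$f lacks vhid or pass" >&2; return 1; }
    done
    return 0
}

# carp_advskew STAGE N  -> prints the advskew value from hostname.carpN
carp_advskew() {
    awk '{for(i=1;i<=NF;i++) if($i=="advskew") print $(i+1)}' "$1/hostname.carp$2"
}

# Usage: "sh stage-carp.sh demo" stages both nodes; after review, copy each
# set to /etc on the right box, then run "sh /etc/netstart carp0 carp1 pfsync0"
# and "pfctl -f /etc/pf.conf".
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    gen_carp_config "$d/master" master && gen_carp_config "$d/backup" backup
    check_carp_config "$d/master" && check_carp_config "$d/backup" && echo "staged in $d"
fi
```

The check exists because the most common way to build a pair that silently never syncs is to move pfsync to a dedicated NIC in hostname.pfsync0 and leave the pf.conf pass rule on the old interface; the script refuses that combination before anything reaches /etc.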
