On Thu, Feb 17, 2005 at 02:53:41PM +1300, Russell Fulton wrote:
> Hi Folks,
> We are currently using two pf boxes as perimeter firewalls for our
> campus network. These are configured between two switches and operate
> as bridges in spanning tree mode (with pfsync for state sharing). We
> are considering moving to a situation where each of the firewalls is
> connected to a separate switch in the core and we use carp to load
> balance between the two systems.
> [snip]
> At this point we will move the FW from bridge to L3 devices and use carp
> to do load balancing.
>
> We will probably run the lower model in bridge mode first.
>
> Are there any obvious flaws with this set up? Or anything we should be
> careful of when moving?
I just sort of did this (but it was from SunScreen in L2 mode) to L3 obsd/pf/carp. I'm still waiting around for some hardware to set up the CARP part, but the main things you may run into:

- Routing table changes: the border router needs to know how to see the rest of the network. Routing protocols would help a lot, but I was using static routes, so I had to put in ip route <blah> statements in IOS.
- Time for potential renumbering cutover (i.e. there are now two routers stuck in the place where there used to be one).

That was really the only stuff I ran into. Do remember to add rules for carp traffic and pfsync traffic in your pf.conf.

toodles,
-- adam
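The carp and pfsync rules Adam reminds Russell to add, written out as an added example that is not part of either message. Interface names, the sync-link addressing and the campus prefix are assumptions chosen for illustration.

```pf
# Added example (not from the thread): pf.conf fragment for two L3 pf
# firewalls that share a gateway address via CARP and replicate state
# over pfsync. Interface names and the campus prefix are assumptions.

ext_if  = "em0"        # toward the border router
int_if  = "em1"        # toward the campus core switch
sync_if = "em2"        # dedicated back-to-back link between the two firewalls
campus  = "10.0.0.0/16"

set skip on lo0
block log all
antispoof quick for { $ext_if, $int_if }

# pfsync (IP protocol 240) carries every state insert and update in clear
# text and is sent to a multicast group by default, so it belongs only on
# the private sync link, never on a production LAN. no-sync keeps this
# rule's own states from being replicated back over the same link.
pass quick on $sync_if proto pfsync keep state (no-sync)

# CARP advertisements (IP protocol 112) are multicast on the physical
# interfaces that back the carp interfaces. If either firewall cannot see
# its peer's advertisements, both become MASTER and the shared address is
# announced twice, which is the first thing to check after a cutover.
pass quick on { $ext_if, $int_if } proto carp keep state (no-sync)

# Production traffic keeps state as usual; these are the states pfsync
# replicates, so established flows survive a failover to the peer.
pass in  on $ext_if inet proto tcp to $campus port { 25, 80, 443 } keep state
pass out on $ext_if inet from $campus keep state
pass in  on $int_if inet from $campus keep state
pass out on $int_if inet to $campus keep state
```

After loading, `pfctl -s states` on the backup should mirror the master's table, and `ifconfig carp0` on each box should show exactly one MASTER and one BACKUP.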
