On 12 May 2013, at 16:25, Jason Pyeron jpye...@pdinc.us wrote:
Are the instructions in #4 the best way to do this, and are there updates (since 2006) I should be aware of when following those instructions?
I run a couple of these configurations for clients.
Things I read first:
1: http://www.openbsd.org/cgi-bin/man.cgi?query=pfsync&sektion=4&manpath=OpenBSD+5.3
2: http://www.openbsd.org/faq/pf/carp.html#pfsyncop
3 looks like what I have although there wasn't this much info around when I set
these systems up.
3: http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)
Main thing is that everything is less predictable, test every rule every which
way before deploying. I stick to floating rules and tie the rules to interfaces
rather than using the WAN, LAN etc rule sets, sometimes the bridge has a
different idea of which interface you mean.
The chapter in the PfSense book is very helpful too.
4: http://www.seattlecentral.edu/~dmartin/docs/bridge.html
Yes, be very very sure about your STP (RSTP) and where your root is and who
controls it.
I haven't tried the devd bridge tweak that Chris refers to but I suspect it
would make life a lot easier.
I've never managed to get DHCP to behave correctly on any bridged interfaces,
hopefully you don't need it? I haven't gone to 2.0.3 yet as dhcpd runs crazy in
this configuration on 2.0.3, I need it on a natted interface. BTW don't mix
bridging and natting on the same firewall that's really problematic.
Lastly pester, pester, pester your ISP into giving you a router connect subnet
/29 etc. so you don't have to bridge! I'm hoping to achieve this later this
year after 3 years of nannying a redundant bridge firewall on a site with
gigabit traffic and I'll be very relieved when it finally happens.
Andre
-Jason
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-                                                               -
- Jason Pyeron                  PD Inc. http://www.pdinc.us     -
- Principal Consultant          10 West 24th Street #100        -
- +1 (443) 269-1555 x333        Baltimore, Maryland 21218       -
-                                                               -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.
___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
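Andre's warning above about being sure where your STP root is and who controls it is the kind of thing worth checking from a script rather than by eye. The following is an added example, not code from the thread, from pfSense or from FreeBSD: a small POSIX sh check that parses `ifconfig bridge0` output and reports whether this firewall is the (R)STP root and which role and state each member port is in. Both sample outputs are constructed for the example, and the field layout they follow ("id", "root id", "member:", "role", "state") is an assumption about if_bridge(4)'s ifconfig format that should be verified against the running system before relying on the parser.

```shell
#!/bin/sh
# Added example (not from the original thread, pfSense or FreeBSD):
# report STP root ownership and member port roles from `ifconfig bridgeN`
# output. The two samples below are constructed; the line layout is an
# assumption about if_bridge(4) output and must be checked on a live box.

# Constructed: a bridge that currently holds the STP root role itself.
SAMPLE_ROOT='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:11:22:33:44:55
        id 00:0c:29:aa:bb:01 priority 4096 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:0c:29:aa:bb:01 priority 4096 ifcost 0 port 0
        member: em1 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20000 proto rstp
                role designated state forwarding
        member: em0 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000 proto rstp
                role designated state forwarding'

# Constructed: the same bridge after an upstream switch with a lower
# (better) priority took over as root; em0 has become the root port.
SAMPLE_NOT_ROOT='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:11:22:33:44:55
        id 00:0c:29:aa:bb:01 priority 4096 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:1b:2c:00:00:10 priority 0 ifcost 20000 port 1
        member: em1 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20000 proto rstp
                role designated state forwarding
        member: em0 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000 proto rstp
                role root state forwarding'

# bridge_id OUTPUT: this bridge's own STP identifier (the "id" line).
bridge_id() {
    printf '%s\n' "$1" | awk '$1 == "id" { print $2; exit }'
}

# root_id OUTPUT: identifier of whichever bridge currently claims root.
root_id() {
    printf '%s\n' "$1" | awk '$1 == "root" && $2 == "id" { print $3; exit }'
}

# is_stp_root OUTPUT: prints "yes" when bridge id and root id match, else "no".
is_stp_root() {
    if [ "$(bridge_id "$1")" = "$(root_id "$1")" ]; then
        echo yes
    else
        echo no
    fi
}

# member_roles OUTPUT: one "ifname role state" line per member port.
# The member name comes from the "member:" line; role and state from the
# continuation line that carries the "role"/"state" tokens.
member_roles() {
    printf '%s\n' "$1" | awk '
        $1 == "member:" { name = $2 }
        /role/ {
            role = ""; state = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "role")  role  = $(i + 1)
                if ($i == "state") state = $(i + 1)
            }
            print name, role, state
        }'
}

# stp_check OUTPUT: returns 0 when this bridge is the root; otherwise prints
# a warning naming the foreign root and the member that became the root
# port, and returns 1 so it can drive a cron/monitoring alert.
stp_check() {
    if [ "$(is_stp_root "$1")" = yes ]; then
        echo "OK: this bridge is the STP root ($(bridge_id "$1"))"
        return 0
    fi
    echo "WARNING: STP root is $(root_id "$1"), not us ($(bridge_id "$1"))"
    member_roles "$1" | awk '$2 == "root" { print "  root port: " $1 }'
    return 1
}

# On a live pfSense/FreeBSD system (not run here): stp_check "$(ifconfig bridge0)"
stp_check "$SAMPLE_ROOT"
stp_check "$SAMPLE_NOT_ROOT" || true
```

Run against the real box with `stp_check "$(ifconfig bridge0)"` from cron on both CARP nodes; a non-zero exit on the node that should be root means something else on the segment is winning the election, which is exactly the situation the advice above says to rule out before trusting the redundant bridge.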