Re: [pfSense] Best configuration for redundant transparent firewall operation?

2013-05-14 Thread Andre Newman

On 12 May 2013, at 16:25, Jason Pyeron jpye...@pdinc.us wrote:

> Are the instructions in #4 the best way to do this, and are there updates (since
> 2006) I should be aware of when following those instructions?

I run a couple of these configurations for clients.

>
> Things I read first:
> 1: http://www.openbsd.org/cgi-bin/man.cgi?query=pfsync&sektion=4&manpath=OpenBSD+5.3
> 2: http://www.openbsd.org/faq/pf/carp.html#pfsyncop


3 looks like what I have although there wasn't this much info around when I set 
these systems up.

> 3: http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)

Main thing is that everything is less predictable; test every rule every which 
way before deploying. I stick to floating rules and tie the rules to interfaces 
rather than using the WAN, LAN etc. rule sets, since sometimes the bridge has a 
different idea of which interface you mean.

The chapter in the PfSense book is very helpful too.


> 4: http://www.seattlecentral.edu/~dmartin/docs/bridge.html

Yes, be very, very sure about your STP (RSTP), where your root is and who 
controls it.

I haven't tried the devd bridge tweak that Chris refers to but I suspect it 
would make life a lot easier.

I've never managed to get DHCP to behave correctly on any bridged interfaces; 
hopefully you don't need it? I haven't gone to 2.0.3 yet, as dhcpd runs crazy in 
this configuration on 2.0.3 and I need it on a natted interface. BTW, don't mix 
bridging and natting on the same firewall; that's really problematic.

Lastly, pester, pester, pester your ISP into giving you a router connect subnet 
(/29 etc.) so you don't have to bridge! I'm hoping to achieve this later this 
year after 3 years of nannying a redundant bridge firewall on a site with 
gigabit traffic, and I'll be very relieved when it finally happens.

Andre


___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list


Re: [pfSense] Best configuration for redundant transparent firewall operation?

2013-05-13 Thread Chris Buechler
On Sun, May 12, 2013 at 10:25 AM, Jason Pyeron jpye...@pdinc.us wrote:
> Are the instructions in #4 the best way to do this, and are there updates (since
> 2006) I should be aware of when following those instructions?


Should be more or less like that minus all the specific ifconfig xyz
commands. I'd advise not doing that at all though; anything needing a
redundant firewall is usually best redesigned so you're routing
instead. Good chance you'll want things like VPNs that aren't possible
or have major complications when bridging anyway. It can be done, it just
requires significant caution and very careful attention to the STP
config all around. Also might want to tie the bridge down/up into devd,
assuming you'll have at least one CARP IP somewhere.
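Chris's suggestion to tie the bridge down/up to CARP transitions through devd, as an added example that is not Chris's, pfSense's or FreeBSD's own code: a devd rule (shown in the header comment) hands the CARP interface and its new state to a small hook script, which keeps the bridge on the BACKUP node down and raises it only while the node is MASTER, so the two transparent firewalls never forward the same segment at the same time. The bridge name bridge0, the script path, the `carp[0-9]+` subsystem pattern (the FreeBSD 8-era event format; newer releases report `vhid@ifname`) and the decision to leave the standby bridge down are all assumptions for illustration.

```shell
#!/bin/sh
# Added example, not pfSense's or FreeBSD's own code. Brings the bridge up
# when this node becomes CARP MASTER and takes it down on BACKUP, so only
# the active node forwards frames. All paths and names are assumptions.
#
# Assumed devd rule, e.g. in /usr/local/etc/devd/carp-bridge.conf:
#
#   notify 100 {
#       match "system"    "CARP";
#       match "subsystem" "carp[0-9]+";       # "vhid@ifname" on newer FreeBSD
#       match "type"      "(MASTER|BACKUP)";
#       action "/usr/local/sbin/carp-bridge.sh $subsystem $type";
#   };
#
# Usage: carp-bridge.sh <carp-interface> <MASTER|BACKUP>

set -u

BRIDGE_IF="${BRIDGE_IF:-bridge0}"        # assumed bridge interface name
IFCONFIG="${IFCONFIG:-/sbin/ifconfig}"
DRY_RUN="${DRY_RUN:-0}"                  # 1 = print the command instead of running it

# Translate a CARP state into the ifconfig verb the bridge should receive.
# Prints "up" or "down"; returns 1 for states the hook deliberately ignores
# (e.g. INIT), so a flapping or half-configured vhid never touches the bridge.
state_to_bridge_verb() {
  case "$1" in
    MASTER) echo up ;;
    BACKUP) echo down ;;
    *) return 1 ;;
  esac
}

# Build the exact command line first so it can be logged and checked before
# anything is executed.
bridge_command() {
  verb=$(state_to_bridge_verb "$1") || return 1
  echo "$IFCONFIG $BRIDGE_IF $verb"
}

# Apply one transition. Unknown states are logged and left alone.
apply_transition() {
  carp_if="$1"
  state="$2"
  if ! cmd=$(bridge_command "$state"); then
    logger -t carp-bridge "ignoring $carp_if state $state"
    return 0
  fi
  logger -t carp-bridge "$carp_if -> $state: $cmd"
  if [ "$DRY_RUN" = 1 ]; then
    echo "$cmd"
  else
    $cmd
  fi
}

# devd passes exactly two arguments; when sourced for testing there are none.
if [ $# -eq 2 ]; then
  apply_transition "$1" "$2"
fi
```

Two things to check before relying on a hook like this: the pfsync and CARP heartbeat traffic must run on a dedicated interface that is not a member of the bridge, otherwise taking the bridge down on the standby node also cuts the path it uses to learn that it should become MASTER; and because the standby node now forwards nothing, a mis-set STP root cannot be papered over by the second path, so the RSTP configuration Chris mentions still has to be right on its own.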


[pfSense] Best configuration for redundant transparent firewall operation?

2013-05-12 Thread Jason Pyeron
Are the instructions in #4 the best way to do this, and are there updates (since
2006) I should be aware of when following those instructions?

Things I read first:
1: http://www.openbsd.org/cgi-bin/man.cgi?query=pfsync&sektion=4&manpath=OpenBSD+5.3
2: http://www.openbsd.org/faq/pf/carp.html#pfsyncop
3: http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP)
4: http://www.seattlecentral.edu/~dmartin/docs/bridge.html

-Jason 

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-   -
- Jason Pyeron  PD Inc. http://www.pdinc.us -
- Principal Consultant  10 West 24th Street #100-
- +1 (443) 269-1555 x333Baltimore, Maryland 21218   -
-   -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.

