jamona perez wrote:
Thanks for the tip. I'm not too sure about this STP stuff, because I always think twice before doing that kind of stuff; I've had my share of network loops not always being well handled by switch hardware. On the other hand, I've read on m0n0wall's forum that it is feasible.
So if it's the way to go, I'll go.
Last (I don't want to start a flame war, please), as all I want to do is a transparent FW, maybe I should go for m0n0wall instead of pfSense. The drawback of m0n0wall is that it won't support SMP, thus making me stick to a single Celeron 3.33 GHz, and running FreeBSD 4.2 (will the double-port Intel PCIe card be supported?).

The Intel NIC should be easily supported, though others may know if there have been lockups or other nasties with the old FreeBSD version.

There is a benefit with m0n0wall, in that it's quite a bit faster.

The major downside is that you can't synchronise rules across the two firewalls, as you could by using pfsync with pfSense (note, I don't mean using CARP, just rule synchronisation!)

If you do try it, let me know how it works, because I may be interested in doing it too!

regards,
adam.
regards


------------------------------------------------------------------------

> Date: Fri, 10 Aug 2007 23:49:13 +0100
> From: [EMAIL PROTECTED]
> To: [email protected]
> Subject: Re: [pfSense Support] performance on a PE860
>
> jamona perez wrote:
> > Okay, I did not realize that; this is really helpful info. Thinking
> > about it for 2 minutes I just realized that in bridge mode, the WAN
> > does not "really" have an IP address, does it? So CARP has no IP
> > failover to do whatsoever.
> > Please correct me if I'm wrong.
> > So if the best I can do is having a "spare" box standing by to get
> > fired up if the other goes down, it's what I'm going to do. But if you
> > can think of any mechanism (similar to Linux heartbeat) that can sit
> > here waiting for the other side to fail, then take the appropriate
> > measure (read "configurable", like starting the proper services) to
> > ensure high availability of such a system, I'll be more than glad to
> > hear about it.
> >
> If pfSense will allow you to pass STP frames across it, you could just
> put two pfSense boxes in parallel like so
>
>          EXTERNAL SWITCH
>        FA0/1          FA0/2
>          |              |
>          |              |
>         FW1----SYNC----FW2
>          |              |
>          |              |
>        FA0/1          FA0/2
>          INTERNAL SWITCH
>
>
>
> Assuming that STP will pass the packets, you should have no issues in
> this configuration. STP will put the ports of FA0/2 into blocking mode,
> and no traffic will pass unless traffic stops flowing across FA0/1 (yes,
> I have just realised that you were probably meaning gig interfaces, but
> I did the diagram already :P)
>
> Someone else here will probably better know whether or not you can pass
> STP across pfSense correctly...
>
> You might also want to use two more interfaces for management? (Don't
> give the firewalls IPs on the bridge, so that FW2 is still accessible
> when the links are blocking!)
>
> adam.
>
>
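An added example, not from this thread or from the pfSense project: before trusting the parallel-firewall design above, confirm on each box that every bridge member actually participates in STP and see which path STP has put into discarding state. It parses the `ifconfig bridge0` member output in the FreeBSD if_bridge format (an assumption; the sample output below is constructed, with invented interface names and MAC addresses).

```python
import re

# Constructed sample of `ifconfig bridge0` on a transparent firewall whose bridge
# runs RSTP. em0/em1 are the bridge path; em2 is a member someone forgot to
# enable STP on (no STP flag), which is the kind of thing this check catches.
SAMPLE = """\
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:00:00:00:00:01
        id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:11:22:33:44:55 priority 32768 ifcost 20000 port 1
        member: em0 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000 proto rstp
                role root state forwarding
        member: em1 flags=143<LEARNING,DISCOVER,STP,AUTOEDGE>
                ifmaxaddr 0 port 2 priority 128 path cost 20000 proto rstp
                role alternate state discarding
        member: em2 flags=143<LEARNING,DISCOVER,AUTOEDGE>
                ifmaxaddr 0 port 3 priority 128 path cost 20000 proto rstp
                role designated state forwarding
"""

# One member block: name, flag list, then (non-greedy) its role/state line.
MEMBER_RE = re.compile(
    r"member: (?P<name>\S+) flags=\w+<(?P<flags>[^>]*)>"
    r".*?role (?P<role>\w+) state (?P<state>\w+)",
    re.S,
)


def parse_members(text):
    """Return {ifname: {'stp': bool, 'role': str, 'state': str}} per bridge member."""
    members = {}
    for m in MEMBER_RE.finditer(text):
        members[m.group("name")] = {
            "stp": "STP" in m.group("flags").split(","),
            "role": m.group("role"),
            "state": m.group("state"),
        }
    return members


def forwarding_members(members):
    """Members currently passing traffic; on the standby box you expect one of
    the two paths (here em1) to be discarding, not both forwarding."""
    return sorted(n for n, i in members.items() if i["state"] == "forwarding")


def audit(members):
    """Findings to act on: a member without STP can close a loop through the
    parallel firewall that the switches' STP never sees."""
    return [f"{n}: STP not enabled on bridge member"
            for n, i in sorted(members.items()) if not i["stp"]]
```

On a real box, feed it the output of `ifconfig bridge0` instead of `SAMPLE`, and run it over the management interface rather than a bridge-side address, for the reason given in the thread.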



