I'll have 2 firewalls, and 2 UPSs, one for each firewall.
As suggested before, cross the power supply cords between the 2 UPSs. If you have the option of 2 power feeds in your DC then put each UPS on one specific feed.
Alternatively there are great breaker strips that take 2 feeds and can put them into one plug so that you can still have both UPS systems powered on if the A or B feed fails. These are about 150 euro or so.
Each firewall will have: 1. a hot swap RAID array (only two HDs set to RAID 1, mirroring). 2. two hot swap power supplies.
Makes perfect sense, that's what I have.
Now for the networking... I'll have two DSL modems. I'm going to guess that I should have two switches, one per modem. 2 connections coming from each switch, one per firewall.
One switch with VLANs works, but if you can get 2 separate ones that works too. I haven't had HP ProCurve switches die on me for years. In fact, there is still a 2424M out there servicing after 10 years.
I'll need two IP addresses assigned to each firewall from my providers (total of 4 IP addresses from providers).
These will be the CARP IP addresses so that firewall failover works. You will want to add more for splitting services perhaps. You might want to terminate LAN -> internet traffic on a separate CARP IP to prevent NAT overloading.
You will need 1 extra IP address per WAN connection for each part of the firewall that participates in the CARP. If you have a /29 assigned by the ISP per DSL modem you are safe.
Then I'll need a connection between each firewall for the pfsync. That is a total of 3 ethernet ports per firewall (2 wan, 1 pfsync) just for the redundancy; not including LANs.
That is correct.
Can the pfsync connection be a simple cross-over cable, to get away from needing another switch?
Yes, some ports have cable length issues but 1 meter is safe.
I know CARP is in the equation, I'll get to that after I understand how I'm gonna hook this stuff up physically.
See the book, it's recommended. No. Really.

Regards,
Seth
