On 10/08/2010 03:21 PM, Seth Mos wrote:
I'll have 2 firewalls, and 2 UPS's one for each firewall.
As suggested before, cross the power supply cords between the 2 UPSes.
If you have the option of 2 power feeds in your DC then put each UPS on
one specific.
Alternatively there are great breaker strips that take 2 feeds and can
put it into one plug so that you can still have both UPS systems powered
on if the A or B feed fails. These are about 150 euro or so.
Each firewall will have:
1. a hot swap raid array (only two HD's set to RAID 1, mirroring).
2. two hot swap power supplies.
Makes perfect sense, that's what I have.
Now for the networking...
I'll have two dsl modems. I'm going to guess that I should have two
switches, one per modem. 2 connections coming from each switch, one per
firewall.
One switch with VLANs works, but if you can get 2 separate ones that
works too. I haven't had HP ProCurve switches die on me for years. In
fact, there is still a 2424M out there servicing after 10 years.
I'll need two IP addresses assigned to each firewall from my providers
(total of 4 ip addresses from providers).
These will be the CARP IP addresses so that firewall failover works. You
will want to add more for splitting services perhaps. You might want to
terminate LAN -> internet traffic on a separate CARP IP to prevent NAT
overloading.
You will need 1 extra IP address per WAN connection for each part of the
firewall that participates in the CARP. If you have a /29 assigned by
the ISP per DSL modem you are safe.
Then I'll need a connection between each firewall for the pfsync.
That is a total of 3 ethernet ports per firewall (2 wan, 1 pfsync) just
for the redundancy; not including LANs.
That is correct.
Can the pfsync connection be a simple cross-over cable, to get away from
needing another switch?
Yes, some ports have cable length issues but 1 meter is safe.
I know CARP is in the equation, I'll get to that after I understand how
I'm gonna hook this stuff up physically.
See the book, it's recommended. No. Really.
Regards,
Seth
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
Commercial support available - https://portal.pfsense.org
Seth,
Thanks for the line-by-line response on every question.
Reading the book now :)
Thanks to everyone for their responses, I'll probably ask more questions
when I get done with the book.
-Andy
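The per-WAN address count discussed in the thread (one address per firewall participating in CARP, plus the shared CARP addresses), worked through as an added example that is not code from the thread or from pfSense. The subnets are constructed documentation ranges, `plan_wan` is a hypothetical helper, and the ISP gateway taking the first usable address is an assumption.

```python
import ipaddress


def plan_wan(subnet, nodes=2, carp_vips=1):
    """Allocate gateway, per-firewall and CARP addresses from one WAN subnet.

    Assumption: the ISP gateway uses the first usable address in the subnet.
    Raises ValueError when the subnet cannot hold every required address.
    """
    net = ipaddress.ip_network(subnet)
    hosts = list(net.hosts())            # excludes network/broadcast addresses
    needed = 1 + nodes + carp_vips       # gateway + real IP per node + VIPs
    if len(hosts) < needed:
        raise ValueError(
            f"{net} has {len(hosts)} usable addresses, {needed} required"
        )
    it = iter(hosts)
    plan = {
        "gateway": next(it),
        "nodes": [next(it) for _ in range(nodes)],          # one per firewall
        "carp_vips": [next(it) for _ in range(carp_vips)],  # shared failover IPs
    }
    plan["spare"] = list(it)             # left over for extra service VIPs
    return plan


if __name__ == "__main__":
    # Constructed sample subnets (RFC 5737 documentation ranges), one per DSL modem.
    for wan in ("198.51.100.0/29", "203.0.113.8/29", "192.0.2.0/30"):
        try:
            p = plan_wan(wan)
        except ValueError as exc:
            print(f"{wan}: too small ({exc})")
            continue
        print(f"{wan}: gateway={p['gateway']} "
              f"nodes={[str(a) for a in p['nodes']]} "
              f"carp={[str(a) for a in p['carp_vips']]} "
              f"spare={len(p['spare'])}")
```

A /29 leaves two spare addresses after the gateway, both firewalls and one CARP address, which is room for the additional service-specific CARP addresses mentioned above; a /30 fails the check.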