On Mon, Oct 11, 2010 at 9:44 AM, Andy Graybeal
<[email protected]> wrote:
> On 10/08/2010 03:21 PM, Seth Mos wrote:
>>
>>> I'll have 2 firewalls, and 2 UPS's one for each firewall.
>>
>> As suggested before, cross the power supply cords between the 2 ups's.
>> If you have the option of 2 power feeds in your DC then put each UPS on
>> one specific.
>>
>> Alternatively there are great breaker strips that take 2 feeds and can
>> put it into one plug so that you can still have both ups systems powered
>> on if the A or B feed fails. These are about 150 euro or so.
>>
>>> Each firewall will have:
>>> 1. a hot swap raid array (only two HD's set to RAID 1, mirroring).
>>> 2. two hot swap power supplies.
>>
>> Makes perfect sense, that's what I have.
>>
>>> Now for the networking...
>>> I'll have two dsl modems. I'm going to guess that I should have two
>>> switches, one per modem. 2 connections coming from each switch, one per
>>> firewall.
>>
>> One switch with vlans works, but if you can get 2 separate ones that
>> works too. I haven't had HP Procurve switches die on me for years. In
>> fact, there is still a 2424M out there servicing after 10 years.
>>
>>> I'll need two IP addresses assigned to each firewall from my providers
>>> (total of 4 ip addresses from providers).
>>
>> These will be the CARP IP addresses so that firewall failover works. You
>> will want to add more for splitting services perhaps. You might want to
>> terminate lan -> internet traffic on a separate carp ip to prevent nat
>> overloading.
>>
>> You will need 1 extra IP address per WAN connection for each part of the
>> firewall that participates in the CARP. If you have a /29 assigned by
>> the ISP per DSL modem you are safe.
>>
>>> Then I'll need a connection between each firewall for the pfsync.
>>> That is a total of 3 ethernet ports per firewall (2 wan, 1 pfsync) just
>>> for the redundancy; not including LANs.
>>
>> That is correct.
>>
>>> Can the pfsync connection be a simple cross-over cable, to get away from
>>> needing another switch?
>>
>> Yes, some ports have cable length issues but 1 meter is safe.
>>
>>> I know CARP is in the equation, I'll get to that after I understand how
>>> I'm gonna hook this stuff up physically.
>>
>> See the book, it's recommended. No. Really.
>>
>> Regards,
>>
>> Seth
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: [email protected]
>> For additional commands, e-mail: [email protected]
>>
>> Commercial support available - https://portal.pfsense.org
>>
>>
> Seth,
> Thanks for the line-by-line response on every question.
>
> Reading the book now :)
>
> Thanks to everyone for their responses, I'll probably ask more questions when
> I get done with the book.
>
> -Andy
>

One thing that jumps out at me is the two ADSL links.  Sounds like you
are making a pretty good effort to "keep the lights on" with some good
choices.  If we were to do dual DSL lines in our area, the copper is
really the same provider for the last mile.  A different provider type
may give you better reliability over what you can't totally control.
In our case we could go to a cable company and get a business DSL
line, the phone company and get fiber, fiber from a totally
independent provider (or two), or even cell/microwave tower backup.
All depends on what is available in your area and as others stated,
the true need of uptime vs. cost.

Also, along the lines of different UPS providers, what about different
hardware manufacturers for the boxes or just the hard drives?

Andrew
