
configuring multiple firewalls
Hi Folks,
We are currently using two pf boxes as perimeter firewalls for our
campus network.  These are configured between two switches and operate
as bridges in spanning tree mode (with pfsync for state sharing).  We
are considering moving to a situation where each of the firewalls is
connected to a separate switch in the core and we use carp to load
balance between the two systems.
Here is some (crude) ASCII art representing the two setups:
(note: the lines between the FWs represent the pfsync link.)
campus network
)
 )
  )
-----
| S |-----
   )
   )                                 ------
   )                           /-----| FW |------\
-----                  ----- /       ------        \ -----
| S |------------------| S  |           |           | R | ------  outside
-----                  ------\       ------       / -----
   )                           \-----| FW |------/
  )                                  ------
)
we want to move to:
)
 )
  )
-----              ------
| S |--------------| FW |-----
-----              ------     \
   )                  |         \ -----------------
   )                  |          \|                |
   )                  |          /| border router  |--------
-----              ------      / ------------------
| S |--------------| FW |-----/
-----              ------
   )  
  )   
)
At this point we will move the FWs from bridges to L3 devices and use carp
to do load balancing.
We will probably run the lower model in bridge mode first.
Are there any obvious flaws with this setup, or anything we should be
careful of when moving?
Cheers, Russell.

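As an added example (not from Russell's post, and not configuration from any project), the following shows what the second topology could look like on OpenBSD once the firewalls are routed (L3) CARP peers sharing state over pfsync: CARP in `balancing ip` mode on both the campus-facing and router-facing interfaces, a dedicated pfsync link, and the pf rules that let the CARP and pfsync traffic through. Interface names (em0, em1, em2), the addresses (taken from the RFC 5737 documentation ranges) and the passphrases are constructed placeholders that would be replaced with the site's own values.

```conf
# ---------------------------------------------------------------
# Firewall A (constructed example; addresses/names are placeholders)
# ---------------------------------------------------------------

# /etc/hostname.carp0 -- campus-facing side, carpdev em0 goes to core switch 1.
# "balancing ip" lets both firewalls answer for the same address; carpnodes is a
# list of vhid:advskew pairs, so node (vhid) 1 is preferred on this box and
# node 2 is preferred on the peer.
inet 192.0.2.1 255.255.255.0 192.0.2.255 balancing ip carpnodes 1:0,2:100 carpdev em0 pass inside-passphrase-PLACEHOLDER

# /etc/hostname.carp1 -- border-router side, carpdev em1.
# Different vhids from carp0: vhids are per broadcast domain and must not collide.
inet 198.51.100.1 255.255.255.0 198.51.100.255 balancing ip carpnodes 3:0,4:100 carpdev em1 pass outside-passphrase-PLACEHOLDER

# /etc/hostname.pfsync0 -- state replication over the crossover link (em2).
# pfsync is neither authenticated nor encrypted, so keep it on a link that
# only the two firewalls can reach.
up syncdev em2

# ---------------------------------------------------------------
# Firewall B: identical files, with the advskew values swapped so each
# box is master for the other half of the nodes:
#   hostname.carp0: ... carpnodes 1:100,2:0 carpdev em0 pass inside-passphrase-PLACEHOLDER
#   hostname.carp1: ... carpnodes 3:100,4:0 carpdev em1 pass outside-passphrase-PLACEHOLDER
#   hostname.pfsync0: up syncdev em2
# ---------------------------------------------------------------

# /etc/pf.conf (same on both firewalls; pfsync keeps the state tables aligned)
int_if  = "em0"
ext_if  = "em1"
sync_if = "em2"

set skip on lo

# Let the firewalls talk CARP to each other on the carpdev interfaces.
pass quick on { $int_if $ext_if } proto carp

# pfsync only on the dedicated link; (no-sync) so these states are not
# themselves pushed to the peer.
pass quick on $sync_if proto pfsync keep state (no-sync)

# Everything else follows the normal policy; states created here are
# replicated, so a flow can fail over or be balanced to the other box.
block log all
pass out on $ext_if from 192.0.2.0/24 to any keep state
```

Two things to check before cutting over. CARP peers have to share a broadcast domain on each interface they balance, so with one firewall per core switch the two switches still need an L2 path between them for the campus-facing network (and likewise on the router side); if that path goes away, both boxes become master and the shared address is claimed twice. `balancing ip` answers ARP with a multicast MAC, which some switches will not forward without extra configuration; OpenBSD's carp(4) also offers `ip-stealth` and `ip-unicast` balancing modes for switches that cannot cope, so it is worth confirming which mode the core switches handle before relying on it in production.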