Re: configuring multiple firewalls

On Thu, Feb 17, 2005 at 02:53:41PM +1300, Russell Fulton wrote:
> Hi Folks,
> We are currently using two pf boxes as perimeter firewalls for our
> campus network.  These are configured between two switches and operate
> as bridges in spanning tree mode (with pfsync for state sharing).  We
> are considering moving to a situation where each of the firewalls is
> connected to a separate switch in the core and we use carp to load
> balance between the two systems.
> At this point we will move the FW from bridge to L3 devices and use carp
> to do load balancing.
> We will probably run the lower model in bridge mode first.
> Are there any obvious flaws with this setup, or anything we should be
> careful of when moving?
I just sort of did this (but it was from SunScreen in L2 mode) to L3
obsd/pf/carp.  I'm still waiting around for some hardware to set up the
CARP part, but the main things you may run into:
- Routing table changes: the border router needs to know how to see the
rest of the network.  Routing protocols would help a lot, but I was
using static routes.  So I had to put in ip route <blah> statements in
- time for potential renumbering cutover (i.e. there are now two routers
stuck in the place where there used to be one)
That was really the only stuff I ran into.  Do remember to add rules for
carp traffic and pfsync traffic in your pf.conf.
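Since the last point in the reply is the one most likely to bite during the cutover, here is an added pf.conf fragment (not from either poster) showing the carp and pfsync rules for a routed firewall pair; the interface names and the dedicated sync link are assumptions.

```pf
# Added example, not from the thread.  Interface names are assumptions:
ext_if  = "em0"      # outside segment, shared via carp vhid 1
int_if  = "em1"      # inside segment, shared via carp vhid 2
sync_if = "em2"      # dedicated crossover link between the two firewalls

# pfsync (IP protocol 240) carries state-table updates unauthenticated and
# in the clear; confine it to the private sync link so a state update is
# never accepted from a production segment.
pass quick on $sync_if proto pfsync
block quick on { $ext_if, $int_if } proto pfsync

# CARP advertisements (IP protocol 112) must reach the peer on every shared
# segment; if they are filtered, each box believes it is master and both
# answer for the virtual address.
pass quick on { $ext_if, $int_if } proto carp keep state

# ... remaining filter rules as before.  After the move from bridge to L3,
# write them against the physical interfaces ($ext_if/$int_if); the carp
# interfaces only hold the shared addresses.
```

Load with `pfctl -nf /etc/pf.conf` first to catch syntax errors, then confirm with `pfctl -s rules` that the pfsync and carp rules appear before any catch-all block.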