Kevin wrote:
>
>> -----Original Message-----
>> From: Kevin [mailto:k...@kevinkevin.com]
>> I have what I would consider not a standard firewall scenario that
>> requires a second, redundant PF firewall. My first / main firewall is
>> pf + transparent bridging with no internal network / ip addresses.
>
>
> I realize that carp would require an ip address on both interfaces to work
> properly... this is correct, right? Could I just assign the 1 ip address /
> gateway on the bridge0 interface and add a carp interface to fail that over
> to the 2nd firewall?

This would be easier to do with spanning tree:

          [router]
              |
     [------switch 1------]
        |              |
     [FW1]--{pfsync}--[FW2]
        |              |
     [------switch 2------]
              |
          [clients]

Then you can leave carp out of the equation and your network would be the
same as before.

FW1 /etc/rc.conf:

    cloned_interfaces="bridge0"
    ifconfig_em0="up -tso"
    ifconfig_em1="up -tso"
    ifconfig_em2="inet 192.168.255.1/30"
    ifconfig_bridge0="up addm em0 stp em0 addm em1 stp em1"
    pfsync_enable="YES"
    pfsync_syncdev="em2"
    pfsync_ifconfig="syncpeer 192.168.255.2"

FW2 /etc/rc.conf:

    cloned_interfaces="bridge0"
    ifconfig_em0="up -tso"
    ifconfig_em1="up -tso"
    ifconfig_em2="inet 192.168.255.2/30"
    ifconfig_bridge0="up addm em0 stp em0 addm em1 stp em1"
    pfsync_enable="YES"
    pfsync_syncdev="em2"
    pfsync_ifconfig="syncpeer 192.168.255.1"

Make sure that the spanning tree priority on either switch side is higher
(smaller number) than the bridges so that they will remain the root bridges.
Tom
-- 
TJU13-ARIN
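The last point in Tom's reply (the switches, not the pf bridges, must win the spanning-tree root election) is the one that is easy to get wrong silently: FreeBSD's bridge(4) defaults to STP priority 32768, the same default most switches ship with, so the root ends up decided by lowest MAC address and one of the firewalls can become root. The script below is an added example, not code from the original post; it parses the output of `ifconfig bridge0` in the format bridge(4) prints and fails unless every member port has STP enabled, the bridge's own id differs from the root id, and the bridge's priority number is larger than the root's. The interface output embedded in it is constructed sample data with made-up MAC addresses; on a real firewall you would feed it `$(ifconfig bridge0)`. The remedy when the check fails is to raise the bridge's priority number with bridge(4)'s `priority` option (for example adding `priority 61440` to `ifconfig_bridge0`) or to lower the switches' priority.

```shell
#!/bin/sh
# Added example: verify that a FreeBSD bridge(4) interface is not the
# spanning-tree root, so the switch on either side of a pf bridge pair
# keeps that role. Not part of the original mailing-list post.

# stp_check OUTPUT
#   OUTPUT is the text of `ifconfig bridgeN`.
#   Prints one of: ok, nostp, root, prio.  Returns 0 only for "ok".
stp_check() {
    verdict=$(printf '%s\n' "$1" | awk '
        # "id <mac> priority <n> ..."        -> the bridge itself
        $1 == "id"                 { own_id = $2; own_prio = $4 + 0 }
        # "root id <mac> priority <n> ..."   -> the elected root bridge
        $1 == "root" && $2 == "id" { root_id = $3; root_prio = $5 + 0 }
        # "member: emN flags=...<...STP...>" -> one line per member port
        $1 == "member:"            { members++; if ($3 ~ /STP/) stp++ }
        END {
            if (members == 0 || stp != members) { print "nostp"; exit }
            if (own_id == root_id)              { print "root";  exit }
            # equal priorities fall back to a MAC comparison, so treat
            # "not strictly worse than the root" as a failure too
            if (own_prio <= root_prio)          { print "prio";  exit }
            print "ok"
        }')
    printf '%s\n' "$verdict"
    [ "$verdict" = ok ]
}

# Constructed sample: bridge priority raised to 61440, switch is root.
SAMPLE_OK='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:1a:2b:3c:4d:00
        id 00:11:22:33:44:55 priority 61440 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:aa:bb:cc:dd:ee priority 4096 ifcost 20000 port 1
        member: em1 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20000 proto rstp
                role designated state forwarding
        member: em0 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000 proto rstp
                role root state forwarding'

# Constructed sample: default priority everywhere, firewall won the election.
SAMPLE_ROOT='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:1a:2b:3c:4d:00
        id 00:11:22:33:44:55 priority 32768 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:11:22:33:44:55 priority 32768 ifcost 0 port 0
        member: em1 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20000 proto rstp
                role designated state forwarding
        member: em0 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000 proto rstp
                role designated state forwarding'

# Constructed sample: STP was never enabled on em0 (no "stp em0" in rc.conf).
SAMPLE_NOSTP='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 02:1a:2b:3c:4d:00
        id 00:11:22:33:44:55 priority 61440 hellotime 2 fwddelay 15
        maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
        root id 00:aa:bb:cc:dd:ee priority 4096 ifcost 20000 port 1
        member: em1 flags=1c7<LEARNING,DISCOVER,STP,AUTOEDGE,PTP,AUTOPTP>
                ifmaxaddr 0 port 2 priority 128 path cost 20000 proto rstp
                role designated state forwarding
        member: em0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
                ifmaxaddr 0 port 1 priority 128 path cost 20000'

# Usage on a live firewall (commented out so the file runs offline):
# stp_check "$(ifconfig bridge0)" || echo "bridge0 STP configuration needs attention"
```

Run it on both FW1 and FW2 after the bridges are up, and again after a switch replacement: a new switch with factory-default priority re-opens the race the check is meant to catch.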