Stoyan Genov wrote:
>
> Joachim Schipper wrote:
>> On Tue, Nov 29, 2005 at 10:31:03AM +0100, David Coppa wrote:
>>
>>> On 11/29/05, Joachim Schipper wrote:
>>>
>>>> Why don't you just put a switch in front of the two firewalls, and then
>>>> do CARP (for firewall failover) plus some smart routing tricks (for ISP
>>>> failover - search the archives, I forgot the proper keywords)?
>>>
>>> pf route-to?
>>
>> Hmm, wouldn't that require some additional scripting? Would work,
>> though...
>>
>
> We have this running for several months. Setup is the following
> (sorry, no time for ascii art):
>
> *) 2 x obsd37/i386 boxes, 4 NICs each
> *) each box connects to both ISPs
> *) each box connects to internal LAN
> *) the two boxes are interconnected for pfsync purposes
>    with a dedicated crossover ethernet cable
> *) CARPed on "the inside" is the LAN gateway IP address
> *) CARPed on "the outside" are IPs for a couple of pub services
> *) each box has its own IP on the inside and the outside
>    (so, 4 IPs used on the "outside" -- each ISP, each box)
> *) pf.conf on both boxes is identical; they differ in the
>    default route (master box defaults through "master" ISP,
>    backup box defaults through backup ISP (we want to use
>    also the backup ISP through the backup box when everything
>    is OK)
> *) upon becoming a master, a box would change its gateway
>    through the master ISP, plus starting a couple of services
> *) upon becoming a backup, a box would change its gateway
>    through the backup ISP, plus stopping a couple of services
> *) upon unavailability of its default ISP (cron+ping checks)
>    each box would change default gateway to the other ISP
>
> An over-simplified pf.conf would look roughly like this:
>
> "
> # nat on both interfaces; default route will "choose" which exactly
> nat on $if_isp1 from $net_int to $net_int_not -> $if_isp1:0
> nat on $if_isp2 from $net_int to $net_int_not -> $if_isp2:0
>
> block log all
>
> pass proto carp all
> pass on $if_loc all
>
> pass in on $if_int from $net_int to any
> pass out on $if_int from any to $net_int
>
> # pass from my IPs to everywhere rules
> # left as an exercise for the reader
>
> pass on $if_pfsync proto $pfsync_protos from $pfsync_peers \
>    to $pfsync_peers
>
> # NO KEEP STATE HERE
> pass on $if_isp1 proto $pub_serv_proto from any to $pub_serv_IP_on_isp1
> pass on $if_isp2 proto $pub_serv_proto from any to $pub_serv_IP_on_isp2
> # also, pub IPs are CARPed
>
> # KEEP THE STATE HERE
> # FOR PUB SERVICE, IT'S THE *RESPONSE* THAT CREATES A STATE
> pass out route-to ($if_isp1 $gw_isp1) from $net_isp1 to $net_isp1_not \
>    modulate state
> pass out route-to ($if_isp2 $gw_isp2) from $net_isp2 to $net_isp2_not \
>    modulate state
> "
>
> I probably forget some minor but important details.
>
> I wish I could get an AS and use BGP to route through both ISPs.
>
> Best Regards,
> Stoyan Genov
I am having some problems with a similar setup based on
http://www.monkey.org/openbsd/archive/misc/0409/msg02994.html, but with
CARP layers in front of the int/ext interfaces. Have you tried using packet
tagging and decided it would not work?

--
Sent from the openbsd user - misc forum at Nabble.com:
http://www.nabble.com/pfsync-carp-via-2-ISP%27s-t632647.html#a2027119
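The "cron+ping checks" step of the setup quoted above, as an added example that is not code from the thread or from any of its posters: a POSIX sh script for each firewall that probes its own ISP, falls over to the other ISP only when that one actually answers, and changes the default route idempotently. The gateway and probe addresses, the state file path and the ISP numbering are assumptions; it expects a default route to exist already (e.g. from /etc/mygate) and PREFERRED to be set to 1 on the CARP master and 2 on the backup.

```shell
#!/bin/sh
# Added example (not from the thread): the "cron+ping checks" step, moving the
# default route between two ISPs. Addresses, paths and ISP numbering are
# placeholders; a default route is assumed to exist already (/etc/mygate).

GW_ISP1="${GW_ISP1:-192.0.2.1}"          # placeholder: ISP1 gateway
GW_ISP2="${GW_ISP2:-198.51.100.1}"       # placeholder: ISP2 gateway
PROBE_ISP1="${PROBE_ISP1:-192.0.2.1}"    # host pinged to judge ISP1 usable
PROBE_ISP2="${PROBE_ISP2:-198.51.100.1}" # host pinged to judge ISP2 usable
PREFERRED="${PREFERRED:-1}"              # 1 on the CARP master, 2 on the backup
STATE_FILE="${STATE_FILE:-/var/run/isp-failover.state}"

# isp_up N: 0 if ISP N's probe host answers. PING_CMD is a hook so the
# probe can be replaced (e.g. by a stub when testing the decision logic).
isp_up() {
    case "$1" in
        1) target=$PROBE_ISP1 ;;
        2) target=$PROBE_ISP2 ;;
        *) return 1 ;;
    esac
    ${PING_CMD:-ping -c 3 -w 5 -q} "$target" >/dev/null 2>&1
}

# choose_isp: print the ISP the default route should use. Stay on the
# preferred ISP while it answers; fail over only if the other one answers;
# if both are dead, keep the preferred route rather than flap between them.
choose_isp() {
    if [ "$PREFERRED" = 1 ]; then other=2; else other=1; fi
    if isp_up "$PREFERRED"; then echo "$PREFERRED"
    elif isp_up "$other"; then echo "$other"
    else echo "$PREFERRED"
    fi
}

# apply_isp N: change the default route only when it differs from the last
# state applied, so repeated cron runs are idempotent and quiet.
apply_isp() {
    want=$1
    have=$(cat "$STATE_FILE" 2>/dev/null || :)
    [ "$want" = "$have" ] && return 0
    if [ "$want" = 1 ]; then gw=$GW_ISP1; else gw=$GW_ISP2; fi
    ${ROUTE_CMD:-route -n change default} "$gw" || return 1
    echo "$want" > "$STATE_FILE"
    logger -t isp-failover "default route now via ISP$want ($gw)" 2>/dev/null || :
}

# Act only when invoked as "isp-failover.sh run" (from cron); otherwise the
# file just defines the functions, so it can be sourced for testing.
if [ "${1:-}" = run ]; then apply_isp "$(choose_isp)"; fi
```

Run it from cron every minute or so as `isp-failover.sh run`; the CARP master/backup transition scripts can set PREFERRED (or rewrite the state file) so the box returns to its own ISP when it changes role.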