On 2018-09-14, Marko Cupać <marko.cu...@mimar.rs> wrote:
> Hi,
>
> for years I have been using a setup with two firewalls: an "outer" one -
> FW1-BGP - connecting to upstream ISPs and talking BGP to them regarding
> my DMZ, and an "inner" one - FW2-NAT, doing NAT for my LAN.
>
>      ISP1   ISP2
>         \   /
>       [FW1-BGP]
>           |
>         (DMZ)
>           |
>       [FW2-NAT]
>           |
>         (LAN)
>
> (Actually, it's more complicated due to each of the firewalls having
> their CARP twin, but that shouldn't matter for my questions.)
>
> I'm considering moving to a setup with just one firewall (ok, two,
> because of CARP, once again it should not matter), which would connect
> to upstream ISPs, DMZ and LAN.
>
>      ISP1   ISP2
>         \   /
>       [FW1-ALL]
>         /   \
>     (DMZ)   (LAN)
>
> Any success / failure stories from admins who already went through
> this? Any pitfalls I should avoid?
Operationally this setup works ok if you have one router. The difficulty
comes if you want to land the two ISPs on different routers and do carp
between them, like

     ISP1       ISP2
        \       /
      [FW1]---[FW2]
        /       \
     (DMZ)     (LAN)

Then, if incoming packets go to the non-master firewall, you need to keep
the PF state table in sync between the two, in particular TCP sequence
numbers need to match up with the information in the state. pfsync with
"defer" can help but there might still be issues with fast TCP flows.

Otherwise you can use "depend on <carpXX>" in bgpd config, so that you
only have active bgp sessions on the router/firewall which is "master" at
the time, but then you have slower failovers because it needs to bring up
the session and load the route table after carp flips across.

I generally prefer the "two layer" setup if possible.
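The two mechanisms named in the reply, pfsync "defer" and bgpd "depend on <carpXX>", sketched as an added configuration example for one of the two CARP firewalls (this is illustrative, not configuration posted in the thread). Interface names, addresses, AS numbers and the announced prefix are assumed placeholders; the filter rules are a minimal assumed policy so the router only announces its own DMZ prefix and only accepts a default route.

```conf
# --- /etc/hostname.pfsync0 (assumed: em2 is a dedicated sync link) ---
# "defer" holds the first packet of a new state until the peer has
# acknowledged the state, so a reply arriving at the other CARP node
# already has matching TCP sequence information in its state table.
up syncdev em2 defer

# --- /etc/pf.conf fragment (assumed interface names) ---
# Sync traffic and CARP advertisements must be allowed explicitly;
# keep pfsync restricted to the dedicated link so state data is not
# exposed on transit interfaces.
pass quick on em2 proto pfsync
pass quick on { em0 em1 } proto carp

# --- /etc/bgpd.conf (assumed placeholder AS numbers and addresses) ---
AS 65001
router-id 192.0.2.10
network 203.0.113.0/24

neighbor 192.0.2.1 {
	descr "ISP1 (placeholder)"
	remote-as 65000
	# session stays idle unless carp0 is MASTER on this box
	depend on carp0
}

neighbor 198.51.100.1 {
	descr "ISP2 (placeholder)"
	remote-as 65002
	depend on carp1
}

# Announce only our DMZ prefix; accept only a default route from upstream.
deny quick from any
deny quick to any
allow quick from any prefix 0.0.0.0/0
allow quick to any prefix 203.0.113.0/24
```

With "depend on", the BGP session is torn down on the node that loses MASTER and re-established on the new master, which is the slower-failover trade-off the reply describes.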