Jason Stubbs wrote:
> Hi,
> I'm looking to set up redundant firewalls in pretty much the same way as
> is detailed in the PF FAQ. For discussion purposes, I've reproduced the
> basic network layout below.
From your description and questions below, it looks like you're not
trying to do it the same way, and your understanding may be incomplete.
[Snip Layout]
> Firewall External IP addresses
> 10.0.0.1 nat'ed to sv1 with fw1 being the master
> 10.0.0.2 nat'ed to sv2 with fw2 being the master
> Firewall Internal IP addresses
> 192.168.0.1 with fw1 being the master
> 192.168.0.2 with fw2 being the master
Are these CARP'd addresses, as in you have multiple CARP interfaces per
NIC? If so, why?
> Now with sv1's default route being set to 192.168.0.1 and sv2's default
> route being set to 192.168.0.2 all should work fine (at least as far as
> documentation goes). However, what I'd like to do is have both sv1 and
> sv2 use both 192.168.0.1 and 192.168.0.2 for routing in a round-robin
> fashion. With fw1 handling sv1's nat'ing, will fw2 correctly be able to
> un'nat and send out replies sent by sv1?
I'm not going to answer this directly, mostly because I can't figure
out, given you have a really kickass failover system, why you'd even
want to do this. Given you're using hardware that is capable of using
em cards, box loading shouldn't be an issue.
Put simply, you're trying to make this harder than it really is, I
think. I suggest the following, which is what we use at the office and
is a heck of a lot closer to what the PF User's Guide suggests:
carp0: Assigned to em0 on both fw1 and fw2. Assigned 192.168.0.1; fw1
is the master.
carp1: Assigned to em2 on both fw1 and fw2. Assigned 10.0.0.1 AND
10.0.0.2 (primary and alias). Make sure that you have carp info for the
aliases (vhid and whatnot) for the alias lines. I can't remember if
it's required per alias entry, but that's what we're running here and it
works.
Don't forget to set your advskew values properly, i.e. they should be
higher on fw2 if it's the backup box.
pfsync0 still on em1. (Personally I'd do em1 as the carp1 int and em2 as
the pfsync, but I'm weird like that).
em0 on fw1: assign 192.168.0.2 as the int's IP for management and whatnot.
em0 on fw2: assign 192.168.0.3 for the same reasons.
Do the same thing for em1 on both firewalls using 10.0.0.x addresses.
Set up your pf rulesets, doing your rdr rules for both sv1 and sv2 on
the inbound *interfaces* (this has bit me in the ass many times).
Set the gateway on both sv1 and sv2 to 192.168.0.1
If fw1 goes paws up or needs maintenance, and if you've done everything
right, fw2 will take the load almost instantly (within milliseconds in
my experience).
[snip rest, as it's not relevant to my answer]
My whole point is that with the CARP and pfsync redundancy, there's no
need to have really complicated routes to and from your servers and
their firewalls.
Hope this helps.
--
Joseph C. Bender
jay cee bender at bendorius dot com
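The layout Joseph describes above, written out as OpenBSD hostname.if(5) and pf.conf fragments; this is an added example, not configuration from either poster. It assumes current OpenBSD syntax, where the vhid belongs to the carp interface and so covers its alias, a /24 on both sides, and constructed server addresses 192.168.0.10 (sv1) and 192.168.0.11 (sv2), since the real layout was snipped.

```conf
# fw1:/etc/hostname.carp0  (internal CARP address; fw1 is master, so advskew 0)
inet 192.168.0.1 255.255.255.0 192.168.0.255 vhid 1 carpdev em0 pass CHANGEME-carp0 advskew 0

# fw1:/etc/hostname.carp1  (external CARP address plus alias, one vhid for both)
inet 10.0.0.1 255.255.255.0 10.0.0.255 vhid 2 carpdev em2 pass CHANGEME-carp1 advskew 0
inet alias 10.0.0.2 255.255.255.255

# fw1:/etc/hostname.pfsync0  (state-table sync over the dedicated em1 link)
up syncdev em1

# fw2 gets identical files except for a higher advskew, so it stays backup:
#   hostname.carp0: ... vhid 1 carpdev em0 pass CHANGEME-carp0 advskew 100
#   hostname.carp1: ... vhid 2 carpdev em2 pass CHANGEME-carp1 advskew 100

# Physical-interface addresses for management, per the reply:
#   fw1:/etc/hostname.em0 -> inet 192.168.0.2 255.255.255.0
#   fw2:/etc/hostname.em0 -> inet 192.168.0.3 255.255.255.0
#   and likewise hostname.em2 on each box with real 10.0.0.x addresses.

# /etc/pf.conf  (same file on both firewalls; pfsync keeps their states in step)
ext_if  = "em2"
int_if  = "em0"
sync_if = "em1"
sv1 = "192.168.0.10"   # constructed; sv1's real address was in the snipped layout
sv2 = "192.168.0.11"   # constructed

set skip on lo

# Default deny on the outside; later, more specific rules win (last match).
block in on $ext_if

# CARP advertisements and pfsync must flow on the physical links, or failover breaks.
pass quick on $sync_if proto pfsync
pass quick on { $int_if $ext_if } proto carp

# rdr rules go on the inbound *physical* interface (em2), not on carp1.
pass in on $ext_if proto tcp from any to 10.0.0.1 port 80 rdr-to $sv1 port 80
pass in on $ext_if proto tcp from any to 10.0.0.2 port 80 rdr-to $sv2 port 80

# Replies and outbound traffic from each server leave from its own public address.
pass out on $ext_if from $sv1 nat-to 10.0.0.1
pass out on $ext_if from $sv2 nat-to 10.0.0.2
pass out on $ext_if
pass on $int_if
```

Both servers keep 192.168.0.1 as their only gateway; because the translated states are replicated over pfsync0, fw2 un-NATs sv1's replies correctly after a failover without any round-robin routing on the servers.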