Hi all! I am looking for a way to build fault-tolerant routers with a firewall. We have an AS number and a /24 network prefix, as well as multihomed peering with two upstream ISPs. To build this solution, I've got 4 machines with OpenBSD on them:

Hosts `border1' and `border2'. Each of these routers is connected to its own provider by eBGP: border1 connects to ISP1 and border2 connects to ISP2. There is iBGP between these two border routers (set nexthop self). To avoid states, I didn't configure pf. Perhaps I am wrong and it is possible to configure stateless pf to avoid BGP connection attempts from foreign addresses. These two routers are connected to the downstream internal vlanX, and each router has its own IPv4 address from the announced /24 network prefix.

Hosts `fw1' and `fw2' are behind the border routers. They have a stateful packet filter with pfsync (port redirections, binat rule sets and so on), without any dynamic routing protocols. Their external interfaces are connected to vlanX and also have addresses from the announced network prefix within the AS. There's a master/slave CARP between these firewalls. The external CARP address is used as a NAT address for internal services; there's also an internal CARP address used as the default router for internal downstream services in the 92.168.0.0/16 subnet.

Q1: How do I connect fw1 and fw2 to the borders? Do I need to set up a CARP address (master/slave) on the internal interfaces of the border routers, which will act as the default router for the two fw routers? As I understand it, I can't bring up an IGP between the border and fw routers because of the packet state on the fw group.

Q2: Can asymmetric routing issues arise when connecting the border and fw routers via CARP?

Q3: Do I need to add the announced /24 network prefix as a blackhole on the border routers with the `route add -blackhole' command, to avoid replying to requests for non-existent addresses in that network? I am thinking of splitting the /24 into small subnets for future needs, so there may be requests to unused addresses.

Regards,
Den
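On the stateless pf point raised above: pf on OpenBSD keeps state by default, but a ruleset can be written entirely with `no state`, so the border routers can forward traffic without a state table and still restrict who may open a BGP session to them. The ruleset below is an added example for the border1 role, not configuration from the original post; the interface names and the addresses (taken from the RFC 5737 documentation ranges) are placeholders and must be replaced with the real values.

```pf
# /etc/pf.conf on border1 -- stateless ruleset (constructed example).
# Placeholders: interface names and all addresses are assumptions.
ext_if    = "em0"               # link to ISP1
int_if    = "vlan10"            # downstream vlanX toward fw1/fw2 and border2
our_net   = "203.0.113.0/24"    # the announced /24
isp1_peer = "198.51.100.1"      # eBGP neighbour on the ISP1 link
my_ext    = "198.51.100.2"      # border1's address on the ISP1 link
ibgp_peer = "203.0.113.3"       # border2's address on vlanX
my_int    = "203.0.113.2"       # border1's address on vlanX

set skip on lo0

# With "quick", the first matching rule wins, so the explicit passes for the
# two configured neighbours must come before the block for everybody else.
pass in quick on $ext_if proto tcp from $isp1_peer to $my_ext port bgp no state
pass in quick on $int_if proto tcp from $ibgp_peer to $my_int port bgp no state

# Nobody else may open TCP/179 to this router; sessions we initiate ourselves
# are unaffected because their replies carry port 179 as the *source* port.
block in quick proto tcp to { $my_ext, $my_int } port bgp

# Packets arriving from the ISP that claim a source inside our own prefix
# cannot be legitimate; drop them (plain stateless anti-spoofing).
block in quick on $ext_if from $our_net

# Everything else is forwarded without creating state, so the border pair
# can carry asymmetric traffic without a shared state table.
pass no state
```

Because no state is kept, every direction that should be allowed has to match a rule on its own; here the final `pass no state` covers return traffic, so only the two `block` rules narrow it. The peer-address filter only stops connection attempts; it does not authenticate the neighbour, so it is worth combining with the session protection bgpd itself offers (such as TCP MD5 signatures configured per neighbour in bgpd.conf) rather than relying on the source address alone.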