On Tue, Oct 10, 2006 at 07:59:23PM +0200, Ronnie Garcia wrote:
> Hello,
>
> I have an OSPF enabled backbone and want to insert two firewalls.
> Each firewall will be connected to one different core router.
>
> My idea is to set up OSPFd on the interfaces plugged to the core, and
> CARP on the interfaces plugged to the other side (servers network). I
> have no routing protocol inside the servers network.
>
> From the servers side, traffic will go out from the firewall owning the
> shared IP (the "master" firewall).
> From the internet side, traffic will go in from both firewalls,
> whichever is the nearest from the core router.
>
> With this design, a SYN packet can enter thru FW2 and the corresponding
> ACK packet go back thru FW1.
>
> Will pfsync just handle the split sessions happily? Will it handle the
> load for, say, 10k pps?
>
You normally don't want to do split routing through firewalls. Even though pfsync may allow it, it will hurt performance because pfsync updates are done in batches. It is far better to just prefer the active router over the other. (This is actually what OpenOSPFD does: it announces the network only on the active router.)

Instead of using direct connections into your two core routers it would be better to use two interconnected switches to connect all four routers on one LAN.

--
:wq Claudio
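As an added illustration of the design Claudio recommends (this is not part of the original thread and not OpenOSPFD's own example), here is a minimal OpenBSD configuration for one of the two firewalls. Interface names, addresses, the vhid and the CARP password are placeholders. It relies on ospfd treating a carp(4) interface in backup state as link-down, so the servers network is announced into OSPF only by the current CARP master; the `passive` flag keeps ospfd from sending hellos or forming adjacencies toward the servers. The second firewall gets the same files with its own addresses and router-id, and a higher `advskew` on carp0 if one box should be the preferred master. After a failover, `ospfctl show interfaces` on both firewalls should show carp0 active on the master only.

```conf
# /etc/hostname.em0  (core-facing interface, on the LAN shared with both core routers)
inet 192.0.2.2 255.255.255.0 NONE

# /etc/hostname.em1  (server-side physical interface)
inet 10.0.1.2 255.255.255.0 NONE

# /etc/hostname.carp0  (shared default gateway for the servers network;
#                       vhid and pass are placeholders, must match on both firewalls)
inet 10.0.1.1 255.255.255.0 10.0.1.255 vhid 1 pass CHANGEME carpdev em1

# /etc/hostname.pfsync0  (state synchronisation over a dedicated link, not the server LAN)
up syncdev em2

# /etc/pf.conf (excerpt): allow CARP on the server side and pfsync on the sync link
pass quick on em1 proto carp
pass quick on em2 proto pfsync

# /etc/ospfd.conf
router-id 192.0.2.2

area 0.0.0.0 {
    # full OSPF adjacency with the core routers on the shared LAN
    interface em0

    # servers network: ospfd sees a backup carp interface as link-down,
    # so this stub is announced only while this firewall is CARP master;
    # passive = no hello packets and no neighbours on the server side
    interface carp0 {
        passive
    }
}
```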