On Tuesday 10 October 2006 19:59, Ronnie Garcia wrote:
> I have an OSPF enabled backbone and want to insert two firewalls.
> Each firewall will be connected to one different core router.
> ...
> With this design, a SYN packet can enter through FW2 and the
> corresponding ACK packet go back through FW1.
>
> Will pfsync just handle the split sessions happily? Will it handle
> the load for, say, 10k pps?
I've tried exactly that and it was not reliable. The solution is pretty simple though: just make sure only one fw at a time is active. I've used Quagga with some ifstated-type hacks to make it work, but these days OpenOSPFD sounds like your good friend. Or use CARP on both sides if that's an alternative.

/Andreas
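As an added illustration of the "CARP on both sides" option mentioned in the reply above (this is example configuration written for this page, not taken from the thread or from any real deployment): the pieces that make "only one firewall active at a time" hold are a CARP VIP on each side with the same vhid on both firewalls, net.inet.carp.preempt so that losing MASTER on one side demotes the whole host, and pfsync so the idle firewall already holds the states when it takes over. It assumes both firewalls share an L2 segment with the core routers on each side (the routers then point their OSPF next hop at the VIP rather than at a specific firewall); the interface names (em0/em1/em2), addresses, vhids, advskew values and passwords are all made up for the example.

```conf
# /etc/sysctl.conf (both firewalls)
# With preempt enabled, a host that loses MASTER on any carp interface
# drops to BACKUP on all of them, so a firewall is either fully active
# or fully idle; no session can enter on fw2 and leave via fw1.
net.inet.carp.preempt=1

# /etc/hostname.carp0 on fw1 (outside, segment shared with the core routers)
# fw2 uses the same vhid and pass but a higher advskew (e.g. 100) so it
# stays BACKUP while fw1 is healthy.  Addresses/vhid/pass are assumed.
inet 198.51.100.1 255.255.255.0 198.51.100.255 vhid 1 carpdev em0 advskew 0 pass sharedsecret1

# /etc/hostname.carp1 on fw1 (inside)
inet 10.0.0.1 255.255.255.0 10.0.0.255 vhid 2 carpdev em1 advskew 0 pass sharedsecret2

# /etc/hostname.pfsync0 (both firewalls, dedicated crossover link on em2)
up syncdev em2

# /etc/pf.conf (both firewalls): CARP advertisements arrive on the
# physical interfaces; pfsync traffic only ever crosses the sync link.
pass quick on { em0 em1 } proto carp
pass quick on em2 proto pfsync
```

Check after bringing it up that `ifconfig carp0` and `ifconfig carp1` report MASTER on the same host and BACKUP on the other; if they ever disagree, preempt is not in effect and you are back to the split-session case the original question describes.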