Claudio Jeker wrote:
On Tue, Oct 10, 2006 at 07:59:23PM +0200, Ronnie Garcia wrote:
I have an OSPF enabled backbone and want to insert two firewalls.
Each firewall will be connected to one different core router.

My idea is to setup OSPFd on the interfaces plugged to the core, and CARP on the interfaces plugged to the other side (servers network). I have no routing protocol inside the servers network.

From the servers side, traffic will go out from the firewall owning the shared IP (the "master" firewall). From the internet side, traffic will go in from both firewalls, whichever is the nearest from the core router.

With this design, a SYN packet can enter through FW2 and the corresponding ACK packet go back through FW1.

Will pfsync just handle the split sessions happily? Will it handle the load for, say, 10k pps?


You normally don't want to do split routing through firewalls. Even though
pfsync may allow it, it will hurt performance because pfsync updates are
done in batches. It is far better to just prefer the active router over
the other. (This is actually what OpenOSPFD does (it announces the network
only on the active router)).

Thanks for all your replies, I will go for the active/standby solution.

Instead of using direct connections into your two core routers it would be
better to use two interconnected switches to connect all four routers on
one LAN.

What I called "core routers" are actually two Cisco 3560, which are layer 3 switches.

Regards,

--
Ronnie Garcia <r.garcia at ovea dot com>
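The active/standby layout the thread settles on, as an added example that is not part of the original thread or of OpenBSD's own documentation: a small POSIX shell script that stages the hostname.if, pfsync and ospfd.conf files for either firewall. Interface names (em0/em1/em2), addresses, the vhid and the passphrase are constructed placeholders; the keywords used (carpdev, advskew, syncdev, and the ospfd.conf interface options passive and depend on) are the ones from the OpenBSD manual pages. The carp0 network is only announced while carp0 is MASTER, and depend on carp0 makes the backup firewall advertise its core-facing interface with the maximum metric, which is what makes the core prefer the active firewall for inbound traffic instead of splitting sessions across both.

```shell
#!/bin/sh
# Added example (not from the thread). Stages the configuration for one
# of the two firewalls in an active/standby CARP + pfsync + ospfd setup.
# Assumed layout (constructed, adjust to taste):
#   em0 -> core LAN shared with the two 3560s, OSPF area 0.0.0.0
#   em1 -> servers LAN, shared gateway address lives on carp0
#   em2 -> dedicated link between the two firewalls for pfsync
# Usage: stage_firewall fw1|fw2 <staging-dir>   (fw1 is the preferred master)

stage_firewall() {
    role=$1      # fw1 or fw2
    dest=$2      # directory to write the files into (use / on the real box)
    case $role in
        fw1) skew=0;   router_id=10.0.0.1; core_ip=10.0.0.1; sync_ip=10.0.2.1 ;;
        fw2) skew=100; router_id=10.0.0.2; core_ip=10.0.0.2; sync_ip=10.0.2.2 ;;
        *) echo "unknown role: $role (expected fw1 or fw2)" >&2; return 1 ;;
    esac
    mkdir -p "$dest/etc"

    # Core-facing interface: an ordinary address; ospfd peers with the
    # core switches on this LAN.
    printf 'inet %s 255.255.255.0\n' "$core_ip" > "$dest/etc/hostname.em0"

    # Server-facing physical interface carries no address of its own; the
    # servers use the CARP address as their default gateway.
    printf 'up\n' > "$dest/etc/hostname.em1"

    # Shared gateway for the servers network. The lower advskew wins the
    # election, so fw1 is MASTER whenever it is healthy. Placeholder secret.
    printf 'inet 10.1.0.1 255.255.255.0 10.1.0.255 vhid 1 carpdev em1 advskew %s pass CHANGEME\n' \
        "$skew" > "$dest/etc/hostname.carp0"

    # With preempt enabled, losing any CARP-relevant interface on the master
    # demotes the whole box, so routing and state stay on one firewall.
    printf 'net.inet.carp.preempt=1\n' > "$dest/etc/sysctl.conf"

    # pfsync state synchronisation over the dedicated link.
    printf 'inet %s 255.255.255.0\n' "$sync_ip" > "$dest/etc/hostname.em2"
    printf 'up syncdev em2\n' > "$dest/etc/hostname.pfsync0"

    # ospfd: em0 speaks OSPF to the core and announces the maximum metric
    # while carp0 is not MASTER; carp0 is passive (no OSPF neighbours on the
    # servers LAN) and its prefix is only announced by the active firewall.
    cat > "$dest/etc/ospfd.conf" <<EOF
router-id $router_id

area 0.0.0.0 {
    interface em0 {
        depend on carp0
    }
    interface carp0 {
        passive
    }
}
EOF
}

# Stand-alone use: stage_firewall <role> <dir>
if [ $# -ge 2 ]; then
    stage_firewall "$1" "$2"
fi
```

Both firewalls get the same carp0 address and vhid and differ only in advskew, router-id and their own interface addresses; the servers network therefore never needs a routing protocol, and the core learns 10.1.0.0/24 from whichever firewall currently holds the CARP master role.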
