PF Transparent Bridge Firewall + CARP
Tom Judge
tom at tomjudge.com
Wed Dec 30 16:12:36 UTC 2009
On 30/12/2009 01:35, kevin wrote:
>> -----Original Message-----
>> From: Tom Judge
>> Sent: Wednesday, December 16, 2009 1:20 PM
>> To: Kevin
>> Cc: freebsd-pf at freebsd.org
>> Subject: Re: PF Transparent Bridge Firewall + CARP
>>
>>        [router]
>>           |
>> [------switch 1------]
>>   |                |
>> [FW1]--{pfsync}--[FW2]
>>   |                |
>> [------switch 2------]
>>           |
>>       [clients]
>>
>
> I have a really stupid question. If I have a switch with 2 VLANS (one DMZ /
> 'outside', one internal / 'lan') and two firewalls with transparent bridging
> + PF , filtering all inbound/outbound traffic -- would I even need CARP? Is
> CARP overkill?
>
> I'm thinking in a disaster recovery scenario -- if one firewall blows up.
> There's no logical master/slave relationship, but wouldn't there be minimal
> (if any) downtime?
>
>
You don't need CARP here if your firewalls are bridges. Your main issue
is that you only have one switch; the simplest redundant solution is 2
bridges running spanning tree.
Tom