Joachim Schipper wrote:
On Tue, Nov 29, 2005 at 10:31:03AM +0100, David Coppa wrote:
On 11/29/05, Joachim Schipper <[EMAIL PROTECTED]> wrote:
Why don't you just put a switch in front of the two firewalls, and then
do CARP (for firewall failover) plus some smart routing tricks (for ISP
failover - search the archives, I forgot the proper keywords)?
pf route-to?
Hmm, wouldn't that require some additional scripting? Would work,
though...
We have had this running for several months. The setup is the following
(sorry, no time for ascii art):
*) 2 x obsd37/i386 boxes, 4 NICs each
*) each box connects to both ISPs
*) each box connects to the internal LAN
*) the two boxes are interconnected for pfsync purposes
with a dedicated crossover ethernet cable
*) CARPed on "the inside" is the LAN gateway IP address
*) CARPed on "the outside" are IPs for a couple of pub services
*) each box has its own IP on the inside and the outside
(so, 4 IPs used on the "outside" -- each ISP, each box)
*) pf.conf on both boxes is identical; they differ in the
default route (master box defaults through the "master" ISP,
backup box defaults through the backup ISP; we want to use
the backup ISP through the backup box as well when everything
is OK)
*) upon becoming master, a box would change its gateway
to go through the master ISP, and start a couple of services
*) upon becoming backup, a box would change its gateway
to go through the backup ISP, and stop a couple of services
*) upon unavailability of its default ISP (cron+ping checks),
each box would change its default gateway to the other ISP
An over-simplified pf.conf would look roughly like this:
"
# nat on both interfaces; default route will "choose" which exactly
nat on $if_isp1 from $net_int to $net_int_not -> $if_isp1:0
nat on $if_isp2 from $net_int to $net_int_not -> $if_isp2:0
block log all
pass proto carp all
pass on $if_loc all
pass in on $if_int from $net_int to any
pass out on $if_int from any to $net_int
# pass from my IPs to everywhere rules
# left as an exercise for the reader
pass on $if_pfsync proto $pfsync_protos from $pfsync_peers \
to $pfsync_peers
# NO KEEP STATE HERE
pass on $if_isp1 proto $pub_serv_proto from any to $pub_serv_IP_on_isp1
pass on $if_isp2 proto $pub_serv_proto from any to $pub_serv_IP_on_isp2
# also, pub IPs are CARPed
# KEEP THE STATE HERE
# FOR PUB SERVICE, IT'S THE *RESPONSE* THAT CREATES A STATE
pass out route-to ($if_isp1 $gw_isp1) from $net_isp1 to $net_isp1_not \
modulate state
pass out route-to ($if_isp2 $gw_isp2) from $net_isp2 to $net_isp2_not \
modulate state
"
I probably forgot some minor but important details.
I wish I could get an AS and use BGP to route through both ISPs.
Best Regards,
Stoyan Genov
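As an added example (not code from Stoyan's post or his production boxes), here is one way to script the "cron+ping checks" and the master/backup gateway switch the bullet list describes. The CARP interface name carp0, the two gateway addresses (documentation-range placeholders), the ifconfig output parsing and the /etc/rc.pubservices start/stop hook are all assumptions; the decision logic is kept in a side-effect-free function so it can be checked without touching the routing table.

```shell
#!/bin/sh
# Added example: cron-driven ISP failover for a CARP pair (not from the post).
# Assumed: carp0 is the inside CARP interface, gateway addresses are
# placeholders, and /etc/rc.pubservices is a hypothetical service hook.

ISP1_GW=203.0.113.1     # "master" ISP gateway (assumed value)
ISP2_GW=198.51.100.1    # backup ISP gateway (assumed value)
CARP_IF=carp0           # inside CARP interface (assumed name)

# choose_gateway STATE ISP1_UP ISP2_UP
#   STATE is MASTER or BACKUP, ISP*_UP is 1 or 0.
#   The master box prefers ISP 1, the backup box prefers ISP 2, and either
#   falls back to the other ISP when its preferred one is down.
#   Prints the gateway to use, or "none" when both uplinks are dead.
choose_gateway() {
    state=$1; isp1_up=$2; isp2_up=$3
    if [ "$state" = MASTER ]; then
        pref=$ISP1_GW; pref_up=$isp1_up; alt=$ISP2_GW; alt_up=$isp2_up
    else
        pref=$ISP2_GW; pref_up=$isp2_up; alt=$ISP1_GW; alt_up=$isp1_up
    fi
    if [ "$pref_up" = 1 ]; then
        echo "$pref"
    elif [ "$alt_up" = 1 ]; then
        echo "$alt"
    else
        echo none            # leave the existing route alone
    fi
}

# Current CARP role, parsed from the "carp: MASTER carpdev ..." line that
# ifconfig prints for a carp interface (parsing is an assumption).
carp_state() {
    ifconfig "$CARP_IF" | sed -n 's/.*carp: \([A-Z]*\).*/\1/p'
}

# 1 if the address answers ping, else 0. Pinging the gateway only proves the
# link to the ISP router; ping a host beyond it for a stronger check.
isp_up() {
    if ping -c 2 -w 5 "$1" >/dev/null 2>&1; then echo 1; else echo 0; fi
}

# Gateway of the current default route ("gateway: a.b.c.d" in route output).
current_gateway() {
    route -n get default 2>/dev/null | awk '/gateway/ { print $2 }'
}

main() {
    state=$(carp_state)
    want=$(choose_gateway "$state" "$(isp_up "$ISP1_GW")" "$(isp_up "$ISP2_GW")")
    [ "$want" = none ] && exit 0
    if [ "$(current_gateway)" != "$want" ]; then
        route change default "$want"
        logger -t ispfailover "carp $state: default route now via $want"
    fi
    # Public services follow the CARP role (hypothetical hook script).
    if [ "$state" = MASTER ]; then
        /etc/rc.pubservices start
    else
        /etc/rc.pubservices stop
    fi
}

# Only act when invoked as "ispfailover.sh run" (e.g. every minute from
# cron); sourcing the file merely defines the functions.
case "${1:-}" in
    run) main ;;
esac
```

Running the same script from cron on both boxes gives the behaviour in the list: the master keeps ISP 1 and the backup keeps ISP 2 while both uplinks answer, and each side moves its default route to the other ISP only when its own preferred gateway stops responding. Because pf.conf is identical on both boxes and NAT is declared on both uplinks, no pf reload is needed when the route changes.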