Hello everyone,

At work we are using a firewall cluster of two Linux servers, but I'm trying to change this; especially to replace iptables/netfilter with pf (mostly for performance and 'easy to maintain' reasons).

Here is the thing: right now, if the active node is seen dead, all resources switch to the other node (via pacemaker/heartbeat). Here are the resources managed:
- virtual IPs,
- firewall configuration,
- routes,
- ADSL modem (in bridge mode) interfaces.

So here are my issues:
1) Can I group multiple virtual IPs to make them all switch at the same time using CARP?
2) About the modem interfaces, I can't have them UP on both firewalls at the same time. How would you manage that?

Currently, I'm thinking about making CARP listen on a dedicated interface (directly connected between the two servers) and managing everything with the up/down scripts. But with that kind of solution there will be no failover if another interface goes down on the active node.

Maybe I'm missing something obvious here; in that case please don't hit me too hard ;)

Thanks!
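Configuration sketch for the setup described above, added here as an example and not part of the original post. It shows the OpenBSD-style pieces that address the two questions: several VIPs tied to one CARP vhid (plus a second carp interface on the inside) so they move together, carp preemption so the whole host gives up master when any one carp interface loses, pfsync over the crossover link, and ifstated to keep the ADSL-facing interface up only on the current master. Interface names (em0, em1, em2, pppoe0), vhids, the addresses and SHARED_SECRET are placeholders; verify the exact syntax against carp(4), hostname.if(5), pfsync(4) and ifstated.conf(5) for the version in use.

```conf
# /etc/sysctl.conf
# preempt: a host whose carp interface loses master demotes all its carp
# interfaces, so one failed link fails the whole node over (avoids the
# "VIP on node A, internal side on node B" split the post worries about)
net.inet.carp.preempt=1
net.inet.carp.log=2

# /etc/hostname.carp0   (external side; placeholder addresses)
inet 192.0.2.10 255.255.255.0 192.0.2.255 vhid 10 carpdev em0 pass SHARED_SECRET advskew 0
inet alias 192.0.2.11 255.255.255.255     # extra VIPs on the same vhid
inet alias 192.0.2.12 255.255.255.255     # always switch together with the primary

# /etc/hostname.carp1   (internal side; placeholder addresses)
inet 10.0.0.1 255.255.255.0 10.0.0.255 vhid 11 carpdev em1 pass SHARED_SECRET advskew 0
# on the backup node use the same files with "advskew 100" instead of 0

# /etc/hostname.pfsync0 (state sync over the dedicated crossover link em2)
up syncdev em2

# /etc/pf.conf (only the cluster-related rules)
pass quick on em2 proto pfsync
pass on { em0 em1 } proto carp

# /etc/ifstated.conf
# For a carp interface, link.up means MASTER and link.down means BACKUP.
# pppoe0 (assumed name of the interface towards the bridged ADSL modem)
# is only brought up on the node that is master on both sides.
init-state auto

ext_master = "carp0.link.up"
int_master = "carp1.link.up"

state auto {
	if $ext_master && $int_master
		set-state primary
	if ! $ext_master || ! $int_master
		set-state backup
}

state primary {
	init {
		run "logger -t ifstated 'became primary, enabling ADSL link'"
		run "ifconfig pppoe0 up"
	}
	if ! $ext_master || ! $int_master
		set-state backup
}

state backup {
	init {
		run "logger -t ifstated 'became backup, disabling ADSL link'"
		run "ifconfig pppoe0 down"
	}
	if $ext_master && $int_master
		set-state primary
}
```

With this layout the CARP election itself runs on the production interfaces rather than on the crossover link, so a dead uplink or dead internal link on the master is noticed by the peer; the crossover carries pfsync only. Check the result with `ifconfig carp` on both nodes (one should show MASTER, the other BACKUP, for every vhid) and by pulling one cable on the master: both carp interfaces and the ADSL interface should move together.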