Hi,

I tried something similar: 2x machines (FreeBSD) with OpenBGPD, CARP (for fail-over of the internal default gateway), PF and pfsync.

I encountered problems especially with asymmetrically routed traffic, e.g. traffic coming in via router 1, going to the client/server and going out via router 2. pf/pfsync sets up the session and replicates states to the other machine - the connection is established.. but I have massive problems with really transferring data (which means POP3 login works, small mails are downloaded, but then it interrupts).

Maybe I have mistakes in the pf.conf (I use keep state everywhere..). I am also not sure if this setup is a clever idea.. anyone?

Regards,
Reto

> I started working for a company that its production site is running 2
> PIX firewalls with no VRRP (to save cost on licensing, duh). I offered
> and they approved to replace them with 2 OpenBSD and CARP. In front of
> the FW there is a Cisco 7200 router doing BGP. I offered to remove the
> router and use OpenBGP on the OpenBSD firewalls instead, thus achieving
> failover on BGP too. But I don't know whether this is a good idea or
> should I add 2 more OpenBSD systems specifically for BGP?
>
> TIA
> Paolo
>
> PS - The FWs will be single CPU Dell PowerEdge 1850 systems with
> (probably) 1GB RAM.