On Tue, 29 May 2007 13:07:12 +0100, [EMAIL PROTECTED] wrote:
> Good Morning,
>
> I'm currently in the process of configuring a new firewall for my company
> and would like to know the following:
>
> 1. Is it possible to configure OpenBSD firewall interface as follows:
>
>    carp10 - int/ext virtual eth dev (ip of CVI - shared between fw's)
>      |
>    vlan10 - int/ext virtual eth dev (ip of NDI - not shared)
>      |
>    pcn0   - int/ext eth device (no ip)
>
> Basically, I'd like to use vlan's on top of physical interfaces, with carp
> devices on top of vlan logical interfaces.
I'm not sure why you're using index 10 for your carp and vlan interfaces.
Regardless, you can layer them as described (carp -> vlan -> physical (no IP)).
WTF are CVI and NDI? ZOMG.

> 2. I'm guessing that when the firewall is configured as above, I'll refer
> to vlan interface with carp specific IP address (rather than physical
> int)?

You'll refer to the vlan interface anytime you wish to refer to the
underlying interface "device" (e.g., "block in on vlan10 from any to
(carp10:network)"). Whenever you wish to refer to the network layer, you
refer to the carp interface (i.e., for macro expansion).

> 3. Do I need to add virtual IP addresses to the firewall to answer for
> each public IP address, or can I simply configure the router to
> route all traffic for subnet through IP address of external carp device of
> firewall?

Please read the PF FAQ.

Thanks,

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
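The layering and the pf rule style described in the reply, written out as a set of OpenBSD configuration fragments. This is an added example, not configuration from the thread or from Jason; it keeps the interface names from the question (pcn0, vlan10, carp10) and assumes everything else: the 192.0.2.0/24 addresses are constructed RFC 5737 documentation addresses, vhid 10 and the CARP password are placeholders, and the keyword spelling follows ifconfig(8) of that era, so check it against the installed release.

```conf
# /etc/hostname.pcn0 -- physical NIC, carries tagged frames only, no IP
up

# /etc/hostname.vlan10 -- this firewall's own (not shared) address on VLAN 10
# 192.0.2.2/24 is a constructed example address; the second firewall gets
# its own distinct address here (e.g. 192.0.2.3).
inet 192.0.2.2 255.255.255.0 NONE vlan 10 vlandev pcn0

# /etc/hostname.carp10 -- the shared address that moves between the two
# firewalls. vhid 10 and the password are assumptions; use advskew 0 on the
# preferred master and a higher value (e.g. 100) on the backup.
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 10 pass REPLACE_ME carpdev vlan10 advskew 0

# /etc/pf.conf (excerpt) -- filter on the vlan "device", but name addresses
# and networks through the carp interface so macros expand from the shared IP
ext_if = "vlan10"
set skip on lo
block in log on $ext_if
# both firewalls must see each other's CARP advertisements (IP proto 112)
pass in on $ext_if proto carp from ($ext_if:network) to 224.0.0.18 keep state
# management only to the shared address, from the local network, stateful
pass in on $ext_if inet proto tcp from (carp10:network) to (carp10) port 22 flags S/SA keep state
pass out on $ext_if keep state
```

Before loading, `pfctl -nf /etc/pf.conf` parses the ruleset without applying it; after bringing the interfaces up, `ifconfig carp10` should report MASTER on exactly one firewall and BACKUP on the other, which is the quickest check that the carp-over-vlan-over-pcn0 stack is actually exchanging advertisements.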