Carl Roberso wrote:
NetOne - Doichin Dokov wrote:
The BGP problem is solved by doing this:


Thank you very much Doichin for pointing this out: all of you were so
helpful!

Best wishes!
You're more than welcome!

In fact, we also use a bit more complicated BGP setup. Don't know if it would be of any help for you, but I'll describe it here just for the thread to be complete in case anyone starts digging :)

The configuration I described in my previous post (3 IPs per upstream provider, 2 dedicated, 1 CARP-shared) works flawlessly, BUT traffic goes only through one of the routers at a time. As we were not just routing, but also doing a lot of shaping, we wanted to load-balance things and make both of the systems do some job when they are both up. So, the scheme grew from 3 to 4 IPs per upstream provider - 2 dedicated IPs for each firewall, and 2 CARP-shared IPs. Firewall #1 was default master for shared IP one, Firewall #2 was default master for shared IP two.
Let's say the IPs are:
Firewall #1
========
172.16.0.1 - static, not in CARP, used for BGP communication with upstream
172.16.0.3 - CARP shared, default master
172.16.0.4 - CARP shared, default slave

Firewall #2
========
172.16.0.2 - static, not in CARP, used for BGP communication with upstream
172.16.0.3 - CARP shared, default slave
172.16.0.4 - CARP shared, default master

Then, we told our provider to set nexthop to 172.16.0.3 for networks we sent to them with a community COMM1, and to set nexthop to 172.16.0.4 for networks we sent to them with a community COMM2. Then, in our BGP setup (equal on both firewalls, despite the IP address / router ID), all we had to do was mark half of the networks, which we wanted to go through Firewall #1 by default, with community COMM1, and the others, which should go to Firewall #2 by default, with community COMM2. Of course, you have to have a similar setup (though probably without BGP) on the internal side of the firewalls for things to work properly: again 2 CARP ifs, and traffic originating from the networks routed to Firewall #1 and Firewall #2 sent to the very same machine, otherwise you run into state problems, shaping problems (if you do that on the machines, we do), and maybe something else I could not come up with now :)

By the way, a nice new IP loadbalance option was recently added to CARP, which might obsolete the setup I describe, but I've not played with that yet.

Whatever you choose to do, you could always come back for help in case you need it.

Regards,
Doichin
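An added illustration, not taken from Doichin's mail: how the two-CARP-IP / two-community scheme he describes could be written down on OpenBSD, as hostname.carp files plus an OpenBGPD bgpd.conf for Firewall #1. The AS numbers, the community values 65001:1 and 65001:2 standing in for COMM1 and COMM2, the upstream address 172.16.0.254, the CARP password and the example prefixes are all assumptions; only the 172.16.0.x addresses and the master/slave roles come from the thread.

```conf
# --- Firewall #1: /etc/hostname.carp0 (shared IP one, this box is master) ---
inet 172.16.0.3 255.255.255.0 172.16.0.255 vhid 1 pass CARP_SECRET advskew 0

# --- Firewall #1: /etc/hostname.carp1 (shared IP two, this box is backup) ---
inet 172.16.0.4 255.255.255.0 172.16.0.255 vhid 2 pass CARP_SECRET advskew 100

# Firewall #2 uses the same two files with the advskew values swapped
# (vhid 1 advskew 100, vhid 2 advskew 0), so each shared IP has a
# different default master and both boxes carry traffic while both are up.

# --- Firewall #1: /etc/bgpd.conf ---
# Firewall #2 differs only in router-id and local-address, which are its
# own dedicated (non-CARP) address 172.16.0.2.
AS 65001                          # assumed local AS
router-id 172.16.0.1              # the dedicated, non-CARP address

# Half of our prefixes carry COMM1 (assumed 65001:1): the upstream sets
# nexthop 172.16.0.3 for them. The other half carry COMM2 (assumed
# 65001:2): the upstream sets nexthop 172.16.0.4.
network 198.51.100.0/25 set community 65001:1
network 198.51.100.128/25 set community 65001:2

neighbor 172.16.0.254 {           # assumed upstream router address
    remote-as 65000               # assumed upstream AS
    descr "upstream"
    local-address 172.16.0.1      # BGP speaks from the static IP, never the CARP IP
    announce all                  # "announce IPv4 unicast" on current OpenBGPD
}

# Only our own prefixes may leave; accept just a default route from upstream.
deny from any
deny to any
allow to 172.16.0.254 prefix 198.51.100.0/25
allow to 172.16.0.254 prefix 198.51.100.128/25
allow from 172.16.0.254 prefix 0.0.0.0/0
```

If one firewall goes down, CARP moves both shared IPs to the survivor, so the nexthops the upstream installed stay reachable without any BGP reconvergence on the community-tagged prefixes.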
