Hello,

We have installed an OpenBSD/PF firewall cluster with CARP, pfsync and load 
balancing for a VoIP provider. It has been installed since March and is running in 
a testing environment. If one machine of the cluster is shut down, the 
customer will notice it as a short interruption of his phone call (<<< 
1s).

Since I left the company and the other person left the company in March, there 
are no more people there supporting OpenBSD/PF. They decided to buy an Astaro 
Security Linux appliance, ASG 220, for 8500 sFr.

I had the pleasure to install the Astaro-Cluster :-(

- It took me about 3 days to set up the cluster.
- With the high availability option, the interruption lasts anywhere from 45s 
to > 1 min. In my tests, all phone calls and streams get lost; only 
https downloads get started again after > 1.5 min.
- If I configured IPs from the same subnet on two interfaces, the machine 
crashed several times. I had to switch off the power and power it up again. I 
wanted to configure a bridge (it has to have an IP) and on the third 
interface an IP in the same subnet as the bridge.
- Bridging is possible if you attach an IP to it. If you do not attach an IP 
to it, it is not possible to define packet filter rules.
- Transparent bridging is possible, but then all interfaces of your machine 
are transparently bridged!!!
- If I try to reset the machine to factory defaults, nothing happens. After 
one hour, I switched off the power because there was no other option to 
shut down the machine. After rebooting it, some values were switched back to 
factory defaults and others not.
- Enabling intrusion detection fails because the green indicator switches back 
to red when I try to configure the intrusion detection.
- Sometimes after I had to power off the machine, it took about 10 minutes or 
longer to start up (40 GB disk). Sometimes I had to restart them by switching 
off the power again to boot them up.
- I do not know how they handle the case where one VoIP server goes down 
- updating the packet filter rules ... now, we have a shell script which 
determines which servers are running and updates/reloads the firewall config.
- There is documentation, but the documentation is very lean (enough for the 
average user) and sometimes you have to try it out to see whether it works for your 
environment (how long states are kept, for example). OpenBSD has no 
documentation - but you will find everything in the man pages or on the net.


Regards to the OpenBSD developers for this amazing system!!!!
And I hope you never have the pleasure with Astaro for advanced firewalls.


Regards,

Cyrill

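The poster mentions a shell script that works out which VoIP servers are up and then updates or reloads the firewall config. On OpenBSD/PF the usual way to do that without touching the ruleset is a pf table: the rules reference the table, and the script replaces the table's contents with `pfctl -t <table> -T replace ...`. The script below is an added example written for this page, not the poster's script or anything from the cluster described; the server addresses (documentation range 192.0.2.0/24), the table name `voip_servers`, the SIP port and the ping-based probe are all assumptions for illustration.

```sh
#!/bin/sh
# Added example (not the poster's script): keep a pf table of live VoIP
# servers up to date so rules that reference the table follow server outages
# without reloading the whole ruleset. Assumed pf.conf fragment:
#
#   table <voip_servers> persist
#   pass in on $ext_if proto udp from any to <voip_servers> port 5060
#
# Addresses, table name and port below are assumptions for illustration.

VOIP_SERVERS="${VOIP_SERVERS:-192.0.2.10 192.0.2.11 192.0.2.12}"
TABLE="${TABLE:-voip_servers}"
PFCTL="${PFCTL:-pfctl}"

# probe_server HOST: exit 0 if HOST looks alive. A single ICMP echo is used
# here for simplicity; a production check should probe the SIP service itself.
probe_server() {
    ping -c 1 -w 2 "$1" >/dev/null 2>&1
}

# live_servers: print one address per line for every server that answers.
live_servers() {
    for s in $VOIP_SERVERS; do
        if probe_server "$s"; then
            printf '%s\n' "$s"
        fi
    done
}

# update_table: atomically replace the table contents with the live set.
# Refuses to empty the table when nothing answers, so a broken probe (or a
# monitoring host cut off from the network) cannot blackhole every call.
update_table() {
    live=$(live_servers)
    if [ -z "$live" ]; then
        echo "update_table: no VoIP server answered, leaving <$TABLE> unchanged" >&2
        return 1
    fi
    # $live is deliberately unquoted so each address becomes one argument.
    $PFCTL -t "$TABLE" -T replace $live
}

# Run from cron (for example every minute) with: sh voip_table.sh --apply
if [ "${1:-}" = "--apply" ]; then
    update_table
fi
```

Because `-T replace` swaps the whole address set in one operation, existing states for servers that are still up are untouched, and a server that disappears simply stops matching the `pass` rule on the next run.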