Re: OSPFd, CARP and pfsync
Claudio Jeker wrote:
> On Tue, Oct 10, 2006 at 07:59:23PM +0200, Ronnie Garcia wrote:
> > I have an OSPF enabled backbone and want to insert two firewalls.
> > Each firewall will be connected to one different core router.
> >
> > My idea is to set up OSPFd on the interfaces plugged into the core, and
> > CARP on the interfaces plugged into the other side (servers network). I
> > have no routing protocol inside the servers network.
> >
> > From the servers side, traffic will go out from the firewall owning the
> > shared IP (the "master" firewall).
> > From the internet side, traffic will go in from both firewalls,
> > whichever is the nearest from the core router.
> >
> > With this design, a SYN packet can enter through FW2 and the
> > corresponding ACK packet go back through FW1.
> >
> > Will pfsync just handle the split sessions happily? Will it handle the
> > load for, say, 10k pps?
>
> You normally don't want to do split routing through firewalls. Even though
> pfsync may allow it, it will hurt performance because pfsync updates are
> done in batches. It is far better to just prefer the active router over the
> other. (This is actually what OpenOSPFD does (it announces the network only
> on the active router)).

Thanks for all your replies, I will go for the active/standby solution.

> Instead of using direct connections into your two core routers it would be
> better to use two interconnected switches to connect all four routers on
> one LAN.

What I called "core routers" are actually two Cisco 3560, which are layer 3
switches.

Regards,
-- 
Ronnie Garcia
Re: OSPFd, CARP and pfsync
On Tuesday 10 October 2006 19:59, Ronnie Garcia wrote:
> I have an OSPF enabled backbone and want to insert two firewalls.
> Each firewall will be connected to one different core router.
...
> With this design, a SYN packet can enter through FW2 and the
> corresponding ACK packet go back through FW1.
>
> Will pfsync just handle the split sessions happily? Will it handle
> the load for, say, 10k pps?

I've tried exactly that and it was not reliable. The solution is pretty
simple though, just make sure only one fw at a time is active. I've used
Quagga with some ifstated-type hacks to make it work but these days
OpenOSPFD sounds like your good friend. Or use CARP on both sides if that's
an alternative.

/Andreas
Re: OSPFd, CARP and pfsync
* Chris Cappuccio <[EMAIL PROTECTED]> [2006-10-10 20:56]:
> Ronnie Garcia [EMAIL PROTECTED] wrote:
> >
> > Will pfsync just handle the split sessions happily? Will it handle the
> > load for, say, 10k pps?
>
> with a soekris net4501? no
>
> with a 500mhz celeron or higher? yes

uh, careful. pfsync is not realtime, it is only near-realtime, so a tcp
session coming in through fw A and going out through B _might_ be
problematic wrt window scaling and friends. Note the "might", it depends on
a number of factors.

and no, it is not feasible to make pfsync realtime.

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
Re: OSPFd, CARP and pfsync
On Tue, Oct 10, 2006 at 07:59:23PM +0200, Ronnie Garcia wrote:
> Hello,
>
> I have an OSPF enabled backbone and want to insert two firewalls.
> Each firewall will be connected to one different core router.
>
> My idea is to set up OSPFd on the interfaces plugged into the core, and
> CARP on the interfaces plugged into the other side (servers network). I
> have no routing protocol inside the servers network.
>
> From the servers side, traffic will go out from the firewall owning the
> shared IP (the "master" firewall).
> From the internet side, traffic will go in from both firewalls,
> whichever is the nearest from the core router.
>
> With this design, a SYN packet can enter through FW2 and the corresponding
> ACK packet go back through FW1.
>
> Will pfsync just handle the split sessions happily? Will it handle the
> load for, say, 10k pps?
>

You normally don't want to do split routing through firewalls. Even though
pfsync may allow it, it will hurt performance because pfsync updates are
done in batches. It is far better to just prefer the active router over the
other. (This is actually what OpenOSPFD does (it announces the network only
on the active router)).

Instead of using direct connections into your two core routers it would be
better to use two interconnected switches to connect all four routers on
one LAN.

-- 
:wq Claudio
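A constructed toy model of the batching problem Claudio and Henning describe, added here and not code from the thread: two firewalls share state only when pfsync flushes a batch, so a reply that returns through the other firewall before the flush finds no state and is dropped. Addresses, the batch interval and the reply delay are assumptions chosen to illustrate the race.

```python
"""Why asymmetric flows across two pfsync peers are fragile (constructed model)."""
from dataclasses import dataclass, field


@dataclass
class Firewall:
    name: str
    states: set = field(default_factory=set)     # flows that have a pf state
    pending: list = field(default_factory=list)  # pfsync updates not yet flushed

    def handle(self, flow, syn):
        """pf's stateful check: a SYN creates state, anything else needs one."""
        if syn:
            self.states.add(flow)
        elif flow not in self.states:
            return "drop"          # peer's state has not arrived yet
        self.pending.append(flow)  # queue a pfsync update for the peer
        return "pass"

    def flush(self, peer):
        """Deliver the batched pfsync updates to the peer in one go."""
        peer.states.update(self.pending)
        self.pending.clear()


def simulate(split_path, batch_ms, reply_delay_ms):
    """Replay a SYN and its reply, returning (packet, firewall, verdict) tuples.

    Constructed timing: pfsync flushes every batch_ms (0 = hypothetical
    realtime sync); the reply shows up reply_delay_ms after the SYN.
    """
    fw1, fw2 = Firewall("fw1"), Firewall("fw2")
    flow = ("198.51.100.7", 40000, "10.0.0.5", 80)  # constructed addresses
    verdicts = []
    # The SYN enters through fw2, the firewall nearest to the client's core router.
    verdicts.append(("SYN", fw2.name, fw2.handle(flow, syn=True)))
    # The first batch after the SYN leaves at batch_ms; has it reached fw1 yet?
    if batch_ms == 0 or reply_delay_ms >= batch_ms:
        fw2.flush(fw1)
    # The server's reply leaves via the CARP master (fw1) only on a split path.
    egress = fw1 if split_path else fw2
    verdicts.append(("SYN-ACK", egress.name, egress.handle(flow, syn=False)))
    return verdicts


if __name__ == "__main__":
    for args in ((True, 100, 20), (True, 100, 150), (False, 100, 20)):
        print(args, simulate(*args))
```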
Re: OSPFd, CARP and pfsync
Ronnie Garcia [EMAIL PROTECTED] wrote:
>
> Will pfsync just handle the split sessions happily? Will it handle the
> load for, say, 10k pps?
>

with a soekris net4501? no

with a 500mhz celeron or higher? yes

-- 
"Do you even send e-mails?"
"I told you, I'm from the Wild West. I write by hand." -- Chuck Norris
OSPFd, CARP and pfsync
Hello,

I have an OSPF enabled backbone and want to insert two firewalls.
Each firewall will be connected to one different core router.

My idea is to set up OSPFd on the interfaces plugged into the core, and
CARP on the interfaces plugged into the other side (servers network). I
have no routing protocol inside the servers network.

From the servers side, traffic will go out from the firewall owning the
shared IP (the "master" firewall).
From the internet side, traffic will go in from both firewalls,
whichever is the nearest from the core router.

With this design, a SYN packet can enter through FW2 and the corresponding
ACK packet go back through FW1.

Will pfsync just handle the split sessions happily? Will it handle the
load for, say, 10k pps?

Kind regards,
-- 
Ronnie Garcia