Re: OpenBGP on firewall

2006-02-17 Thread Paolo Supino

Hi Henning

Thanx for the reply :-)
How do I make sure that the master is the one that advertises the routes
to avoid asymmetric traffic and packet loss?
Since these FW systems will also act as IPSEC peers (2 permanent and
a couple of concurrent road warriors), what would you estimate to be
good enough hardware that will keep up with the load (ballpark numbers
will do ;-))?

TIA
Paolo



Henning Brauer wrote:

> * Paolo Supino <[EMAIL PROTECTED]> [2006-02-16 19:54]:
> > I started working for a company whose production site is running 2
> > PIX firewalls with no VRRP (to save cost on licensing, duh). I offered
> > and they approved to replace them with 2 OpenBSD and CARP. In front of
> > the FW there is a Cisco 7200 router doing BGP. I offered to remove the
> > router and use OpenBGP on the OpenBSD firewalls instead, thus achieving
> > failover on BGP too. But I don't know whether this is a good idea or
> > should I add 2 more OpenBSD systems specifically for BGP?
>
> in principle, using bgpd on the same machines is fine. you should take
> care that the carp master also is the one that announces the best route
> to you so that you don't get too asymmetric traffic flows. otherwise
> you'll see performance issues and some packet loss, likely.
> with separate machines for bgpd and stateless filtering that is not an
> issue at all.
> I always wanted to add something so that you can make a prepend-self 1
> depending on carp state... maybe i should revive that idea




Re: OpenBGP on firewall

2006-02-17 Thread Henning Brauer
* Paolo Supino <[EMAIL PROTECTED]> [2006-02-16 19:54]:
> I started working for a company whose production site is running 2
> PIX firewalls with no VRRP (to save cost on licensing, duh). I offered
> and they approved to replace them with 2 OpenBSD and CARP. In front of
> the FW there is a Cisco 7200 router doing BGP. I offered to remove the
> router and use OpenBGP on the OpenBSD firewalls instead, thus achieving
> failover on BGP too. But I don't know whether this is a good idea or
> should I add 2 more OpenBSD systems specifically for BGP?

in principle, using bgpd on the same machines is fine. you should take
care that the carp master also is the one that announces the best route
to you so that you don't get too asymmetric traffic flows. otherwise
you'll see performance issues and some packet loss, likely.
with separate machines for bgpd and stateless filtering that is not an
issue at all.
I always wanted to add something so that you can make a prepend-self 1
depending on carp state... maybe i should revive that idea

-- 
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
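An added example (not from the thread, and not Henning's carp-aware prepend) of what his advice looks like in bgpd.conf when the preference is fixed statically: both firewalls peer with the upstream router, and the intended backup prepends its own AS once so the upstream prefers the route announced by the intended CARP master. The AS numbers, addresses, prefix and the interface name carp0 are constructed placeholders, and the commented-out `depend on` neighbor option is an assumption about later bgpd versions than the one discussed here.

```conf
# fw-a: the intended CARP master (lower advskew on carp0).
AS 64500
router-id 192.0.2.11
network 203.0.113.0/24

neighbor 192.0.2.1 {
	remote-as	64496
	descr		"upstream (Cisco 7200)"
	# Assumption: newer bgpd than this thread. Keeps the session up
	# only while carp0 is master, so a backup never announces at all.
	# depend on carp0
}

deny from any
deny to any
allow from 192.0.2.1
# The master announces the prefix with the shortest possible AS path.
allow to 192.0.2.1 prefix 203.0.113.0/24

# ---------------------------------------------------------------
# fw-b: the intended CARP backup (higher advskew on carp0).
AS 64500
router-id 192.0.2.12
network 203.0.113.0/24

neighbor 192.0.2.1 {
	remote-as	64496
	descr		"upstream (Cisco 7200)"
	# depend on carp0
}

deny from any
deny to any
allow from 192.0.2.1
# Same prefix with our AS prepended once: while both sessions are up
# the upstream prefers fw-a's shorter path, so inbound traffic enters
# the CARP master. If fw-a's session drops, this path is the only one.
# Caveat: a CARP failover that leaves fw-a's session up still pulls
# inbound traffic into fw-a, which is the case the carp-aware prepend
# (or depend on) is meant to fix.
allow to 192.0.2.1 prefix 203.0.113.0/24 set prepend-self 1
```

The iBGP session between the two boxes and the carp advskew settings that make fw-a the preferred master are left out; the static prepend only matches reality while that preference holds.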



Re: OpenBGP on firewall

2006-02-16 Thread Reto Burkhalter
Hi

I tried something similar: 2x machines (FreeBSD) with OpenBGPD,
CARP (for fail-over of the internal default gateway), PF and pfsync.

I encountered problems especially with asymmetrically routed traffic.
E.g. traffic coming in via router 1, going to the client/server and
going out via router 2. pf/pfsync sets up the session and replicates
states to the other machine - the connection is established... but
I have massive problems with really transferring data (which means,
POP3 login works, small mails are downloaded, but then it interrupts).

Maybe I have mistakes in the pf.conf (I use keep state everywhere...).
I am also not sure if this setup is a clever idea... anyone?

Regards,
Reto


> I started working for a company whose production site is running 2
> PIX firewalls with no VRRP (to save cost on licensing, duh). I offered
> and they approved to replace them with 2 OpenBSD and CARP. In front of
> the FW there is a Cisco 7200 router doing BGP. I offered to remove the
> router and use OpenBGP on the OpenBSD firewalls instead, thus achieving
> failover on BGP too. But I don't know whether this is a good idea or
> should I add 2 more OpenBSD systems specifically for BGP?
>
>
> TIA
> Paolo
>
> PS - The FWs will be single CPU Dell PowerEdge 1850 systems with
> (probably) 1GB RAM.



OpenBGP on firewall

2006-02-16 Thread Paolo Supino

Hi

I started working for a company whose production site is running 2
PIX firewalls with no VRRP (to save cost on licensing, duh). I offered
and they approved to replace them with 2 OpenBSD and CARP. In front of
the FW there is a Cisco 7200 router doing BGP. I offered to remove the
router and use OpenBGP on the OpenBSD firewalls instead, thus achieving
failover on BGP too. But I don't know whether this is a good idea or
should I add 2 more OpenBSD systems specifically for BGP?



TIA
Paolo

PS - The FWs will be single CPU Dell PowerEdge 1850 systems with 
(probably) 1GB RAM.