Re: [pfSense Support] CARP and Bridging

2009-06-26 Thread Jim Pingle
Joseph Hardeman wrote:
> One other question now that I think of it.
>
> Does CARP work between two firewalls that are running in full Bridge
> mode, no NATing done at all, just port blocking on the WAN interface?
> We have two firewalls and I want to make sure any states are kept intact
> on the chance we have to failover to the secondary.

I've done something similar with a CARP cluster that has a LAN and DMZ,
where the DMZ is bridged to WAN. I have my switches doing STP and
shutting down the ports for the inactive firewall, but there are other
ways to get it done, too.

There are a couple concepts discussed in this forum thread:
http://forum.pfsense.org/index.php/topic,4984.0.html

Those involve keeping the bridge interface on the backup unit down until
it becomes master. The first is a script that runs from cron that checks
every minute to see if the change has happened, and keeps bringing the
bridge up if a system is master. The main downside is that you have to
wait on the cron script to run to see the change.

The second is only possible in 1.2.3-RC snapshots and on 2.0, where you
can use devd to catch the transition event and call a script to change
the bridge accordingly at the exact moment it happens, no waiting for
cron to run and pick up on the change. Going this route is faster, but
may cause some weirdness if you see the CARP transition flapping at all.

In 2.0 I believe you can configure STP right on the bridge interface
which may be the better way in the long run.

Jim

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org
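
The cron-driven approach described in the reply above, as an added example that is not part of the thread or of pfSense itself: the script reads the CARP state from ifconfig(8) output, maps only MASTER to "bridge up" so a BACKUP or INIT node never forwards, and records the last action so a run every minute does not re-issue ifconfig commands. The interface names carp0 and bridge0, the state file path, and the `--live` flag are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether the bridge on a
# CARP node should be up, based on the CARP state shown by ifconfig(8).
# Assumes the CARP interface is carp0 and the bridge is bridge0
# (pfSense 1.2.x-style names; override via the environment).

CARP_IF="${CARP_IF:-carp0}"
BRIDGE_IF="${BRIDGE_IF:-bridge0}"
STATE_FILE="${STATE_FILE:-/var/run/carp_bridge.state}"

# Extract the state word (MASTER, BACKUP or INIT) from ifconfig output.
# Prints UNKNOWN when no "carp:" line is present (e.g. interface missing).
carp_state_from_output() {
    state=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*carp: \([A-Z]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${state:-UNKNOWN}"
}

# Only the MASTER should have its bridge forwarding; BACKUP, INIT and
# UNKNOWN all map to "down" so an uncertain node cannot create a loop.
bridge_action_for() {
    case "$1" in
        MASTER) echo up ;;
        *)      echo down ;;
    esac
}

# Apply the action only when it differs from the last recorded one, so a
# cron run every minute does not keep re-issuing ifconfig commands.
apply_bridge_action() {
    action="$1"
    last=""
    [ -r "$STATE_FILE" ] && last=$(cat "$STATE_FILE")
    if [ "$action" != "$last" ]; then
        ifconfig "$BRIDGE_IF" "$action"
        printf '%s\n' "$action" > "$STATE_FILE"
    fi
}

# Constructed sample of ifconfig output in the FreeBSD 7/8 format that
# pfSense 1.2.x prints for a carp interface (not captured from a real box).
SAMPLE_MASTER='carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 192.0.2.1 netmask 0xffffff00
        carp: MASTER vhid 1 advbase 1 advskew 0'

# Live mode (for a cron entry or a devd action): read the real interface.
if [ "${1:-}" = "--live" ]; then
    apply_bridge_action "$(bridge_action_for "$(carp_state_from_output "$(ifconfig "$CARP_IF")")")"
fi
```

The same script, invoked with `--live`, can serve as the action of a devd rule for the event-driven variant the reply mentions, with the state-file check damping repeated runs during a flapping transition.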



[pfSense Support] CARP and Bridging

2009-06-25 Thread Joseph Hardeman

One other question now that I think of it.

Does CARP work between two firewalls that are running in full Bridge 
mode, no NATing done at all, just port blocking on the WAN interface? 

We have two firewalls and I want to make sure any states are kept intact 
on the chance we have to failover to the secondary.


Joe
