Netgate Discussion Forum

    Active/Active filter bridge setup

    Category: Firewalling
    4 Posts 2 Posters 1.8k Views
    mloc

      We are looking to implement two pfSense transparent firewalls; we currently have one unit in and are testing it. We have two uplinks from our switches to our routers, and the firewalls will go between these. This is a quick diagram to give people an idea.

      Traffic can flow over either of the two uplinks. The two switches are trunked across a port channel. We are looking at two options when implementing this: either put the firewalls in as two independent units and allow them to filter traffic on each uplink, or else put them in and set them up in high availability (active/backup) mode.

      I am just looking for some opinions on which method people would recommend. I cannot see any issues with having them as two independent units, but am I missing something?

      blak111

        I would say to run them independently of each other. Someone else can correct me, but I believe that the CARP failover mechanisms do not work with transparent bridge operations.

        mloc

          Thank you for the reply. I presume the CARP failover would be used if the firewalls had virtual IPs setup on them instead of just using them as a transparent bridge? Anybody else have opinions on this?

          blak111

            Yeah, the CARP virtual IPs are for layer 3 virtualization. You would almost need an STP-type setup where one interface doesn't pass traffic unless the master fails.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.