Carp design verification

  • I am designing a new firewall solution for my network and I want to check my logic. I am going to virtualize the firewalls so I have better access to them in the server cluster.

    internet -- xen1 nic -- firewall 1 -- internal network
                                 ||carp              ||switch
    internet -- xen2 nic -- firewall 2 -- internal network

    firewall 1
    wan x.x.x.2 public ip
    lan x.x.1.2 private net for management
    sync x.x.2.2 dedicated net to other firewall
    dmz x.x.3.2 virtual server net

    firewall 2
    wan x.x.x.3 public ip
    lan x.x.1.3 private net for management
    sync x.x.2.3 dedicated net to other firewall
    dmz x.x.3.3 virtual server net

    carp vip x.x.x.? carp inbound for dedicated ip to virtual server
    carp vip x.x.1.1 lan gateway
    carp vip x.x.3.1 dmz gateway

    I am trying to make sure that when wall1 is shut down for maintenance or fails, wall2 keeps everything alive.

    Another thing: I would like it to share the load, but I'm not sure how that might work.

  • That setup would work for failover, yes, though you might want to call that dedicated interface "SYNC" to avoid confusing people when posting about it.

    pfSense doesn't support active-active, so you can't do load balancing between the two boxes.
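    The address plan from the first post and the failover behaviour confirmed in the reply, modelled as an added example (not code from this thread or from pfSense) so the design can be checked mechanically. The addresses are constructed placeholders standing in for the x.x.N.N values, and the master election is simplified to "the live member with the lowest advskew"; that simplification also shows why each VIP has exactly one owner at any moment, which is the reason there is no active-active load sharing between the pair.

```python
# Added example (not from the thread): a small model of the poster's CARP layout
# used to check that every VIP stays reachable when one firewall goes down.
# Addresses are constructed placeholders for the x.x.N.N values in the post.
import ipaddress
from dataclasses import dataclass

@dataclass
class Member:
    name: str
    advskew: int        # lower advskew wins the master election
    addrs: dict         # interface name -> "address/prefix"
    up: bool = True

# CARP VIPs from the first post: (interface, vhid, address/prefix)
VIPS = [
    ("wan", 1, "198.51.100.1/24"),   # inbound VIP for the virtual server
    ("lan", 2, "10.0.1.1/24"),       # LAN gateway
    ("dmz", 3, "10.0.3.1/24"),       # DMZ gateway
]

FW1 = Member("firewall1", advskew=0, addrs={
    "wan": "198.51.100.2/24", "lan": "10.0.1.2/24",
    "sync": "10.0.2.2/24", "dmz": "10.0.3.2/24"})
FW2 = Member("firewall2", advskew=100, addrs={
    "wan": "198.51.100.3/24", "lan": "10.0.1.3/24",
    "sync": "10.0.2.3/24", "dmz": "10.0.3.3/24"})

def check_addressing(members, vips):
    """Every VIP must sit in the subnet of a real address on every member,
    VHIDs must be unique on the shared segments, and the sync net carries
    no VIP (it is only for state/config replication)."""
    errors = []
    for iface, vhid, vip in vips:
        net = ipaddress.ip_interface(vip).network
        for m in members:
            real = m.addrs.get(iface)
            if real is None or ipaddress.ip_interface(real).network != net:
                errors.append(f"{m.name}: no address on {iface} in {net}")
    vhids = [v[1] for v in vips]
    if len(vhids) != len(set(vhids)):
        errors.append("duplicate VHID")
    if any(v[0] == "sync" for v in vips):
        errors.append("VIP on sync interface")
    return errors

def masters(members, vips, down=()):
    """Who holds each VHID: the live member (not in `down`) with the lowest
    advskew. Exactly one owner per VHID, so no load sharing across the pair."""
    live = [m for m in members if m.up and m.name not in down]
    return {vhid: (min(live, key=lambda m: m.advskew).name if live else None)
            for _, vhid, _ in vips}
```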

