Carp design verification
-
I am designing a new firewall solution for my network and I want to check my logic. I am going to virtualize the firewalls so I have better access to them in the server cluster.
internet -- xen1 nic -- firewall 1 -- internal network
                          || carp         || switch
internet -- xen2 nic -- firewall 2 -- internal network

firewall 1
  wan  x.x.x.2  public ip
  lan  x.x.1.2  private net for management
  sync x.x.2.2  dedicated net to other firewall
  dmz  x.x.3.2  virtual server net

firewall 2
  wan  x.x.x.3  public ip
  lan  x.x.1.3  private net for management
  sync x.x.2.3  dedicated net to other firewall
  dmz  x.x.3.3  virtual server net

carp vip x.x.x.?  carp inbound for dedicated ip to virtual server
carp vip x.x.1.1  lan gateway
carp vip x.x.3.1  dmz gateway

What I am trying to achieve: when wall1 is shut down for maintenance or fails, wall2 keeps everything alive.
Another thing: I would like them to share the load, but I'm not sure how that might work.
-
That setup would work for failover, yes, though you might want to call that dedicated interface "SYNC" to avoid confusing people when posting about it.
pfSense doesn't support active-active, so you can't do load balancing between the two boxes.
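As an added example that is not part of the original thread and is not pfSense's own code: the plain FreeBSD CARP and pfsync commands that the failover half of this design boils down to, plus two checks a practitioner would run against it (that both boxes agree on everything except advskew, and a parser for `ifconfig` output that shows per-VIP MASTER/BACKUP state). pfSense sets the same parameters from its web GUI; the raw form just makes visible what has to line up. Interface names (em0 to em3), the RFC 5737/1918 addresses, the vhid numbers and the password are assumptions, since the post only gives x.x.x.N placeholders, and the setup is active/passive only, as the reply says.

```shell
#!/bin/sh
# Added example, not code from the original thread or from pfSense itself:
# the FreeBSD-level CARP + pfsync configuration behind the two-firewall
# design above, plus two checks a practitioner would run against it.
# Assumptions (the post only gives x.x.x.N placeholders): em0=WAN, em1=LAN,
# em2=SYNC, em3=DMZ, documentation addresses, and the password below.

CARP_PASS='change-me'   # shared CARP password, must be identical on both boxes

# Print the commands for one box. "primary" gets advskew 0, "secondary"
# advskew 100; everything else (vhid, password, VIP) is identical, which is
# what lets the secondary take over the very same addresses.
carp_cmds() {
    case $1 in
        primary)   host=2; skew=0   ;;
        secondary) host=3; skew=100 ;;
        *) echo "usage: carp_cmds primary|secondary" >&2; return 1 ;;
    esac
    # Per-box addresses; the SYNC net carries pfsync only and needs no VIP.
    printf 'ifconfig em0 inet 203.0.113.%s/24\n' "$host"
    printf 'ifconfig em1 inet 10.0.1.%s/24\n' "$host"
    printf 'ifconfig em2 inet 10.0.2.%s/24\n' "$host"
    printf 'ifconfig em3 inet 10.0.3.%s/24\n' "$host"
    # Shared addresses: one vhid per VIP, unique within each broadcast domain.
    # 203.0.113.10 is the WAN VIP you would NAT to the DMZ server.
    vips='em0 1 203.0.113.10/24
em1 2 10.0.1.1/24
em3 3 10.0.3.1/24'
    printf '%s\n' "$vips" | while read -r ifn vhid vip; do
        printf 'ifconfig %s vhid %s advskew %s pass %s alias %s\n' \
            "$ifn" "$vhid" "$skew" "$CARP_PASS" "$vip"
    done
    # preempt: a link failure on one CARP interface demotes the whole box,
    # so it cannot stay master on LAN while it is backup on WAN (see carp(4)).
    echo 'sysctl net.inet.carp.preempt=1'
    # State-table replication over the dedicated SYNC interface, so existing
    # connections survive the failover instead of being reset.
    echo 'ifconfig pfsync0 syncdev em2 up'
}

# Check 1: the two boxes agree on everything except advskew.
carp_pair_ok() {
    a=$(carp_cmds primary   | grep ' vhid ' | sed 's/advskew [0-9]* //')
    b=$(carp_cmds secondary | grep ' vhid ' | sed 's/advskew [0-9]* //')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Check 2: read `ifconfig` output on stdin and print "vhid STATE iface" per
# VIP, so you can see whether a box is master on every VIP or split.
carp_states() {
    awk '/^[A-Za-z0-9]+:/ { ifn = $1; sub(/:$/, "", ifn) }
         /carp:/          { printf "%s %s %s\n", $4, $2, ifn }'
}

# Constructed sample of what carp_states expects (not real captured output):
# a box that is master on WAN and LAN but backup on DMZ, the split state
# that preempt is meant to prevent.
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 203.0.113.2 netmask 0xffffff00 broadcast 203.0.113.255
    inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255 vhid 1
    carp: MASTER vhid 1 advbase 1 advskew 0
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 10.0.1.1 netmask 0xffffff00 broadcast 10.0.1.255 vhid 2
    carp: MASTER vhid 2 advbase 1 advskew 0
em3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 10.0.3.1 netmask 0xffffff00 broadcast 10.0.3.255 vhid 3
    carp: BACKUP vhid 3 advbase 1 advskew 0'

# Demo: print the secondary's commands, run the pair check, parse the sample.
carp_cmds secondary
carp_pair_ok && echo 'pair check: ok'
printf '%s\n' "$SAMPLE_IFCONFIG" | carp_states
```

On a live pair the check is `ifconfig | carp_states` on each box: for every vhid one box should report MASTER and the other BACKUP, and after pulling wall1's WAN cable all three vhids should flip together, which is the behaviour the preempt sysctl buys you. If a box shows MASTER on some vhids and BACKUP on others, the two firewalls are split and traffic will be asymmetric.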