Arjen Van Drie wrote:
> Vinicius Vianna wrote:
> > If you wanna route packets from the internet to the SWs, you need
> > some IP on the OpenBSD's interfaces to the switches.
> > I remember being able to set IP addresses on bridged interfaces with
> > ifconfig, don't know if this is a good approach but was usable at the
> > time.
> I also did that, set IP addresses on the physical interfaces. I gave
> them both the same IP address (since the subnet behind it needs that as
> default gateway), but when I pulled out the cable to the master switch
> the inet routing table kept pointing towards the NIC that just went
> down, and I haven't figured out a way to set the same route on two
> different interfaces.
If you need to change routing on the event of a NIC going down you need
to use ifstated(8); check the man page for it on your system or the website.
> > Maybe your best approach is to set a trunk between the switches, if
> > you wanna redundancy, maybe there's a need for two openbsd firewalls,
> > one on each switch?
> I also tried a trunk on both NICs. STP went away and the switches did
> not see each other (as said below). Adding a second firewall is in the
> planning, but I first want to get it to work with one firewall.
The trunk would be between the switches, not involving the openbsd fw at
all, so all your switches will appear as one, but I don't know the
details of your network setup to know if it's the right thing to do;
you have to do some research for it.
> > Or are you using different subnets in the switches, and the openbsd
> > tries to decide who is up to forward the packets (like some rdr rules on
> > pf?).
> I would like to set it up as transparent as possible; redirecting
> packages in case of path failover is the last thing I want to do.
> In Linux (and a friend of mine was nearly certain to have also done it
> with freebsd) I can set an IP on an ethernet bridge. I chose openbsd for
> carp and pfsync which I use on the external interface (no STP here) for
> failover with the to-be-added second firewall.
I did it on OpenBSD: had the internet coming in on em0, the switch on
em1, a bridge with em0 and em1 with no IP set up on it, and put a
subnet address on em1, so the synproxy rules could route and work on a
transparent bridge firewall, and it did work very well :)
But I think you need some network knowledge; do some research on your
routing table on the firewall, some "route get" commands to check how
the server would route some packets on it. Don't know how carp could
help in this setup since it was designed to work on different servers,
not on the same server with different NICs (am I right here?), but
mixing bridges with IP addresses, gateways and pf can be difficult sometimes.
> Thanks,
> Arjen.
You're welcome :)
Vinicius
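The two setups discussed in this thread, written out as an added example that is not part of either poster's mail: the transparent bridge with an address on the LAN-side member (so pf's synproxy rules have something to route through), plus an ifstated(8) configuration that answers the "route keeps pointing at the dead NIC" problem by moving the LAN address to whichever NIC actually has link. Interface names (em0, em1, em2), the 192.168.1.0/24 subnet, the web server address and the file contents are all constructed for illustration; ifstated only watches link state, so a switch that is up but not forwarding would need an additional `every`-based ping test, which is left out here.

```conf
# /etc/hostname.em0  (constructed: internet-facing bridge member, no address)
up

# /etc/hostname.em1  (constructed: LAN-facing bridge member, carries the address
# that lets pf route synproxied connections; em2 has no address at boot)
inet 192.168.1.1 255.255.255.0 NONE

# /etc/hostname.bridge0  (constructed: the transparent bridge itself has no IP)
add em0
add em1
up

# /etc/pf.conf fragment (constructed): synproxy inbound web traffic to a host
# behind the bridge; pf completes the handshake itself before the server sees it
ext_if  = "em0"
web_srv = "192.168.1.10"
pass in on $ext_if proto tcp from any to $web_srv port 80 \
    flags S/SA synproxy state

# /etc/ifstated.conf (constructed): keep the LAN address, and therefore the
# connected route for 192.168.1.0/24, on a NIC that has link. em1 is the cable
# to the master switch, em2 the cable to the backup switch (assumed names).
# Enable with ifstated_flags="" in /etc/rc.conf.local.
init-state auto

em1_up = "em1.link.up"
em2_up = "em2.link.up"

# Decide where the address belongs; master switch wins when both have link.
state auto {
	if $em1_up
		set-state via_em1
	if $em2_up
		set-state via_em2
}

state via_em1 {
	init {
		# Removing the address from em2 also removes its route entry,
		# so the kernel cannot keep preferring the interface that is down.
		run "ifconfig em2 delete"
		run "ifconfig em1 inet 192.168.1.1 netmask 255.255.255.0"
	}
	if ! $em1_up
		set-state auto
}

state via_em2 {
	init {
		run "ifconfig em1 delete"
		run "ifconfig em2 inet 192.168.1.1 netmask 255.255.255.0"
	}
	# Fall back to the master switch as soon as its link returns.
	if $em1_up
		set-state via_em1
	if ! $em2_up
		set-state auto
}
```

Moving the address rather than editing the routing table avoids the situation Arjen describes, where the same IP on two interfaces leaves one stale route: the connected route is installed and removed together with the address. The `ifconfig ... delete` in each `init` block fails harmlessly when that interface holds no address, and the `auto` state re-evaluates the link tests on every transition, so a flapping cable just bounces between the two states.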