On Aug 20, 2008, at 12:06 AM, Marco Fretz wrote:

Is it possible to have two OpenBSD bridging firewalls work together
with CARP now?

What do you mean by "work together"? Only fail-over? load-share?

Fail-over is my primary concern.


Update the ifp of bridge cache entries if the entry is not static.
This makes carp(4) fail-over work over bridge(4).

I think this means only that it is possible to use carp over bridges,
not for bridges. But maybe I'm wrong. :-)

Ah, that makes sense I suppose since I can't find many references to this particular scenario elsewhere!

So my question is, am I understanding this right if I say that it is
indeed possible to set up a pair of redundant carped firewalls using
OpenBSD 4.2 or above?

Bridges are layer 2, carp is layer 3 (it shares IP addresses). So carp
cannot handle this by its nature, I think. Just place both bridges
in your LAN and you have your fail-over solution. I've never done
anything with OpenBSD bridges, but as I know it from bridge-utils on
Linux, you can set STP priority and costs to influence spanning tree path
selection. Of course your LAN switch should be capable of basic
spanning-tree functions as well.

After the first bridge goes down, spanning tree automatically takes the
next best path by setting the needed switch ports to forwarding (instead
of blocking).

This sounds like the best route for us. I will experiment and see if I can get it working like this later today.

Thanks for your advice!

Alec
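Added example (not from any participant in this thread): the STP-based bridge fail-over Marco describes, written as OpenBSD hostname.if(5) fragments. The interface names em0/em1, the bridge name bridge0 and the priority and cost values are assumptions chosen for illustration; the keywords (add, stp, spanpriority, ifcost, up) are the bridge options documented in ifconfig(8). The two firewalls get identical member configuration and differ only in spanpriority, so the switch fabric prefers the path through firewall A and unblocks the path through firewall B when A disappears.

```conf
# /etc/hostname.em0 on both firewalls: LAN-side bridge member.
# No IP address; the interface only needs to be up to be bridged.
up

# /etc/hostname.em1 on both firewalls: uplink-side bridge member.
up

# /etc/hostname.bridge0 on firewall A (preferred path).
add em0
add em1
stp em0            # run spanning tree on both member ports
stp em1
spanpriority 4096  # low value = high bridge priority, so A's path wins
ifcost em0 10      # assumed equal port costs; tune if link speeds differ
ifcost em1 10
up

# /etc/hostname.bridge0 on firewall B (standby path): same as A except
# a worse (numerically higher) bridge priority, e.g.
#   spanpriority 16384
# Leave everything else identical so B's ports stay blocked until A fails.
```

After `sh /etc/netstart bridge0` (or a reboot), `ifconfig bridge0` lists each member with its STP state (blocking, learning or forwarding), which is the first thing to check when verifying fail-over: pull A's cable and confirm B's ports move to forwarding within the STP forward delay. As Marco notes, this only works if the switches the members plug into run spanning tree as well. One practitioner caveat: because this design is purely layer 2, pfsync(4) plays no part in it, so pf states established through A are not known to B and existing connections are re-evaluated against B's rules after a fail-over.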
