Firewall Failover with CARP
Monday, 10 September 2007
This tutorial covers firewall failover with CARP, pf and pfsync. The purpose is to build a redundant firewall pair out of two FreeBSD boxes, so that if one firewall fails the other takes over (when you really need 24 hours/day internet connectivity, you do not want a single hardware failure to take you offline).


<insert picture>

1. Add KERNEL support on both firewalls for PF and CARP
----------------------------------------------------------------------
Compile your kernel with support for PF, pflog, pfsync and CARP by adding the following lines to the kernel config file on both firewalls, then recompile and install the kernel:

device pf
device pflog
device pfsync
device carp

Also, to use the ALTQ traffic shaping disciplines, add the following lines to the kernel config:

options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_PRIQ



2. Set sysctl variables
--------------------------

You will need to set the following sysctl variables (add them to /etc/sysctl.conf):

net.inet.carp.allow=1
net.inet.carp.preempt=1 # failover carp interfaces
net.inet.carp.log=1
net.inet.carp.arpbalance=0
# for security
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
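Added example, not part of the original tutorial: a small POSIX sh audit that checks a `key=value` listing (the format of /etc/sysctl.conf and of FreeBSD's `sysctl -e`) against the values required above and reports every missing or mismatched key. The input used by `demo` is constructed.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: audit a list of
# "key=value" lines (the format of /etc/sysctl.conf and of FreeBSD's
# `sysctl -e`) against the CARP and blackhole values the tutorial requires.

# Expected values, exactly as listed in section 2 of the tutorial.
EXPECTED="net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.log=1
net.inet.carp.arpbalance=0
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1"

# audit_sysctl FILE
# Returns 0 when every expected key is present with the expected value,
# 1 otherwise; each deviation is reported on stderr.
audit_sysctl() {
    file=$1
    status=0
    for entry in $EXPECTED; do
        key=${entry%%=*}
        want=${entry#*=}
        # Drop comments and whitespace; if a key is set more than once the
        # last assignment wins, as it does when sysctl.conf is applied.
        got=$(sed -e 's/#.*//' -e 's/[[:space:]]//g' "$file" |
              awk -F= -v k="$key" '$1 == k { v = $2 } END { print v }')
        if [ -z "$got" ]; then
            echo "MISSING  $key (want $want)" >&2
            status=1
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $key=$got (want $want)" >&2
            status=1
        fi
    done
    return $status
}

# demo: runs the audit on a constructed sysctl.conf with two problems
# (preempt disabled, udp.blackhole absent) and returns 1 to flag them.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
net.inet.carp.allow=1
net.inet.carp.preempt=0 # constructed fault: failover preemption off
net.inet.carp.log=1
net.inet.carp.arpbalance=0
net.inet.tcp.blackhole=2
EOF
    audit_sysctl "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

On a live firewall run `audit_sysctl /etc/sysctl.conf` for the boot-time file, or feed it the output of `sysctl -e net.inet.carp net.inet.tcp.blackhole net.inet.udp.blackhole` to check the running values.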



3. Setting up the firewalls
-------------------------

3.1 Setting up Firewall A

Add the following line to /etc/rc.conf:






Last Updated ( Wednesday, 12 March 2008 )