Firewall Failover with CARP
This tutorial will be on Firewall Failover with CARP, pf and pfsync. The purpose is to build a redundant firewall using two FreeBSD boxes, so that if one of your firewalls fails, the other will take over (when you really need 24 hours/day internet connectivity, you do not want your hardware to fail).

<insert picture>

1. Add KERNEL support on both firewalls for PF and CARP
----------------------------------------------------------------------

Compile your kernel with support for PF, PFlog, PFsync and CARP by adding the following lines to the kernel config file on both firewalls, then recompile and install the kernel:

    device pf
    device pflog
    device pfsync
    device carp

Also, to use the ALTQ traffic shaping disciplines, add the following lines to the kernel config:

    options ALTQ
    options ALTQ_CBQ
    options ALTQ_RED
    options ALTQ_RIO
    options ALTQ_HFSC
    options ALTQ_PRIQ

2. Set sysctl variables
--------------------------

You will need to set the following sysctl variables (add them to /etc/sysctl.conf):

    net.inet.carp.allow=1
    net.inet.carp.preempt=1     # failover carp interfaces
    net.inet.carp.log=1
    net.inet.carp.arpbalance=0  # for security
    net.inet.tcp.blackhole=2
    net.inet.udp.blackhole=1

3. Setting firewalls
-------------------------

3.1 Setting Firewall A

Add the following line to /etc/rc.conf:
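A failover pair only helps if both boxes really carry the kernel devices from step 1 and the sysctl settings from step 2; a missing net.inet.carp.preempt or pfsync device on one node is easy to overlook until the other node goes down. The script below is an added example, not part of the original tutorial: it checks a kernel config file and a sysctl.conf against the lines the two steps require, ignoring comments and whitespace. The file names, the temporary directory and the sample file contents are constructed for the demonstration; only the required lines themselves come from the tutorial.

```shell
#!/bin/sh
# Added example (not from the tutorial): verify that a kernel config and a
# sysctl.conf contain every line steps 1 and 2 require. Sample files are
# constructed here so the script runs offline.

# Required kernel devices from step 1 (the ALTQ options are optional, so they
# are not checked).
KERNEL_REQUIRED="device pf
device pflog
device pfsync
device carp"

# Required sysctl settings from step 2.
SYSCTL_REQUIRED="net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.log=1
net.inet.carp.arpbalance=0
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1"

# check_lines FILE REQUIRED: report each required line absent from FILE.
# Comments are stripped and whitespace normalised before comparing, so
# "device  pf" and "net.inet.carp.log = 1  # note" still match.
# Returns 0 when nothing is missing, 1 otherwise.
check_lines() {
    file=$1
    required=$2
    normalised=$(sed -e 's/#.*//' \
                     -e 's/[[:space:]]*=[[:space:]]*/=/' \
                     -e 's/[[:space:]][[:space:]]*/ /g' \
                     -e 's/^ //' -e 's/ $//' "$file")
    missing=$(printf '%s\n' "$required" | while IFS= read -r line; do
        printf '%s\n' "$normalised" | grep -qxF -- "$line" || printf '%s\n' "$line"
    done)
    if [ -n "$missing" ]; then
        printf 'missing in %s:\n%s\n' "$file" "$missing" >&2
        return 1
    fi
    return 0
}

check_kernel_config() { check_lines "$1" "$KERNEL_REQUIRED"; }
check_sysctl_conf()   { check_lines "$1" "$SYSCTL_REQUIRED"; }

# Constructed sample files (hypothetical contents, not a real installation).
CARP_DEMO_DIR=$(mktemp -d)

cat > "$CARP_DEMO_DIR/FIREWALL" <<'EOF'
ident   FIREWALL
device  pf
device  pflog
device  pfsync
device  carp
options ALTQ
EOF

cat > "$CARP_DEMO_DIR/sysctl.conf.good" <<'EOF'
net.inet.carp.allow=1
net.inet.carp.preempt=1       # failover carp interfaces
net.inet.carp.log = 1
net.inet.carp.arpbalance=0    # for security
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
EOF

# Same file with preempt forgotten: the node would never take over.
grep -v 'net.inet.carp.preempt' "$CARP_DEMO_DIR/sysctl.conf.good" \
    > "$CARP_DEMO_DIR/sysctl.conf.bad"

# Demonstration run: the first two checks pass, the third reports the gap.
for f in "$CARP_DEMO_DIR/FIREWALL"; do
    if check_kernel_config "$f"; then echo "kernel config ok: $f"; fi
done
for f in "$CARP_DEMO_DIR/sysctl.conf.good" "$CARP_DEMO_DIR/sysctl.conf.bad"; do
    if check_sysctl_conf "$f"; then echo "sysctl.conf ok: $f"; else echo "sysctl.conf FAILED: $f"; fi
done
```

On a real pair you would point check_kernel_config at the kernel config under /usr/src/sys/<arch>/conf on each box and check_sysctl_conf at each /etc/sysctl.conf; run it on both nodes, since a setting present on only one of them is exactly the kind of drift that turns a failover into an outage.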