Firewall Failover With pfsync And CARP
Daniel Hartmeier writes "OpenBSD developer Ryan McBride explains the new firewall redundancy features in the upcoming OpenBSD 3.5 release in his article Firewall Failover with pfsync and CARP. CARP (Common Address Redundancy Protocol) is a free alternative to the patent-encumbered VRRP, responsible for electing masters in a firewall cluster, while pfsync synchronizes packet filter state information among nodes. The combination allows one to replace single-point-of-failure firewalls with clusters of two (or more) nodes, which continue to filter ongoing and new connections when nodes fail. Additional features like arpbalance allow one to share a single IP address for multiple servers, transparently balancing load among them, and adapting to servers failing. Pre-order for OpenBSD 3.5 has started; CDs will ship May 1st."
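The two-node setup the summary describes, written out as the master node's configuration (an added example, not taken from the article or from the OpenBSD project): the interface names em0/em1/em2, the addresses, the CARP password and the advskew values are assumptions, and the option spelling follows current ifconfig(8), which may differ slightly from the 3.5 release.

```conf
# /etc/hostname.carp0  -- shared external address; CARP elects the master.
# vhid identifies the group, pass authenticates advertisements,
# advskew 0 makes this node the preferred master (backup uses e.g. 100).
inet 203.0.113.1 255.255.255.0 203.0.113.255 vhid 1 pass ExampleCarpPass advskew 0

# /etc/hostname.carp1  -- shared internal address, same idea on the LAN side.
inet 192.168.1.1 255.255.255.0 192.168.1.255 vhid 2 pass ExampleCarpPass advskew 0

# /etc/hostname.em2  -- dedicated crossover link used only for state sync.
inet 10.0.0.1 255.255.255.0 NONE

# /etc/hostname.pfsync0  -- replicate pf state table over the sync link.
up syncdev em2

# /etc/sysctl.conf  -- let a recovered master take the address back,
# and fail over all CARP groups together if one interface goes down.
net.inet.carp.preempt=1

# /etc/pf.conf  -- the cluster's own traffic must be allowed and must not
# itself be synchronised, or the two nodes chase each other's state.
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"

set skip on lo

# pfsync: only on the crossover link, never on a routed interface.
pass quick on $sync_if proto pfsync keep state (no-sync)

# CARP advertisements on the interfaces carrying virtual addresses.
pass on { $ext_if $int_if } proto carp keep state (no-sync)

# Ordinary filtering; these states are what pfsync replicates.
block in log
pass out quick keep state
pass in on $int_if from 192.168.1.0/24 keep state
```

The backup node is identical apart from its own em2 address (for example 10.0.0.2) and a higher advskew on both carp interfaces; after a reboot of either node, `ifconfig carp0` should report one MASTER and one BACKUP, and `pfctl -ss` on the backup should list the master's states.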
Re:I wonder... (Score:2, Interesting)
First of all, I said Mb, not MB; call me conservative, but I'm used to counting bandwidth in bits, not bytes.
Second, as I stated, check your NIC and the drivers.
It means a lot when it comes to network handling.
(I remember how our old VAX 11/785 reacted when it shared a non-switched net with 2 Sparc servers; the poor VAX was down on its knees just by trying to ignore the traffic.)
And as a wider note, the performance of a system isn't only down to processor speed. There's tons of parameters, both hard and soft, that come into play.
Figuring out _what_ parameter to fiddle with is regarded as voodoo.
/ hdw
PS
No, I'm no speed guru, neither did I wave a dead chicken and dance backwards while installing that firewall.
I asked for a raw Internet feed to the labnet, and at that time we didn't have anything less than 100Mb/s to hand out. And the server played it nice.
ds.