
Re: OT: Re: New PF Discussion Read... Read



Jeff Bachtel <jeff_(_at_)_cepheid_(_dot_)_org> writes:

> It would allow the potential for transparent failover between
> firewalls (no reset connections)

Indeed; see below.

> and also the potential for transparent load balancing (although
> Arvid made clear that he wasn't requesting that, per se).

I can manage without any direct support specifically for that in the
firewall.  VRRP and/or HSRP would be nice, eventually, of course, but
even without that it would be nice if I could do this:


                     Internet
                     |      |
                   Router Router   <-- These already talk HSRP
                   __|______|__
                    |        |
                   FW1      FW2    <-- These would interchange
                  __|________|___        state table entries
                   |  |  |  |  |
                  WS WS WS WS WS   <-- Half of these web servers
                                      would default route through
                                    FW1; the other half through FW2.


Without something more than just state table synchronization, the
routers would mostly route incoming packets through only one of my
firewalls; as long as the outgoing traffic exceeds the incoming
traffic, this would still give me load balancing where it counts.

And, assuming either that both the routers and the web servers can
have more than one static route to a given network (the default net,
in the case of the web servers) or that I run a routing protocol, this
gives me transparent failover without breaking connections.


--

Arvid
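Added example, not part of Arvid's message: a toy model of the two-firewall layout sketched above, used to check the two claims made there (replies for connections opened through the other firewall are only accepted when state entries are mirrored, and those mirrored entries are what lets connections survive a firewall failure). Firewall and server names, the client address and the traffic mix are constructed.

```python
# Added example (not from the original post): two stateful firewalls that
# optionally mirror state-table entries, fed by web servers whose default
# routes are split between them, while HSRP routers deliver all inbound
# traffic to FW1. Hosts, ports and traffic mix are constructed values.
from dataclasses import dataclass, field

@dataclass
class Firewall:
    name: str
    peers: list = field(default_factory=list)   # firewalls receiving state updates
    states: set = field(default_factory=set)    # (inside_host, outside_host) pairs
    dropped: int = 0

    def outbound(self, src, dst):
        """A web server opens a connection through this firewall: record the
        state locally and, when synchronization is on, push it to each peer."""
        key = (src, dst)
        self.states.add(key)
        for peer in self.peers:
            peer.states.add(key)

    def inbound(self, src, dst):
        """A reply from the Internet arrives here. Stateful filtering accepts
        it only if a matching state entry exists; otherwise it is dropped."""
        if (dst, src) in self.states:
            return True
        self.dropped += 1
        return False

def run(sync):
    fw1, fw2 = Firewall("FW1"), Firewall("FW2")
    if sync:
        fw1.peers, fw2.peers = [fw2], [fw1]
    # Constructed: six web servers, half default-routing via each firewall.
    servers = [f"ws{i}" for i in range(6)]
    egress = {ws: (fw1 if i % 2 == 0 else fw2) for i, ws in enumerate(servers)}
    client = "203.0.113.7"  # constructed client address (TEST-NET-3)
    for ws in servers:
        egress[ws].outbound(ws, client)
    # Routers speak HSRP, so one is active and all replies reach FW1 first.
    accepted = sum(fw1.inbound(client, ws) for ws in servers)
    # Failover: FW1 goes away and the same replies now reach FW2 instead.
    survived = sum(fw2.inbound(client, ws) for ws in servers)
    return {"accepted": accepted, "survived": survived,
            "dropped": fw1.dropped + fw2.dropped}

if __name__ == "__main__":
    print("with sync:   ", run(True))
    print("without sync:", run(False))
```

With mirroring on, every reply is accepted both before and after the failover; without it, half the replies are dropped at FW1 because the matching state lives only on FW2, and the other half are dropped once traffic shifts to FW2.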