OpenBSD Journal

Redundant Bridging Firewall on OpenBSD

Contributed by sean on from the hitting-your-gear-with-hammers dept.

Teguh Iskanto S. writes: I was looking for a good reference website for redundant OBSD transparent firewall setups and came across this website (http://seattlecentral.edu/~dmartin/docs/bridge.html). Although the document states that it uses 3.6 for the setup, I think it's still quite relevant and applicable. I've also searched through undeadly for any similar posts on this topic and found nothing, so I was thinking it might be useful to post this topic to undeadly, as anyone might find it useful.

Note:
The article mentioned uses Cisco switches with STP as the failover mechanism, since CARP doesn't work with bridges. Using STP for failover is not very timely (30 seconds to a minute minimum), but it is definitely another approach to the problem.
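The failover delay the note refers to comes from the classic 802.1D spanning-tree timers: after a link fails, the bridge waits for the max age to expire and then spends one forward delay each in the listening and learning states before it forwards again. The following is an added example, not code from the linked article or from the bridge(4) project, that checks a set of timer values against the 802.1D consistency rule (2 * (fwddelay - 1) >= maxage >= 2 * (hellotime + 1)) and the ranges ifconfig(8) accepts for bridge(4), estimates the worst-case failover time, and emits the hostname.bridge0(5)-style lines for a two-port transparent firewall bridge. The port names em0 and em1 and the timer values are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity-check bridge(4) STP timers before putting them in
# /etc/hostname.bridge0. Interface names and values are constructed.

# Worst-case classic STP reconvergence after a link failure, in seconds:
# max age expiry plus listening and learning (one forward delay each).
stp_failover_seconds() {
    echo $(( $1 + 2 * $2 ))          # $1 = maxage, $2 = fwddelay
}

# bridge(4) accepts hellotime 1..10, maxage 6..40, fwddelay 4..30.
# Returns 0 when every value is inside its range, 1 otherwise.
stp_timers_in_range() {
    [ "$1" -ge 1 ] && [ "$1" -le 10 ] &&
    [ "$2" -ge 6 ] && [ "$2" -le 40 ] &&
    [ "$3" -ge 4 ] && [ "$3" -le 30 ]
}

# 802.1D timer relationship: 2*(fwddelay-1) >= maxage >= 2*(hellotime+1).
# Timers that break this rule can keep a topology from ever stabilising.
stp_timers_valid() {
    hellotime=$1; maxage=$2; fwddelay=$3
    stp_timers_in_range "$hellotime" "$maxage" "$fwddelay" || return 1
    [ $(( 2 * (fwddelay - 1) )) -ge "$maxage" ] &&
    [ "$maxage" -ge $(( 2 * (hellotime + 1) )) ]
}

# Emit hostname.bridge0 lines (one ifconfig(8) argument group per line)
# for a two-port bridge with STP enabled on both ports and custom timers.
# Refuses to emit anything when the timers are inconsistent.
bridge_config() {
    hellotime=$1; maxage=$2; fwddelay=$3
    if ! stp_timers_valid "$hellotime" "$maxage" "$fwddelay"; then
        echo "bridge_config: inconsistent STP timers" >&2
        return 1
    fi
    printf 'add em0\nadd em1\nstp em0\nstp em1\n'
    printf 'hellotime %s\nmaxage %s\nfwddelay %s\nup\n' \
        "$hellotime" "$maxage" "$fwddelay"
}

# Stand-alone run: compare the defaults with an aggressive but legal set.
if [ "${0##*/}" = "stp-timers.sh" ]; then
    echo "defaults (2/20/15): $(stp_failover_seconds 20 15)s worst case"
    echo "tuned    (1/6/4):   $(stp_failover_seconds 6 4)s worst case"
    bridge_config 1 6 4
fi
```

With the bridge(4) defaults (hellotime 2, maxage 20, fwddelay 15) the worst case is 50 seconds, which is where the "30 seconds to a minute" figure comes from; the smallest consistent set the ranges allow (1/6/4) brings it down to 14 seconds, still far slower than the sub-second transitions RSTP is designed for, and lower timers must be set identically on every STP speaker in the segment, Cisco switches included.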



Comments
  1. By Anonymous Coward (205.156.117.1) on

    "The article mentioned uses Cisco switches with STP as the fail over mechanism since CARP doesn't work with bridges."

    Could you not have an IP-enabled third interface on each box with a tight pf ruleset (or maybe a crossover cable) to only allow it to communicate with the other bridge's third interface, and vice-versa?

  2. By Jason L. Wright (134.20.35.80) jason@openbsd.org on http://www.thought.net/jason

    The timing on spanning tree -can- be adjusted on Cisco and OpenBSD. As I understand it, there's also support for fast spanning tree in FreeBSD. I don't know much about it... the author emailed me to ask about getting rid of clause 3 & 4 in my spanning tree implementation in OpenBSD. Someone want to port it?

    Comments
    1. By sthen (85.158.44.146) on

      > The timing on spanning tree -can- be adjusted on Cisco and OpenBSD. As I understand it, there's also support for fast spanning tree in FreeBSD.

      here and here, other changes they made since importing bridge(4) include moving configuration across to ifconfig(8) and moving STP out to a separate source file. here is a simple patch to teach tcpdump(8) about RSTP, changes to bridge(4) are a little more...involved...

      Comments
      1. By Brad (216.138.195.228) brad at comstyle dot com on

        > here and here, other changes they made since importing bridge(4) include moving configuration across to ifconfig(8) and moving STP out to a separate source file.

        Just like the separate source file OpenBSD has had for STP for almost 6 years now?

        http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/bridgestp.c

        Comments
        1. By sthen (85.158.44.146) on

          > here and here, other changes they made since importing bridge(4) include moving configuration across to ifconfig(8) and moving STP out to a separate source file.
          >
          > Just like the separate source file OpenBSD has had for STP for almost 6 years now?
          >
          > http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/bridgestp.c

          ah sorry, yes. I misunderstood their commit message, they actually moved it to a separate kernel module. that's one of their smaller changes then.

  3. By Anonymous Coward (87.79.237.121) on

    "Cisco switches with STP"

    Doesn't bridge(4) do STP as well?

    Comments
    1. By Jason L. Wright (134.20.35.80) jason@openbsd.org on http://www.thought.net/jason

      > "Cisco switches with STP"
      >
      > Doesn't bridge(4) do STP as well?

      Yup. Works fine.

    2. By Pete (80.203.236.21) on

      > "Cisco switches with STP"
      >
      > Doesn't bridge(4) do STP as well?

      yes, but not RSTP, which brings the failover delay down to a more reasonable period.

      /Pete

      Comments
      1. By djm@ (206.59.235.113) on

        > yes, but not RSTP, which brings the failover delay down to a more
        > reasonable period.

        yeah, RSTP (802.1w) would be very nice to have. it has been on my todo list for years now...

        Comments
        1. By reyk@ (82.82.167.119) on

          > yes, but not RSTP, which brings the failover delay down to a more
          > reasonable period.
          >
          > yeah, RSTP (802.1w) would be very nice to have. it has been on my todo list for years now...

          it's mostly done

  4. By reyk@ (82.83.63.114) on

    see http://marc.theaimsgroup.com/?l=openbsd-tech&m=116377683029589&w=2

    RSTP will increase the transition time.
