Contributed by sean on from the all soekris all the time dept.
I wanted to set up these machines as a failover firewall with CARP and pfsync.
Now there are a lot of documents on the internet about how to netboot OpenBSD on in and a lot of other documents about how to set up CARP.
But what is^H^Hwas missing is a complete document that helps you from start to a running failover setup.
I took parts of Ryan's page about CARP, parts of other documents and a lot of info from the manual and started installing and keeping docs at the same time.
Now there actually is a complete document that starts with the netboot and installation of OpenBSD 4.0 on a soekris and guides you all the way to get a working failover setup.
The document can be found here.
Now let's get these nice machines and some OpenBSD 4.0 CDs to install everything!
By shef (shef) shefys@gmail.com on
Comments
By Michiel van Baak (mvanbaak) undeadly@vanbaak.info on http://michiel.vanbaak.info
I emulated our 10mbit uplink (work) with a 10mbit switch and I have to say the soekris setup in the middle showed no difference with a setup without the soekris in the middle.
This test setup has 3 webservers, 2 dns servers and a smtp/imap mailserver on one side and 5 workstations hammering the services on the other side.
I'm very confident this setup will handle our hosting setup without trouble. FTP loses 4% of its speed, but that is only used to update static webpages so no big deal there.
It all comes down to how many packets per second you are handling and what type of pf rules you have active. Our setup is real simple:
allow http to webservers, ftp to one ftp server, dns to one server that does not allow recursion and imap to a 500domain mailserver.
I don't think this setup will survive on a 100mbit internet link, but where do you have those?
If you have the money to buy a dedicated 100mbit uplink you can also afford some more powerful firewall setup, right?
By jb (jb) jb@caustic.org on
The only performance hit I've had with my net4501 has been in my pf configuration and line. No issues otherwise, and the impact even under a heavy load has been minimal to non-existent.
By Mitja Muzenic (193.77.241.135) mitja@kerberos.si on http://www.kerberos.si/ENG/Soekris19.htm
Comments
By Brynet (Brynet) on
Man that's sad, The site is using Adobe Flash..
Shame on you...
Comments
By edgarz (159.148.213.71) on
>
> Man that's sad, The site is using Adobe Flash..
>
> Shame on you...
Shame on you, because you live in the middle of the 80s.
Maybe shame is that you can't support or provide something new, only old things?
Comments
By Brynet (Brynet) on
> >
> > Man that's sad, The site is using Adobe Flash..
> >
> > Shame on you...
>
> Shame on you, because you live in the middle of the 80s.
> Maybe shame is that you can't support or provide something new, only old things?
Pardon me? It was a comment about how ironic it is to advertise an OpenBSD product using flash..
When flash doesn't support OpenBSD.. And is closed source..
By phessler (phessler) spambox@theapt.org on http://theapt.org
> >
> > Man that's sad, The site is using Adobe Flash..
> >
> > Shame on you...
>
> Shame on you, because you live in the middle of the 80s.
> Maybe shame is that you can't support or provide something new, only old things?
flash is disgusting crap. it's offensive and annoying. even on systems that do support flash, I uninstall it quickly.
requiring flash for simple jpgs is silly and bizarre.
By Anonymous Coward (74.115.21.120) on
By Wim Vandeputte (wvdputte) wim@kd85.com on https://kd85.com/soekris.html
Comments
By Michiel van Baak (mvanbaak) undeadly@vanbaak.info on http://michiel.vanbaak.info
it's .... stronger....than.....me
;)
I mean, boring meals, endless discussions about the history of family. _OR_ having fun with OpenBSD.....
What would you do ;)
By jeff (65.120.116.178) on
Wim,
I saw the pictures with the dual 4801's and then saw that kd85 does not ship to my country (USA). Do you know of distributors on my side of the pond who ship such casing hardware? (Or might you be able to provide schematics for the design of the double 4801 box so that I may make my own?)
Wonderful read, looking forward to spending some of my holiday money on a development 4801.
-Jeff
Comments
By sthen (85.158.44.146) on
You might also want to look for resellers of the Yawarra cases for Soekris/pcengines (they also have rackmount cases for some of the Commell boards) - they're Australian and do ship outside .au but don't take international credit cards.
By Wim (89.22.102.81) wim@kd85.com on https://kd85.com/soekris.html
> ship to my country (USA). Do you know of distributors on my side of the
> pond who ship such casing hardware? (Or might you be able to provide
> schematics for the design of the double 4801 box so that I may make my
> own?
Actually if you look at the webform, we do ship to Canada and the US, but
the case weighs about 7 kg, so shipping with UPS is a bit expensive
(don't have the rates in front of me now, but I guess it would be about
EUR 65 to ship)
By Anonymous Coward (24.37.236.100) on
Comments
By Michiel van Baak (mvanbaak) undeadly@vanbaak.info on http://michiel.vanbaak.info
Because all articles out there mention /etc/rc
And because this way I have it all at the same page in vi.
It's easier for me to maintain the mfs in one place, including populating stuff and setting permissions.
Comments
By sthen (85.158.44.146) on
> It's easier for me to maintain the mfs in one place, including populating stuff and setting permissions.
It's really simple to maintain the files if you use the -P flag to mount_mfs which you can set in the options column in fstab; you then don't have to worry about merging /etc/rc changes between releases...it's also easy to use rc.shutdown to copy the MFS back onto CF if you want to preserve state (dhcp leases, spamdb and so on).
Comments
By Anonymous Coward (83.5.232.240) on
best wishes to all!
By Matthew R. Dempsky (76.185.92.143) mrd@alkemio.org on
I'd hope you could fit more than just 2 soekris boards in a 19 foot case! :-)
Nice article though. I wish I had the resources to play with carp/pfsync.
Comments
By jb (69.239.198.33) on
>
> I'd hope you could fit more than just 2 soekris boards in a 19 foot case! :-)
>
> Nice article though. I wish I had the resources to play with carp/pfsync.
Actually, I was trying to locate the hardware, and didn't find it. I'd love to see the Net4801 19" case..
Comments
By Michiel van Baak (mvanbaak) undeadly@vanbaak.info on http://michiel.vanbaak.info
I bought the hardware from http://www.kd85.com
The image of the case is here. My setup is similar but lacks the extra 2-port nic for every soekris.
By Anonymous Coward (24.37.236.100) on
All you need is two boxes, even a second old/cheap system and you're set.
By Anonymous Coward (75.132.109.74) on
I just bought a couple 4801's and am using Bill Maas' mfsmount script for MFS: (script, README).
Comments
By Michiel van Baak (mvanbaak) undeadly@vanbaak.info on http://michiel.vanbaak.info
Thanks for the link.
Thanks to Lasse Bach I found out my soekris boards don't mount / ro at all.
This has to do with syslogd. Bill Maas' script takes care of this.
I won't have time till Jan 2nd to do anything (I'm not going to redo the mfs mounts AND the website tonight *midnight here now*) but the setup I described has a flaw when it comes to mounting stuff read-only.
I'll let you all know when I get stuff sorted out and an updated document is on my site.