Setting up a redundant OpenBSD 4.8 firewall

Jurjen Bokma

November 2010



Introduction

I want a redundant pair of firewalls for my home network, with CARP, redundant DHCP, redundant Kerberos, redundant LDAP, redundant BIND and maybe more. Let's see how far we get with a pair of Soekris. Earlier work on these boxes includes Conference under Docker, Conference under Docker (both with DHCP and BIND), Conference under Docker, Conference under Docker, Conference under Docker (old PF config), Conference under Docker and Conference under Docker (only the drawing, this section is the redo of that), and Conference under Docker, which is only the OS install.

So I connected things like in Conference under Docker. The dual firewalls are connected to three switches: an inside, an outside and a management switch. Both the management switch and the outside switch are connected to my usual firewall/router, but in different subnets, and traffic to and from the management network is much more restricted. The dual firewalls are also connected directly to one another. There is a PC from which most of the configuration of the dual firewalls will be done (through rsync and ssh), and a test PC from which to check whether the setup works. When the dual firewalls prove functional, the network layout will be altered, but this is the setup for now.
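As an added example (not the author's configuration), the script below stages the CARP and pfsync interface files for both firewalls on the config PC, ready to be pushed with rsync over the management network; the master/backup asymmetry lives only in advskew, and pfsync rides the direct cable between the two boxes rather than a shared switch. Interface names, addresses, VHIDs and the CARP password are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: stage /etc/hostname.carpN,
# /etc/hostname.pfsync0 and sysctl.conf for a master/backup OpenBSD 4.8 pair.
# Interface names, addresses, VHIDs and the CARP password are assumptions.
set -eu

SYNC_IF=vr3            # assumed: the direct cable between the two firewalls
CARP_PASS=change-me    # placeholder shared CARP secret (same on both hosts)

# advskew per role: the master advertises fastest; the backup only takes over
# when it stops hearing the master.
advskew_for() {
    case $1 in
        master) echo 0 ;;
        backup) echo 100 ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# One hostname.carpN line: role vhid address netmask broadcast carpdev
carp_line() {
    printf 'inet %s %s %s vhid %s carpdev %s advskew %s pass %s\n' \
        "$3" "$4" "$5" "$2" "$6" "$(advskew_for "$1")" "$CARP_PASS"
}

# Stage the files for one firewall: $1 role, $2 staging root for that host.
stage_host() {
    role=$1; dir=$2/etc
    mkdir -p "$dir"
    # carp0 faces the outside switch, carp1 the inside switch (addresses assumed)
    carp_line "$role" 1 192.0.2.10   255.255.255.0 192.0.2.255    vr0 > "$dir/hostname.carp0"
    carp_line "$role" 2 192.168.10.1 255.255.255.0 192.168.10.255 vr1 > "$dir/hostname.carp1"
    # pf state replication over the private link only, never a shared switch
    echo "up syncdev $SYNC_IF" > "$dir/hostname.pfsync0"
    # a recovered master reclaims all its CARP interfaces together
    echo 'net.inet.carp.preempt=1' > "$dir/sysctl.conf"
}

STAGE=${1:-/tmp/fw-stage}
stage_host master "$STAGE/fw1"
stage_host backup "$STAGE/fw2"
```

The staged trees are then pushed with something like `rsync -a /tmp/fw-stage/fw1/etc/ fw1-mgmt:/etc/` over the management network, one host at a time.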

Figure 1. Home network with dual firewalls inside the network, ready to be set up

Figure 2. Two redundant routing firewalls: two interconnected firewalls protecting a server in a NATted network section