Setting up a redundant OpenBSD 4.8 firewall

November 2010


Table of Contents

Introduction
Installing the OS
Setting up a user and keys
Setting up rsync from the control interface
Setting up the network interfaces
Turning on PF
Setting up CARP
Setting up DHCP
Making DHCP redundant
Setting up BIND
Making BIND redundant
Setting up Kerberos
Making Kerberos redundant
Setting up LDAP
Making LDAP redundant
More PF rules

I want a redundant pair of firewalls for my home network, with CARP, redundant DHCP, redundant Kerberos, redundant LDAP, redundant BIND and maybe more. Let's see how far we get with a pair of Soekris boxes. Earlier work on these boxes includes , (both with DHCP and BIND), , , (old PF config), and (only the drawing, this section is the redo of that), and , which is only the OS install.

So I connected things like in . The dual firewalls are connected to three switches: an inside, an outside and a management switch. Both the management switch and the outside switch are connected to my usual firewall/router, but in different subnets, and traffic to/from the management network is much more restricted. The dual firewalls are also connected directly to one another. There is a PC from which most of the configuration of the dual firewalls will be done (through rsync and ssh), and a test PC from which to check whether the setup works. Once the dual firewalls prove functional, the network layout will be altered, but this is the setup for now.
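To make the "much more restricted" management network concrete, here is an added pf.conf sketch for this layout; it is not the page's own config, and the interface names, the addresses and the use of the direct link for pfsync/CARP traffic are all assumptions.

```pf
# Added example, not the original page's configuration.
# Interface names and addresses are placeholders; substitute the real
# Soekris NICs and the real management subnet.
ext_if   = "sis0"           # outside switch
int_if   = "sis1"           # inside switch
mgmt_if  = "sis2"           # management switch
sync_if  = "sis3"           # direct link between the two firewalls
admin_pc = "192.0.2.10"     # config PC on the management network (placeholder)

set skip on lo0
# Assumed: the direct link carries only pfsync/CARP state between the
# pair, so PF does not filter it.
set skip on $sync_if

# Default deny, logged, so anything not explicitly allowed shows up in pflog0.
block log all

# Management network: only the config PC may reach the firewall's own
# management address, and only over ssh (rsync is tunnelled over ssh too).
pass in quick on $mgmt_if proto tcp from $admin_pc to ($mgmt_if) port ssh
# Everything else arriving on the management interface is dropped, and
# the firewall never originates traffic towards the management network.
block in quick on $mgmt_if
block out quick on $mgmt_if

# Inside/outside filtering is built up in the later PF sections; for now
# just let the firewall itself talk out on those interfaces (stateful).
pass out on { $ext_if $int_if }
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and keep an ssh session open from the config PC while testing so a mistake in the management rules does not lock you out.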