Failover firewalls with OpenBSD + VMware Server, part I: The network scenario

27 May 2008

My idea was to build/simulate a typical firewall setup with a redundant firewall, where the secondary box takes over if the primary fails. After considering a Linux based solution, I decided to try a BSD based approach, since this OS family seemed very suitable for this kind of setup.

After playing around a bit with some open source based firewall appliances like m0n0wall and pfsense, I did what real men do - and settled for OpenBSD The following draft shows the setup I am planning to implement:

So basically we have the following components:

The external network: ext, 192.168.1.0/24

The internal network: int, 192.168.2.0/24

A special network between the firewalls: pfsync, 192.168.3.0/24

The firewalls have their “own” IP addresses: fw1, x.y.z.240 and fw2, x.y.z.241, where x.y.z are the networks int,ext and pfsync

Both firewalls share “virtual” IP addresses: 192.168.1.254 on ext and 192.168.2.254 on int

In the int network, we have a workstation bsd1 with the IP 192.168.2.10

Normally fw1 operates as primary firewall and filters/forwards packets between ext and int. If a failure occurs, fw2 takes over the virtual IP addresses and operates as firewall/gateway. The pfsync network is a special network between the firewall, reserved for special firewall communication like state syncing.

And since we haven’t got that much spare hardware lying around, we will simulate this scenario with virtual machines based on a VMware server setup.

Since VMware server really has its quirks in this kind of setup, stay tuned for part II: VMware server setup