       +----| WAN/Internet |----+
       |                        |
   em1 |                        | em1
    +-----+                  +-----+
    | fw1 |                  | fw2 |
    +-----+                  +-----+
   em0 |                        | em0
       |                        |
   ---+-------Shared LAN-------+---
Both firewalls connect to the LAN through em0 and to the WAN/Internet through em1. The IP addresses are as follows:
- Firewall 1 (fw1) em0: 172.16.0.1
- Firewall 1 (fw1) em1: 192.0.2.1
- Firewall 2 (fw2) em0: 172.16.0.2
- Firewall 2 (fw2) em1: 192.0.2.2
- WAN/Internet shared IP: 192.0.2.100
- LAN shared IP: 172.16.0.100
The configuration for Firewall 1 (fw1) is as follows:
#Enable preemption and group interface failover
# sysctl -w net.inet.carp.preempt=1

#Configure CARP on the LAN side
# ifconfig carp0 create
# ifconfig carp0 vhid 1 pass lanpasswd carpdev em0 \
    172.16.0.100 255.255.255.0

#Configure CARP on the WAN side
# ifconfig carp1 create
# ifconfig carp1 vhid 2 pass wanpasswd carpdev em1 \
    192.0.2.100 255.255.255.0
As mentioned earlier, our policy is for Firewall 1 to act as master. When configuring Firewall 2 we set its advskew value higher, because we do not want it to become master.
The configuration for Firewall 2 (fw2) is as follows:
#Enable preemption and group interface failover
# sysctl -w net.inet.carp.preempt=1

#Configure CARP on the LAN side
# ifconfig carp0 create
# ifconfig carp0 vhid 1 pass lanpasswd carpdev em0 \
    advskew 128 172.16.0.100 255.255.255.0

#Configure CARP on the WAN side
# ifconfig carp1 create
# ifconfig carp1 vhid 2 pass wanpasswd carpdev em1 \
    advskew 128 192.0.2.100 255.255.255.0
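As an added example (not part of the original post and not OpenBSD's own code), the following Python model shows why these settings give the behaviour described above: fw1 with advskew 0 wins both VHIDs, and with preempt enabled a failure of fw1's WAN link moves both VHIDs to fw2 at once instead of leaving fw1 master on the LAN side. The advertisement interval advbase + advskew/256 is CARP's real rule; the demoted skew of 240 and the tie-break by name are assumptions made for the model.

```python
# Simplified CARP master election for the fw1/fw2 layout above (added example).
# Assumptions: advbase defaults to 1 s; a preempting host whose other link is
# down advertises with skew 240 (the value older OpenBSD releases used).

ADVBASE = 1          # seconds between advertisements
DEMOTED_SKEW = 240   # skew applied to every vhid when one carpdev link fails

class CarpHost:
    def __init__(self, name, preempt, vhids):
        # vhids: {vhid: (carpdev, advskew)}, e.g. {1: ("em0", 0), 2: ("em1", 0)}
        self.name, self.preempt, self.vhids = name, preempt, vhids
        self.links = {dev: True for dev, _ in vhids.values()}  # link up/down per carpdev

    def interval(self, vhid):
        """Advertisement interval in seconds, or None if this vhid cannot advertise."""
        dev, skew = self.vhids[vhid]
        if not self.links[dev]:
            return None                       # link down: no advertisements at all
        if self.preempt and not all(self.links.values()):
            skew = DEMOTED_SKEW               # group failover: demote every vhid on this host
        return ADVBASE + skew / 256

def elect(hosts, vhid, current=None):
    """Return the master for vhid given the current master name (or None)."""
    advertising = {h.name: h.interval(vhid) for h in hosts if h.interval(vhid) is not None}
    if not advertising:
        return None
    best = min(advertising, key=lambda n: (advertising[n], n))
    if current not in advertising:
        return best                           # master went silent: fastest backup takes over
    challenger = next(h for h in hosts if h.name == best)
    if challenger.preempt and advertising[best] < advertising[current]:
        return best                           # lower skew plus preempt: immediate takeover
    return current                            # otherwise the sitting master keeps the role

def build_pair():
    fw1 = CarpHost("fw1", True, {1: ("em0", 0), 2: ("em1", 0)})
    fw2 = CarpHost("fw2", True, {1: ("em0", 128), 2: ("em1", 128)})
    return fw1, fw2

def failover_scenario():
    """Normal operation, then fw1 loses its WAN link, then the link returns."""
    fw1, fw2 = build_pair()
    hosts = [fw1, fw2]
    m1, m2 = elect(hosts, 1), elect(hosts, 2)
    fw1.links["em1"] = False                  # fw1's WAN cable is pulled
    d1, d2 = elect(hosts, 1, m1), elect(hosts, 2, m2)
    fw1.links["em1"] = True                   # WAN link restored: fw1 preempts back
    b1, b2 = elect(hosts, 1, d1), elect(hosts, 2, d2)
    return (m1, m2), (d1, d2), (b1, b2)
```

Without preempt (`net.inet.carp.preempt=0`) the model would leave fw1 master of vhid 1 while vhid 2 fails over, which is the split state the group-failover setting is meant to prevent.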