The OpenBSD project's documentation is top-notch, eliminating the need for a detailed HOWTO. The reason this exists is to point those interested in the right direction.
Two computers are a requirement for the redundant setup. You'll need at least 2 network interfaces in each machine. Having 3 is strongly recommended, and some use 4. With 4, your interfaces are WAN (no IP address, bridged w/ LAN), LAN (no IP address, bridged w/ WAN), pfsync (non-routable IP address), and ssh (routable IP address). With 3, you omit either the pfsync or ssh interface and assign an appropriate IP address to either the WAN or LAN interface; this shouldn't interfere with the bridge.
The OpenBSD installation guide walks step-by-step through the install process. If you're new to OpenBSD, the manuals and the FAQ are where you should start, whereas this may help if you have experience with other Unix-like operating systems.
Once install is complete, read (at least!) the following man pages: afterboot, mygate, hostname.if, brconfig.
The following sections of the OpenBSD FAQ explain setting up a standalone bridging firewall:
6.9 - Setting up a network bridge in OpenBSD
PF: The OpenBSD Packet Filter
After learning and using the tools above, all that's left to do is configure failover. For that we use pfsync to synchronize the pf state table of our two firewalls, and the Spanning Tree Protocol options supported by brconfig to effect failover:
pfsync introduction and operation -- Ignore all mention of configuration options for CARP, as we aren't using it.
brconfig -- Read the man page thoroughly, especially the Spanning Tree Protocol related parameters. You'll activate and set these STP parameters in the bridgename.if file for your WAN and LAN interfaces on both machines (or using brconfig itself).
bridge man page notes -- Good information here.
A good primer on Spanning Tree Protocol -- from ZyXEL.
Understanding Spanning Tree Protocol -- From Cisco.
Notes and Other Resources:
--When figuring this all out, I posted some questions to the "misc" OpenBSD email list. This email contains bridgename.bridge0 files for both master and backup that are similar to my final configurations.
--On a network with unmanaged switches, it can take between 1 and 3+ minutes for all devices to properly failover. This is because the MAC address cache flush time cannot be set on such devices. Lowering the default flush time on the internal firewall interfaces (using a brconfig parameter) can help. I understand that some managed switches can be set to flush cache upon detection of a STP topology change, which would certainly help here.
--The only way that I know of to monitor the Spanning Tree status of the bridge interfaces (whether they're forwarding or blocked) is by using brconfig -a. A script that runs on both machines, parses the output of this command, and warns when failover is detected is advisable.
--Dylan Martin has also written a guide on this subject. His predates mine by quite some time; you can find it here.
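One shape such a watcher can take, as an added example that is not part of the original guide: it parses `brconfig -a` output, records each bridge port's Spanning Tree state, and warns when a port changes state between two snapshots. The output layout, the state names (forwarding/blocking) and the fxp interface names are assumptions taken from a constructed sample; confirm them against your own `brconfig -a` before relying on the script.

```sh
#!/bin/sh
# stp-watch.sh: parse `brconfig -a` output, pull out each bridge port's
# Spanning Tree state, and warn when a port changes state (a blocked port
# going to forwarding on the backup firewall is the failover signal).
# The brconfig output layout below is a constructed sample, not captured.

# stp_states: brconfig -a text on stdin -> "bridge iface state" per STP port
stp_states() {
    awk '
        /^[a-z]+[0-9]+: flags=/      { b = $1; sub(/:$/, "", b); next }
        /^[ \t]+[a-z]+[0-9]+ flags=/ { i = $1; next }
        /^[ \t]+port [0-9]+ /        { print b, i, $NF }
    '
}

# report_changes OLD NEW: one WARNING line per port whose state differs
report_changes() {
    awk '
        NR == FNR { old[$1 " " $2] = $3; next }
        ($1 " " $2) in old && old[$1 " " $2] != $3 {
            printf "WARNING: %s %s %s -> %s\n", $1, $2, old[$1 " " $2], $3
        }
    ' "$1" "$2"
}

# check_failover BEFORE AFTER: returns 1 and prints warnings on any change
check_failover() {
    old=$(mktemp) && new=$(mktemp) || return 2
    printf '%s\n' "$1" | stp_states > "$old"
    printf '%s\n' "$2" | stp_states > "$new"
    out=$(report_changes "$old" "$new")
    rm -f "$old" "$new"
    [ -n "$out" ] || return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed snapshots of the backup firewall: fxp1 is blocked while the
# master is healthy, then starts forwarding after the master disappears.
SAMPLE_BEFORE='bridge0: flags=41<UP,RUNNING>
	Configuration:
	Interfaces:
		fxp0 flags=7<LEARNING,DISCOVER,STP>
			port 1 ifpriority 128 ifcost 55 forwarding
		fxp1 flags=7<LEARNING,DISCOVER,STP>
			port 2 ifpriority 128 ifcost 55 blocking
	Addresses (max cache: 100, timeout: 240):'
SAMPLE_AFTER=$(printf '%s\n' "$SAMPLE_BEFORE" | sed 's/blocking/forwarding/')

check_failover "$SAMPLE_BEFORE" "$SAMPLE_AFTER" || echo "failover detected"
```

In production, run `brconfig -a` from cron on both machines, keep the previous snapshot on disk, and feed the two snapshots to check_failover so the nonzero exit can drive an alert.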
Contact:
Written by Ramsey Tantawi.
Email:
ramsey@oscillations.org
Change Log:
1.0 (January 16, 2006) - Original doc posted.