
Scenario: One internet connection with the need to firewall a very high number of pps, without having to invest in expensive hardware firewalls. I do not have a specific number of pps to aim for, but I need to support as much as possible. Therefore I am trying to identify if there are any scalable methods to achieve this. I don't need stateful inspection.

Thought: Would it be possible to terminate the internet connection in a switch, and then in the same switch aggregate for example 2, 3 or 4 ports to go to another switch? In between the two switches, then have a separate firewall server running stateless iptables on each of the 2, 3 or 4 connections? The objective would be to load balance the high number of pps over the different firewall servers. Sort of an active/active/active iptables cluster.

Does anyone know if this would be possible, and if it would require anything specific? I can't seem to find anything similar when googling. I assume the firewall servers will have to be completely transparent somehow, so that the two switches think they are exchanging traffic directly over a single bonded/aggregated/teamed link?

masegaloeh

1 Answer


You would have to set the switch ports to "dumb" aggregation (no LACP or other control protocol). On the Linux box you would need ebtables to filter the traffic.

Be aware that traffic distribution between switchports in the portgroup depends on the hashing algorithm used by the switch. For example Cisco can distribute traffic on src/dst IP mix if configured to do so. Juniper uses L4 information (ports) where available by default.

I'm not aware of anyone using a setup like this so this would be a first. ;)

Another thing to consider: I don't know what your firewalling "needs" are, but if possible try to use ACLs on the router if the router supports hardware ACLs. The silicon on the router is probably much more powerful than any Linux box.
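The point about the switch's hashing algorithm is the one that decides whether this design scales at all, so here is an added worked example (it is not part of the answer above and models no particular vendor): a small Python model of how a static aggregation hash places flows onto the N member links, and therefore onto N stateless firewall boxes. Both hash functions are simplified stand-ins (XOR of the tuple fields modulo the link count), the flow sample is constructed, and the host addresses come from documentation ranges. It shows that with an IP-only hash, every flow between the same pair of hosts lands on the same firewall no matter how many links you add, while an L4-aware hash can split them.

```python
"""Added example: how a switch's static aggregation hash spreads packets
(and therefore pps) across the N member links, i.e. across N stateless
firewall boxes.  The two hash functions are simplified stand-ins, not any
vendor's real algorithm; the traffic sample is constructed."""
import ipaddress
from collections import Counter


def ip_to_int(addr):
    """IPv4 dotted-quad -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def hash_l3(pkt, n_links):
    """Link index from src/dst IP only (the 'IP mix' style of hashing)."""
    return (ip_to_int(pkt["src"]) ^ ip_to_int(pkt["dst"])) % n_links


def hash_l4(pkt, n_links):
    """Link index that also mixes in TCP/UDP ports (L4-aware hashing)."""
    key = ip_to_int(pkt["src"]) ^ ip_to_int(pkt["dst"]) ^ pkt["sport"] ^ pkt["dport"]
    return key % n_links


def distribute(flows, n_links, hash_fn):
    """Return {link_index: pps} after hashing each flow onto a member link.

    All packets of one flow share the same tuple, so a flow can never be
    spread over several links; only distinct flows can balance out."""
    load = Counter()
    for flow in flows:
        load[hash_fn(flow, n_links)] += flow["pps"]
    return {link: load.get(link, 0) for link in range(n_links)}


def busiest_share(load):
    """Fraction of total pps carried by the most loaded link (1/N is ideal)."""
    total = sum(load.values())
    return max(load.values()) / total if total else 0.0


# Constructed sample: two heavy flows between the same pair of hosts plus
# two lighter flows from other hosts.
SAMPLE_FLOWS = [
    {"src": "10.0.0.1", "dst": "198.51.100.1", "sport": 40000, "dport": 443, "pps": 50000},
    {"src": "10.0.0.1", "dst": "198.51.100.1", "sport": 40001, "dport": 443, "pps": 50000},
    {"src": "10.0.0.2", "dst": "198.51.100.1", "sport": 40002, "dport": 80, "pps": 10000},
    {"src": "10.0.0.3", "dst": "198.51.100.2", "sport": 40003, "dport": 53, "pps": 5000},
]

if __name__ == "__main__":
    for n in (2, 3, 4):
        for name, fn in (("L3 hash", hash_l3), ("L4 hash", hash_l4)):
            load = distribute(SAMPLE_FLOWS, n, fn)
            print(f"{n} links, {name}: {load}  busiest link carries "
                  f"{busiest_share(load):.0%} of pps")
```

Running it shows the practical consequence for the active/active design: under the IP-only hash the two 50 kpps flows always share one firewall, so adding a third or fourth box does nothing for that pair of hosts, whereas the L4 hash separates them. Before building this, check which fields your switch actually hashes on and whether that can be changed, and size each firewall box for the largest single flow it may receive rather than for total pps divided by N.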