Router and Firewall Redundancy with OpenBSD and CARP

As more reliance is placed on computing and networking systems, the need for redundancy increases. The Common Address Redundancy Protocol (CARP) protocol and OpenBSD’s pfsync utility provide a means by which to implement redundant routers and firewalls. This paper details how CARP and pfsync work together to provide this redundancy and explores the performance one can expect from the open source solutions. Two experiments were run: one showing the relationship between firewall state creation and state synchronization traffic and the other showing how TCP sessions are transparently maintained in the event of a router failure. Discussion of these simulations along with background information gives an overview of how OpenBSD, CARP, and pfsync can provide redundant routers and firewalls for today’s Internet.