[2021] Highly Available WANs With OpenBSD by Marko Cupać

I would like to share my battle-tested (over 2 years in production), highly available WAN setup based exclusively on components of the OpenBSD base system. In this setup, ~30 branch office (spoke) firewalls connect to a pair of (hub) CARP firewalls over two Internet links, each in its own separate rdomain. Traffic is tunnelled by GRE, protected by transport-mode IPsec. Dynamic routing and failover are provided by OSPF.

I plan to show detailed network diagrams along with addressing schemes, as well as all the configuration file templates needed for such a setup.

Components used in this setup are: carp, bgpd, ospfd, pf, pfsync, gre, isakmpd, ipsec, rdomain.

Marko Cupać: For the last 12 years I have been designing and maintaining networks and essential network services, exclusively with OpenBSD and FreeBSD. Perhaps it would be interesting for you to check my website, particularly its blog section.
