Matthieu Herrb: Practical use of OpenBSD routing domains with redundant firewalls
This talk will present the configuration of the redundant firewalls used at LAAS-CNRS (a public research laboratory in Toulouse, France) to filter IPv4 and IPv6 traffic inside the internal network and towards the internet.
One issue frequently faced when using CARP in active/passive mode with a network operator who provides only one IPv4 address is that the passive node has no internet connection of its own and therefore cannot be updated or patched easily.
OpenBSD supports routing domains (rdomains) to isolate network interfaces and separate their traffic. Using this feature to create a virtual control plane, separated from the actual routing plane (the one running CARP and pfsync), makes the control interfaces of both firewalls reachable from the LAN and lets the passive node open outgoing connections to the internet through the routing plane.
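To make the control-plane/routing-plane split concrete, here is an added sketch of what such a layout looks like in OpenBSD's own configuration files. It is not the LAAS-CNRS configuration from the talk: interface names (em0, em1, em2), addresses, the vhid and the rdomain number are all assumptions, and the password is a placeholder. The management interface lives in rdomain 1 together with the SSH daemon, while CARP and pfsync stay in the default rdomain 0.

```conf
# /etc/hostname.em0  -- control-plane (management) interface, moved into rdomain 1
# (assumed names and addresses; "rdomain" must precede the address line)
rdomain 1
inet 10.10.0.2 255.255.255.0
!route -T 1 add -inet default 10.10.0.1

# /etc/hostname.em1  -- uplink to the operator, stays in the routing plane (rdomain 0)
inet 192.0.2.10 255.255.255.248

# /etc/hostname.carp0 -- the single shared IPv4 address, in rdomain 0;
# the passive peer uses the same vhid with a higher advskew
inet 192.0.2.9 255.255.255.248 192.0.2.15 vhid 1 carpdev em1 pass CARP_PASSWORD_PLACEHOLDER advskew 0

# /etc/hostname.pfsync0 -- pf state synchronisation over a dedicated link
up syncdev em2

# /etc/mygate -- default route of rdomain 0 (the routing plane)
192.0.2.14

# /etc/rc.conf.local -- start sshd inside rdomain 1 so the management
# address is reachable from the LAN even on the passive node
sshd_rtable=1
```

After `sh /etc/netstart`, `ifconfig em0` should report `rdomain 1` and `route -T 1 -n show` should list only the management routes, confirming that control traffic cannot leak into the routing plane. How the passive node's outbound connections are then carried over the routing plane is the part the talk itself covers and is not shown here.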
In this talk I'm going to present the actual setup, a few "howtos" to get things running smoothly, and a prototyping setup running fully on OpenBSD under VMM.
Matthieu Herrb: Matthieu Herrb has been working as a research engineer at LAAS-CNRS, in charge of security and robotics for more than 30 years. He is also the main maintainer of Xenocara, the port of the X11 graphics software suite to OpenBSD.