On Thu, Nov 24, 2011 at 2:40 PM, Henning Brauer <lists-open...@bsws.de> wrote:
> if your carpdev has an IP and the IP(s) on the carp interface are in
> the same subnet, it is best to have the real netmask on the carpdev
> and all-ones netmasks on the carp interface, for the case where you're
> carp slave.
>
> and the rule of thumb remains, one IP per subnet per rdomain in the
> system with the real netmask, all others all-ones - aka /32 for the one
> and only real protocol.
>
>> Example:
>> em5 - no IP
>> carp5 - 10.0.0.0/30 mask on carpdev em5
>
> right.
>
>> em4 - 9.0.0.0/32 for mgmt
>> carp4 - 9.0.0.0/28 acting as gateway for 9.0.0.0 net on carpdev em4
>> carp4 - aliases on 9.0.0.0 with /32 masks on carpdev em4
>
> here it is better to have the /28 on em4 and /32 on the carp ifs.
>
> --
> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> BS Web Services, http://bsws.de, Full-Service ISP
> Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
> Henning Brauer Consulting, http://henningbrauer.com/
This was very helpful information and I have implemented it, but I am still wondering about a related issue with routing. My default route on the pair of firewalls is set to an IP on the carp5 IP network, so I don't have a usable default route to the Internet on the backup until it fails over. I think that Kapetanakis was referencing that same issue when he responded to me, which led to me discovering it on my production setup. Is there anything I can do about this, given the /30 on the em5/carp5 network?

In the "Firewall Redundancy with CARP and pfsync" section of the PF User's Guide FAQ at http://www.openbsd.org/faq/pf/carp.html there is an example where the WAN/Internet connection has IP addresses assigned on the physical and CARP interfaces. The all-ones mask rule isn't set out there, since the ifconfig commands for the underlying physical interfaces aren't included in the examples. In fact, the rule is violated by the included ifconfig commands for the carp IP addresses, which use a permissive mask. I am pretty sure this is where my misunderstanding started, since I followed this FAQ to get started on my redundant firewall setup. It may be good to revise this and possibly even add discussion about the default route in the case where you have a /30 from your ISP to deal with.

For now I can live with the lack of Internet access on the slave and having to SSH to the master and then hop over to the slave using the /28 for remote management. I did get Internet-sourced SSH access to the backup working with a nat-to on the master, but it was ugly and only worked when I set the translated source to the carp4 IP instead of the master's em4 IP. I ended up rolling it back since the indirect method works well enough.

Any possible resolution to the default route issue would be greatly appreciated.
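The addressing layout Henning recommends above (real /28 on em4, all-ones masks on carp4 and its aliases, /30 on carp5 with no address on em5), written out as hostname.if fragments plus a small check that a proposed address list obeys the "one real netmask per subnet" rule. This is an added example, not code from the thread or from the OpenBSD FAQ; the host addresses 9.0.0.1/.2/.3, the alias 9.0.0.4, the ISP-side 10.0.0.1, the vhids 4 and 5 and the carp password are assumptions for illustration, and the block says nothing about the default-route question, which the thread leaves open.

```sh
#!/bin/sh
# Added example (not from the thread or the OpenBSD FAQ). Addresses, vhids and
# the carp password below are assumed placeholders; interface names are the
# thread's own (em4/carp4 on 9.0.0.0/28, em5/carp5 on 10.0.0.0/30).

# Dotted quad -> integer.
ip2int() {
    set -- $(echo "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Network number of addr/plen, as an integer.
netof() {
    addr=${1%/*}; plen=${1#*/}
    n=$(ip2int "$addr")
    if [ "$plen" -le 0 ]; then echo 0; return; fi
    mask=$(( (0xffffffff << (32 - plen)) & 0xffffffff ))
    echo $(( n & mask ))
}

# Read "iface addr/plen" lines on stdin and fail if any subnet carries a real
# (non-/32) netmask on more than one address. All-ones entries never conflict,
# which is exactly why the rule puts /32 on the carp interfaces.
check_masks() {
    seen=""; rc=0
    while read -r ifn cidr; do
        if [ -z "$ifn" ]; then continue; fi
        plen=${cidr#*/}
        if [ "$plen" -eq 32 ]; then continue; fi
        key="$(netof "$cidr")/$plen"
        case " $seen " in
        *" $key "*)
            echo "conflict: $ifn $cidr, subnet $key already has a real-netmask address" >&2
            rc=1 ;;
        *) seen="$seen $key" ;;
        esac
    done
    return $rc
}

# Recommended layout for the master; the slave differs only in em4's own address.
good_addrs() {
    cat <<'EOF'
em4 9.0.0.2/28
carp4 9.0.0.1/32
carp4 9.0.0.4/32
carp5 10.0.0.1/30
EOF
}

# FAQ-style layout: real mask on both the physical and the carp interface.
bad_addrs() {
    cat <<'EOF'
em4 9.0.0.2/28
carp4 9.0.0.1/28
carp5 10.0.0.1/30
EOF
}

# Write hostname.* fragments into $1 (default ./hostname.d) for review before
# copying to /etc; $2 is this node's own em4 address (9.0.0.2 master, 9.0.0.3 slave).
write_hostname_files() {
    dir=${1:-./hostname.d}; self=${2:-9.0.0.2}
    mkdir -p "$dir"
    # Real netmask lives on the carpdev.
    echo "inet $self 255.255.255.240" >"$dir/hostname.em4"
    # Gateway address and alias on carp4 carry all-ones masks.
    cat >"$dir/hostname.carp4" <<EOF
inet 9.0.0.1 255.255.255.255 NONE vhid 4 carpdev em4 pass secret
inet alias 9.0.0.4 255.255.255.255 NONE
EOF
    # em5 has no address of its own; the /30 is the only real mask on that net.
    echo up >"$dir/hostname.em5"
    cat >"$dir/hostname.carp5" <<EOF
inet 10.0.0.1 255.255.255.252 10.0.0.3 vhid 5 carpdev em5 pass secret
EOF
}

good_addrs | check_masks && echo "recommended layout: ok"
bad_addrs | check_masks || echo "FAQ-style layout: rule violated"
write_hostname_files ./hostname.d 9.0.0.2
```

Run it, inspect ./hostname.d, then copy the files to /etc on each node with that node's own em4 address (and a higher advskew on the slave's carp lines) and `sh /etc/netstart`; `ifconfig carp4 carp5` afterwards should show one node as MASTER and the other as BACKUP.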