Hello, No, I'm using hardware machines. I tested what Imre suggested, i.e.: flushing PF states with 'pfctl -F states'. With a freshly booted machine, CARP packets are allowed to pass. I then disabled pf, flushed the states and reloaded pf with the 'block log' rule. At this point, CARP is effectively blocked, and remains so until a reboot happens: adding a pass rule, clearing states or even completely disabling pf had no effects.
I tried using the following rule to let CARP pass: pass quick log inet proto carp no state which leads me to a very odd CARP configuration: fw2 remains master although it should go back to backup state. advskew on fw1 is 50, and 100 on fw2. A closer look at tcpdump revealed that CARP packets sent by fw1 have a demote value of 1, which explains why fw2 remains master as its demote value is 0. What I can't explain is this: fw1~# ifconfig -g carp carp: carp demote count 0 In other words, fw1 says it's demotion counter is null, but the messages sent have a demote value of 1. At the same time, fw1 transitions from backup to master and back again repeatedly, as I saw in /var/log/messages. I tried setting the demotion counter to a higher value, say 10, using 'ifconfig -g carp carpdemote 10' and then I get the expected behavior: fw2 remains master, fw1 remains backup and the demote value displayed by ifconfig is the same as the one that is sent to the other machine. I am not sure how useful a dmesg is in this case, but here is the dmesg.boot from the firewall (with the public IPv6 addresses obscured): http://pastebin.ca/2123109 Marios On 1 March 2012 07:03, Camiel Dobbelaar <c...@sentia.nl> wrote: > On 29-2-2012 23:01, Fridiric URBAN wrote: >> Hello, >> >> Confirmed on a fresh and very simple virtual environnement with 2 >> firewall using latest snapshot (amd64). >> pf.conf containt a single line "block log", nothing is logged on pflog >> and the other firewall on the sharing the link layer still catch carp >> advertisement ! > > Virtual eh? I was wondering where the dmesg was. :-) > > If this is esxi you have to allow promiscious mode on the vswitch. > > Marios, are you using virtual machinery too? Can you post a dmesg > otherwise? > > > -- > Cam
