> On Tue, Jan 03, 2006 at 12:37:29PM +0100, Pailloncy Jean-Gerard wrote:
> > And also wrote:
> > >The two cables came from two routers of my provider.
> > >The two ips (a.b.c.1 and a.b.c.2) are in the same vlan on the two  
> > >different routers.
> > >Broadcast should work.
> > >So on outside, a CARP should be the simple thing I have to do.
> > >
> > >Thank you for the information.
> > 
> > I do not understand how the packets coming from the gateway a.b.c.1-2  
> > are able to reach the routers a.b.c.3-4 on the CARP address a.b.c.5.
> 
> The routing table on a.b.c.[12] will simply tell them to push everything
> for a.b.c.0/24 out of some interface. It's then up to whatever is
> attached to that interface to provide routing.
>
> (Discarding complicated stuff, routing tables basically look up an IP
> address and tell the kernel what interface to use to send packets for
> that IP address.)

This all depends how things are connected to the ISP. From 'broadcast
should work' and the talk of vlans, it sounds like either there are two
ISP-provided routers on the LAN, or it's ethernet-presented and ARP is
running over the link.

In either of these cases, it will be necessary to either add routes on
the ISP routers (which might not be possible, it depends on the ISP),
or to proxy-arp (not especially attractive), or to run the firewalls as
bridges (probably with STP).

Either way it's probably best to discuss this with the ISP. They almost
certainly have other customers who want to route traffic via their own
firewall. CARP doesn't really affect anything, except that you need a
couple of additional addresses outside the firewall.

From previous posts ...:

>>>The external interface should be assigned, say, a.b.c.3 resp.
>>>a.b.c.4.
>>>Give them a netmask of 255.255.255.247. This will allow you 8

This should be .248 (.247 doesn't make sense as a netmask).

>>>Now, since more specific entries trump more generic, the Soekrises
>>>will route a.b.c.0/28 to the outside routers

.248 is /29

For this setup, the ISP would have to configure their routers with
255.255.255.248 netmask on the interface, and add a static route
to a.b.c.0/24 via the CARP address. imho it is confusing to have
overlapping netmasks and if e.g. the ISP has to do emergency work
on the routers, there's more likely to be a problem this way.

The other method is to have the small subnet for the ISP routers
and the routing-firewalls that is separate from the main block,
e.g. d.e.f.0/29

d.e.f.1 ISP router1
d.e.f.2 ISP router2
d.e.f.4 local router1
d.e.f.5 local router2
d.e.f.6 local CARP address

On d.e.f.1 and d.e.f.2, the ISP would add a route sending a.b.c.0/24
traffic to d.e.f.6
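The two addressing schemes above, plus the netmask correction, worked through in a short Python script. This is an added example, not code from the thread or from any of the participants: it uses RFC 5737 documentation ranges as constructed stand-ins (192.0.2.0/24 for a.b.c.0/24, 198.51.100.0/29 for d.e.f.0/29, 203.0.113.9 as an arbitrary outside host), and the route tables are hypothetical illustrations of the longest-prefix rule ("more specific entries trump more generic"), not anyone's actual configuration.

```python
import ipaddress

# Constructed stand-ins for the thread's a.b.c.0/24 and d.e.f.0/29
# (RFC 5737 documentation ranges, so nothing here is a real network).
CUSTOMER_BLOCK = "192.0.2.0/24"   # a.b.c.0/24, routed behind the firewalls
LINK_SUBNET = "198.51.100.0/29"   # d.e.f.0/29, the ISP <-> firewall link net


def netmask_to_prefix(mask):
    """Translate a dotted-quad netmask to a prefix length.

    Raises ValueError for masks that are not a contiguous run of ones,
    e.g. 255.255.255.247 (last octet 11110111), which the thread corrects
    to 255.255.255.248 (11111000), i.e. /29.
    """
    return ipaddress.IPv4Network(("0.0.0.0", mask)).prefixlen


def is_valid_netmask(mask):
    """True if `mask` is a contiguous netmask the kernel would accept."""
    try:
        netmask_to_prefix(mask)
        return True
    except ValueError:
        return False


def lookup(routes, dst):
    """Longest-prefix match over a list of (prefix, next_hop) entries.

    Among all routes that contain dst, the one with the longest prefix
    wins; this is why a /29 carved from a /24 is matched before the /24.
    Returns the next hop (or interface label), or None if nothing matches.
    """
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return best_hop


# Scheme 1 (overlapping netmasks): the firewall's outside interface sits in
# a /29 carved from the very /24 it routes for. The /29 must win for the
# ISP routers (.1 and .2) while the rest of the /24 is sent inside.
FIREWALL_OVERLAP_ROUTES = [
    ("0.0.0.0/0", "192.0.2.1"),     # default route via an ISP router
    ("192.0.2.0/24", "inside"),     # customer block, behind the firewall
    ("192.0.2.0/29", "outside"),    # the link /29, directly attached
]

# Scheme 2 (separate link subnet): ISP routers and firewalls share the /29
# and the ISP adds one static route sending the whole /24 to the CARP
# address (.6), as the last paragraph of the message describes.
ISP_ROUTER_ROUTES = [
    ("198.51.100.0/29", "outside"),        # directly attached link net
    ("192.0.2.0/24", "198.51.100.6"),      # customer block via local CARP
]

# The address plan from the message, mapped onto the stand-in /29.
LINK_HOSTS = {
    "ISP router1": "198.51.100.1",
    "ISP router2": "198.51.100.2",
    "local router1": "198.51.100.4",
    "local router2": "198.51.100.5",
    "local CARP": "198.51.100.6",
}


def link_subnet_plan(subnet, hosts):
    """Check that each planned address is a usable host in `subnet`
    (inside the net and neither the network nor the broadcast address)."""
    usable = set(ipaddress.ip_network(subnet).hosts())
    return {name: ipaddress.ip_address(a) in usable for name, a in hosts.items()}


if __name__ == "__main__":
    print("255.255.255.247 valid?", is_valid_netmask("255.255.255.247"))
    print("255.255.255.248 is /%d" % netmask_to_prefix("255.255.255.248"))
    for dst in ("192.0.2.1", "192.0.2.200", "203.0.113.9"):
        print("firewall (overlap) %s -> %s" % (dst, lookup(FIREWALL_OVERLAP_ROUTES, dst)))
    print("ISP router 192.0.2.200 ->", lookup(ISP_ROUTER_ROUTES, "192.0.2.200"))
    print("link plan:", link_subnet_plan(LINK_SUBNET, LINK_HOSTS))
```

The `lookup` helper is what makes the author's point concrete: in the overlapping scheme the firewall only behaves because /29 beats /24, so any later change to either mask (for instance during emergency work on the ISP side) silently changes which route wins, whereas in the separate d.e.f.0/29 scheme the two prefixes never overlap and the ISP side needs just one static route.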
