On Thu, Jul 26, 2018 at 04:57:09PM -0400, Martin Gignac wrote:
> Hi,
> 
> How does one implement a redundant OpenBSD firewall pair with IPv6?
> 
> With IPv4 I would use CARP to have one of the boxes be the
> master/active while the other one is backup/standby. But with IPv6 I
> want to use Router Advertisements so that hosts on the internal
> network can use SLAAC for IPv6 address autoconfiguration. Therefore
> hosts will receive RAs from both OpenBSD boxes and set both as
> possible default GWs in their routing table.
> 
> In that case, how do I get the internal hosts to send all traffic to
> the "primary" firewall? I've configured the CARP interface on the box
> with IPv6, but the RAs are still sent from both boxes (master and
> backup) so the RA-configured hosts don't end up using the IPv6 CARP
> VIP at all and I seem to end up with possible asymmetric firewall
> flows.
> 
> Thanks,
> -Martin

rtadvd will only start on the master, because the interface has to
be active. With ifstated, you can automate this (starting, stopping).
I don't know if rad is also dependent on the interface, but once you
have the ifstated in place, you would just need to change the name of
the daemon and restart ifstated.

hth,
Marc
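
The ifstated approach described in the reply above, sketched as an /etc/ifstated.conf. This is an added example, not part of the original message. The interface name carp0 and the rcctl start/stop commands are assumptions; adjust them to the local setup, and swap the daemon name for rad as the reply suggests.

```conf
# /etc/ifstated.conf (added example; carp0 and the rcctl commands are assumptions)
# Goal: only the CARP master sends Router Advertisements, so SLAAC hosts
# learn a single default gateway and flows stay symmetric.

init-state auto

# True while the CARP interface is in the master state.
carp_up = "carp0.link.up"

# Decide the initial role when ifstated starts.
state auto {
	if $carp_up
		set-state master
	if ! $carp_up
		set-state backup
}

# This box holds the CARP VIP: advertise as the IPv6 router.
state master {
	init {
		# -f starts the daemon even though it is not enabled at boot,
		# so it never comes up on both boxes after a reboot.
		run "rcctl -f start rtadvd"
	}
	if ! $carp_up
		set-state backup
}

# This box is standby: stay silent so hosts do not install it as a gateway.
state backup {
	init {
		run "rcctl stop rtadvd"
	}
	if $carp_up
		set-state master
}
```

Running `ifstated -n` checks the file for syntax errors without starting the daemon.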
