On Fri, Oct 13, 2006 at 11:57:57AM +0200, Ronnie Garcia wrote:
> stan wrote:
> >On Fri, Oct 13, 2006 at 08:44:15AM +0200, Claudio Jeker wrote:
> >>On Thu, Oct 12, 2006 at 10:40:57PM -0400, stan wrote:
> >>>Is it feasible to run ospf on a carp pair of firewalls?
> >>>Is there any documentation as to how to do this?
> >>>
> >>OSPF does not work on carp(4) interfaces. If you use "interface carp0"
> >>ospfd will enforce it to be "passive".
> >>A link state protocol can not run on a failover interface because the
> >>result is not predictable.
> >
> >Thanks.
> >
> >Is there an alternative way to accomplish this?
> >
> >What I'm trying to do is fairly simple. I have a couple of networks
> >with OpenBSD CARP's redundant firewalls connecting to a corporate
> >administered network. The corporate network runs OSPF. I don't want
> >to have to depend on static routes to these networks, as corporate
> >keeps losing the static routes.
>
> I'm also interested in this problem since you (Claudio) told me two
> days ago, in the thread "OSPFd, CARP and pfsync" :
>
> "It is far better to just prefer the active router over the other. (This
> is actually what OpenOSPFD does (it announces the network only on the
> active router))"
>
> Which I understood as only the active firewall (the one owning the
> shared CARP IP) will announce routes thru OSPF over the CARP interface.
>

In a carp(4)/pfsync(4) setup you have only one active firewall and so the
active firewall needs to announce the network into the OSPF cloud. Now if a
failover happens the other router needs to take over. As soon as the
link-state of the carp(4) interface goes up it will start announcing that
network.

See also http://www.openbsd.org/papers/eurobsd2005/claudio/mgp00023.html

-- 
:wq Claudio
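
An added example, not part of the messages above and not taken from the OpenBSD project: a minimal ospfd.conf that each of the two firewalls could carry for the setup discussed in this thread. The interface names (em0, carp0), the router-id and the area number are assumptions chosen for illustration.

```conf
# /etc/ospfd.conf, one copy per firewall (constructed example)
#
# em0   : physical interface facing the corporate OSPF network (assumed name)
# carp0 : carp(4) interface carrying the shared address of the
#         protected network (assumed name)

# Constructed value; each firewall needs its own router-id.
router-id 192.0.2.1

# Area number is an assumption; use the area the corporate routers expect.
area 0.0.0.0 {
	# OSPF adjacencies with the corporate routers form on the
	# physical interface, never on the failover interface.
	interface em0

	# ospfd forces a carp(4) interface to passive: no hellos are
	# sent on it, and its network is announced only while the
	# carp link state is up, that is, only by the active firewall.
	interface carp0
}
```

After a failover the backup firewall's carp0 link state goes up and its ospfd begins announcing the network, so the corporate side needs no static routes to either firewall.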