While trying to "transpose" a working two-stage active-passive firewall from an enterprise network with a _fixed_ public Internet address to a much smaller home setup that must live with a _dynamic_ public IP address assigned by the DHCP server of my ISP, I observe that running dhclient(8) on carp(4) interface does not work as expected:
[EMAIL PROTECTED]:root]# ifconfig carp11 carpdev fxp0 vhid 11 up
[EMAIL PROTECTED]:root]# ifconfig carp11
carp11: flags=8803<UP,BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:0b
        carp: INIT carpdev fxp0 vhid 11 advbase 1 advskew 0
        groups: carp
        inet6 fe80::200:5eff:fe00:10b%carp11 prefixlen 64 scopeid 0x8
[EMAIL PROTECTED]:root]# ifconfig fxp0
fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:20:e0:68:fe:6c
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::220:e0ff:fe68:fe6c%fxp0 prefixlen 64 scopeid 0x1
        inet 10.0.0.201 netmask 0xffffff00 broadcast 10.0.0.255
[EMAIL PROTECTED]:openvpn]# dhclient carp11
DHCPDISCOVER on carp11 to 255.255.255.255 port 67 interval 2
send_packet: Network is unreachable
DHCPDISCOVER on carp11 to 255.255.255.255 port 67 interval 2
send_packet: Network is unreachable
DHCPDISCOVER on carp11 to 255.255.255.255 port 67 interval 2
send_packet: Network is unreachable
DHCPDISCOVER on carp11 to 255.255.255.255 port 67 interval 2
send_packet: Network is unreachable
^C

It appears that dhclient does not like the fact that carp11 is in INIT state.
Try a naive work-around and bring carp11 into MASTER state by assigning a fixed alias IP address to it:

[EMAIL PROTECTED]:root]# ifconfig carp11 1.2.3.4 netmask 255.255.255.0 up
[EMAIL PROTECTED]:root]# ifconfig carp11
carp11: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:0b
        carp: BACKUP carpdev fxp0 vhid 11 advbase 1 advskew 0
        groups: carp
        inet6 fe80::200:5eff:fe00:10b%carp11 prefixlen 64 scopeid 0x8
        inet 1.2.3.4 netmask 0xffffff00 broadcast 1.2.3.255
[EMAIL PROTECTED]:root]# dhclient carp11
DHCPDISCOVER on carp11 to 255.255.255.255 port 67 interval 1
DHCPDISCOVER on carp11 to 255.255.255.255 port 67 interval 2
DHCPDISCOVER on carp11 to 255.255.255.255 port 67 interval 5
DHCPDISCOVER on carp11 to 255.255.255.255 port 67 interval 8
DHCPDISCOVER on carp11 to 255.255.255.255 port 67 interval 11
DHCPDISCOVER on carp11 to 255.255.255.255 port 67 interval 16
^C
[EMAIL PROTECTED]:root]# tcpdump -i fxp0 -n port 67 or port 68
tcpdump: listening on fxp0, link-type EN10MB
12:40:57.000270 0.0.0.0.68 > 255.255.255.255.67: xid:0xf2d76fa5 ether 00:00:5e:00:01:0b [|bootp] [tos 0x10]
12:40:57.031501 10.0.0.2.67 > 10.0.0.202.68: xid:0xf2d76fa5 Y:10.0.0.202 S:10.0.0.4 ether 00:00:5e:00:01:0b [|bootp] [tos 0x10]
12:40:58.011180 0.0.0.0.68 > 255.255.255.255.67: xid:0xf2d76fa5 secs:2 ether 00:00:5e:00:01:0b [|bootp] [tos 0x10]
12:40:58.019206 10.0.0.2.67 > 10.0.0.202.68: xid:0xf2d76fa5 secs:2 Y:10.0.0.202 S:10.0.0.4 ether 00:00:5e:00:01:0b [|bootp] [tos 0x10]
12:41:00.017143 0.0.0.0.68 > 255.255.255.255.67: xid:0xf2d76fa5 secs:4 ether 00:00:5e:00:01:0b [|bootp] [tos 0x10]
12:41:00.020060 10.0.0.2.67 > 10.0.0.202.68: xid:0xf2d76fa5 secs:4 Y:10.0.0.202 S:10.0.0.4 ether 00:00:5e:00:01:0b [|bootp] [tos 0x10]
12:41:05.027505 0.0.0.0.68 > 255.255.255.255.67: xid:0xf2d76fa5 secs:9 ether 00:00:5e:00:01:0b [|bootp] [tos 0x10]
12:41:05.036755 10.0.0.2.67 > 10.0.0.202.68: xid:0xf2d76fa5 secs:9 Y:10.0.0.202 S:10.0.0.4 ether 00:00:5e:00:01:0b [|bootp] [tos 0x10]
12:41:13.038056 0.0.0.0.68 > 255.255.255.255.67: xid:0xf2d76fa5 secs:17 ether 00:00:5e:00:01:0b [|bootp] [tos 0x10]
12:41:13.053316 10.0.0.2.67 > 10.0.0.202.68: xid:0xf2d76fa5 secs:17 Y:10.0.0.202 S:10.0.0.4 ether 00:00:5e:00:01:0b [|bootp] [tos 0x10]
12:41:24.048927 0.0.0.0.68 > 255.255.255.255.67: xid:0xf2d76fa5 secs:28 ether 00:00:5e:00:01:0b [|bootp] [tos 0x10]
12:41:24.057559 10.0.0.2.67 > 10.0.0.202.68: xid:0xf2d76fa5 secs:28 Y:10.0.0.202 S:10.0.0.4 ether 00:00:5e:00:01:0b [|bootp] [tos 0x10]
^C
218 packets received by filter
0 packets dropped by kernel

The DHCP server (dhcpd) at 10.0.0.2 replies and assigns the dynamic address 10.0.0.202 to the requesting client. However, dhclient on carp11 apparently does "never get it".

Additional info:

- The firewall clusters at work and at home both run i486-current;
- The setup works fine if a fixed IP address is statically assigned to the CARP interface;
- Searching the archives showed that others also stumbled across this difficulty earlier:
  http://archives.neohapsis.com/archives/openbsd/2005-11/2665.html
- Apparently, one solution was to write some scripts that bring dhclient up and down whenever one of the cluster's external interfaces goes up or down, eventually using ifstated(8). In response to
  http://undeadly.org/cgi?action=article&sid=20071012140725&mode=expanded
  someone offered his scripts to what seems to be exactly a solution to my problem:
  http://undeadly.org/cgi?action=article&sid=20071012140725&pid=2
  But, so far, I was unable to locate it.

Were those scripts ever published later? Is there a specific reason why dhclient does run on the CARP interface as I expected? Or, was it not implemented because there is not really a need for this? Are there simply better solutions, for example using ifstated?
Otherwise, OpenBSD performs amazingly well in this SOHO setup which uses two recycled old Nokia IP120 boxes (scrapped IPSO/Checkpoint FW-1 for OpenBSD) for the firewall cluster at the inner stage, and two WRAP for the firewall cluster at the outer stage. Thanks for any suggestions and pointers, Rolf
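The ifstated-driven approach the post refers to, as an added illustration that is not the scripts mentioned in the post nor anything from the OpenBSD project: a hook that reads the "carp: MASTER/BACKUP/INIT" line of ifconfig(8) output for a CARP interface and starts dhclient only while the node is MASTER, stopping it when the node falls back to BACKUP or INIT (so the backup node never holds a lease, and the lease is only ever requested by the node that actually owns the virtual MAC). The interface name, the assumption that ifstated(8) invokes the hook with the interface as its first argument, and the sample ifconfig text are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether dhclient(8)
# should run on a CARP interface from its ifconfig(8) state line.

# Extract the CARP state word ("MASTER", "BACKUP", "INIT") from ifconfig text.
# $1 is the full ifconfig output for one interface.
carp_state() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*carp: \([A-Z]*\).*/\1/p' \
        | head -n 1
}

# Map a CARP state to the action the hook should take for dhclient.
# Only the MASTER node answers for the virtual MAC, so only it may lease.
dhclient_action() {
    case "$1" in
        MASTER)      echo start ;;
        BACKUP|INIT) echo stop ;;
        *)           echo unknown ;;
    esac
}

# Constructed sample, mirroring the ifconfig output in the post above.
SAMPLE_BACKUP='carp11: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:0b
        carp: BACKUP carpdev fxp0 vhid 11 advbase 1 advskew 0
        groups: carp'

SAMPLE_MASTER='carp11: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:0b
        carp: MASTER carpdev fxp0 vhid 11 advbase 1 advskew 0
        groups: carp'

# Hook body, assumed to be called by ifstated(8) on each state change as
# "carp-dhcp-hook.sh carp11". It is only run when an interface name is given,
# so sourcing or testing this file does not touch the live system.
run_hook() {
    ifc=$1
    state=$(carp_state "$(ifconfig "$ifc" 2>/dev/null)")
    case $(dhclient_action "$state") in
        start)
            # start dhclient once; do not spawn a second one on repeated events
            pgrep -f "dhclient.*${ifc}" >/dev/null || dhclient "$ifc"
            ;;
        stop)
            # release the lease holder on the node that lost MASTER
            pkill -f "dhclient.*${ifc}"
            ;;
        *)
            echo "$ifc: unrecognised CARP state '$state'" >&2
            ;;
    esac
}

[ $# -ge 1 ] && run_hook "$1"
```

The hook is idempotent per event: repeated MASTER notifications do not stack dhclient processes, and a BACKUP transition always ends with no dhclient bound to the interface. Pair it with a pf rule that only permits DHCP traffic on the external interface, and log each transition so that an unexpected MASTER flap on the outer stage is visible in the cluster's logs.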