Hello,

What doesn't make sense is giving the same IP to two different carp interfaces in the same machine! You are looking for interface bonding (trunk is the name openbsd uses I think!). Just trunk the two interfaces for each machine and then configure a carp for the trunk interface. If one interface fails it should fail over to the next one instead of failing over to the other node.

But even this way, if one nic fails, the other one is connected to a backup node, meaning you will get no traffic passing by... To bypass this you could use ifstated and monitor each interface and have the other firewall switch over in case of a nic failure in the other firewall. Looks like a mess (already late so my brain is tired and maybe not seeing the whole picture!).

John

On 14/04/2008, Mikael Kermorgant <[EMAIL PROTECTED]> wrote:
> > > What's the point behind this setup? It doesn't make any sense!
> > >
> > > John
>
> Well, it makes some sort of sense for me (but as I'm no expert, could
> be a sweet dream :) ) so it's best I try to share what I'm looking for:
>
> There are 2 levels of firewalls:
> 1st with fw1 & fw2 protects from internet and manages DMZ
> 2nd with ifw1 & ifw2 manages inter-vlan filtering
>
> I'd like to achieve high availability across these 2 levels, without
> the need for a switch between, hence the four red cables.
> To be precise, it's also because I want to be able to unplug ifw1
> (which leads ifw2 to take over) without having fw2 taking over fw1
> (which would be the case if I only had one nic toward the inside on
> fw1).
>
> Therefore, if you unplug the link between ifw1 and fw1 (pcn2), pcn3 on
> fw1 should be elected as master and talk to the new master on the
> other side.
>
> So, have I changed your mind about it?
>
> Best regards,
>
> --
>
> Mikael Kermorgant
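The trunk-plus-carp layout John describes, written out as OpenBSD hostname.if(5) files. This is an added example, not configuration from the thread; pcn2 and pcn3 are the interface names Mikael mentions, while the address, vhid and password are placeholders to replace.

```conf
# /etc/hostname.pcn2 and /etc/hostname.pcn3 (one file each): physical
# ports carry no address of their own, they are only trunk members
up

# /etc/hostname.trunk0: failover trunk, pcn2 is the active port and
# pcn3 takes over only when pcn2 loses link
trunkproto failover trunkport pcn2 trunkport pcn3 up

# /etc/hostname.carp0: the shared address rides on trunk0, so losing a
# single link moves traffic to the other port instead of demoting the
# node. Address, vhid and password are assumed placeholders; the peer
# (fw2) uses the same vhid and password with a higher advskew.
inet 10.0.0.1 255.255.255.0 10.0.0.255 vhid 1 pass CHANGE_ME carpdev trunk0 advskew 0
```

As John notes, pcn3 on fw1 lands on ifw2, the other tier's backup, so a trunk failover alone does not make ifw2 master; that cross-tier coordination is what his ifstated suggestion is meant to cover.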