> A shot in the dark: Are you sure that CARP traffic flows freely between the two firewalls, and that they both have the same password? That the IP setup is generally consistent?

All I can say about that is that when I set this up and tested it, everything seemed to be working fine. I was able to tcpdump and see pfsync traffic across the interfaces on both firewalls. I manually failed the primary over to the secondary at that time and it worked. All of this seemed to start happening when I added and then removed the alias from the WAN interface. I've double and triple checked the config on that interface and I can't see that anything is amiss.

> (E.g. I have trouble with what you call a "WAN" interface - those interfaces that I am aware of should not be able to support CARP operation because they are point-to-point interfaces.)

There is a switch between the firewall and the ISP's router.

> I've seen this, too, and tracked it down to be either a misconfiguration (e.g. a typo) or overlapping networks.

I use class C networks, and they don't overlap like what you described.

> Try "sh netstart <broken-interface>" to see proper error messages.

I tried this and got denied permission. I don't see anything useful in the man page on this. Is there something I'm missing?

Thanks a lot for taking the time to reply.

Jon

--
View this message in context: http://www.nabble.com/CARP-issues-4.3-tp21322265p21336067.html
Sent from the openbsd user - misc mailing list archive at Nabble.com.