You cannot get internet access on a backup carp interface, period.

I have seen what you see before, and it comes from not starting things
up in proper order manually, i.e. configuring a system, and not
rebooting it after it was configured so that boot time configs get
processed in proper order.

The only way you are going to get a default route going out a carp
interface is if you have the carp interface configured first prior
to a physical interface for a given network that the default route's
gateway is on.

Please note that /etc/netstart via the 'ifmstart' function starts
trunk/vlan/carp interfaces after normal interfaces, so you should
have gotten the first route in your routing table mentioned below
to go out the physical interface not the carp interface.

Your best bet is to reboot and let the scripts that are designed to
do this in the proper order for you do so, as you not only have the
default route but the route to the network your default gateway is
on going through the carp interface.

As a corollary, for those ISPs who think there is only need for a
single /30 for a client's router, the concept of failover routers
means 1 physical IP per router, and 1 IP for the failover IP, aka
3 IPs for the client side, dictating a /29.  (sorry for this
paragraph, but I am not happy with a particular upstream which
thinks otherwise and is not willing to change).

Thanks,
-- 
Todd Fries .. t...@fries.net

 _____________________________________________
|                                             \  1.636.410.0632 (voice)
| Free Daemon Consulting, LLC                 \  1.405.227.9094 (voice)
| http://FreeDaemonConsulting.com             \  1.866.792.3418 (FAX)
| "..in support of free software solutions."  \          250797 (FWD)
|                                             \
 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
                                                 
              37E7 D3EB 74D0 8D66 A68D  B866 0326 204E 3F42 004A
                        http://todd.fries.net/pgp.txt

Penned by Michiel van Baak on 20090221 12:24.02, we have:
| Hi all,
| 
| I'm having some trouble with a two-node CARP setup.
| 
| Configuration:
| 
| HostA
| /etc/hostname.em0
| inet XXX.XXX.XXX.196 255.255.255.244 XXX.XXX.XXX.223 \
|       media 100baseTX mediaopt full-duplex description External
| 
| /etc/hostname.em1
| inet 192.168.10.2 255.255.255.0 192.168.10.255 \
|       media 100baseTX mediaopt full-duplex description Internal
| 
| /etc/hostname.em2
| inet 10.10.10.1 255.255.255.0 10.10.10.255 \
|       media 100baseTX mediaopt full-duplex description pfsync
| 
| /etc/hostname.pfsync0
| up syncdev em2
| 
| /etc/hostname.carp0
| inet XXX.XXX.XXX.198 255.255.255.224 XXX.XXX.XXX.223 vhid 1 pass foo
| inet alias XXX.XXX.XXX.199 255.255.255.224 NONE
| inet alias XXX.XXX.XXX.200 255.255.255.224 NONE
| inet alias XXX.XXX.XXX.201 255.255.255.224 NONE
| inet alias XXX.XXX.XXX.202 255.255.255.224 NONE
| inet alias XXX.XXX.XXX.203 255.255.255.224 NONE
| 
| /etc/hostname.carp1
| inet 192.168.10.1 255.255.255.0 192.168.10.255 vhid 2 pass bar
| 
| $ cat /etc/sysctl.conf | grep -v '^#'
| net.inet.ip.forwarding=1 # 1=Permit forwarding (routing) of IPv4 packets
| net.inet.carp.preempt=1  # 1=Enable carp(4) preemption
| 
| HostB
| Almost the same, but using XXX.XXX.XXX.197 on em0 and 192.168.10.3 on
| em1 and 10.10.10.2 on em2 and the carp interfaces have advskew 100
| configured so the box is BACKUP
| 
| Now the problem:
| I can reach XXX.XXX.XXX.196 and all configured aliases without trouble.
| I can ssh in, relayd relays are working fine and all. If the box goes
| down or loses connection the second box takes over and everyone is
| happy.
| BUT, I cannot reach XXX.XXX.XXX.197 when HostB is in backup state.
| My suspicion is that this is a routing issue. Looking at the output of
| route -n show:
| 
| HostA:
| $ route -n show -inet  
| Routing tables
| 
| Internet:
| Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
| default            XXX.XXX.XXX.193      UGS        9 53475499     -    48 carp0
| 10.10.10/24        link#3             UC         1        0     -    48 em2
| 10.10.10.2         00:15:17:95:c4:43  UHLc       0     1207     -    48 em2
| XXX.XXX.XXX.192/27   link#6             UC        21        0     -    48 carp0
| XXX.XXX.XXX.193      00:00:5e:00:01:0c  UHLc       1        0     -    48 carp0
| XXX.XXX.XXX.194      00:17:cb:ab:81:fe  UHLc       0        0     -    48 carp0
| XXX.XXX.XXX.195      00:19:e2:0c:31:fe  UHLc       0        0     -    48 carp0
| XXX.XXX.XXX.196      00:15:17:9f:3d:88  UHLc       0        3     -    48 lo0
| XXX.XXX.XXX.196/30   link#1             UC         1        0     -    48 em0
| XXX.XXX.XXX.198      XXX.XXX.XXX.198      UH         0        5     -    48 carp0
| XXX.XXX.XXX.199      XXX.XXX.XXX.199      UH         0        3     -    48 carp0
| XXX.XXX.XXX.200      00:00:5e:00:01:01  UHLc       0        6     -    48 lo0
| XXX.XXX.XXX.201      00:00:5e:00:01:01  UHLc       0        5     -    48 lo0
| XXX.XXX.XXX.202      00:00:5e:00:01:01  UHLc       0        8     -    48 lo0
| 
| HostB:
| $ route -n show -inet
| Routing tables
| 
| Internet:
| Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
| default            XXX.XXX.XXX.193      UGS        0   190387     -    48 carp0
| 10.10.10/24        link#3             UC         1        0     -    48 em2
| 10.10.10.1         00:15:17:95:c2:b6  UHLc       0      565     -    48 em2
| XXX.XXX.XXX.192/27   link#6             UC         1        0     -    48 carp0
| XXX.XXX.XXX.193      link#6             UHLc       1        0     -    48 carp0
| XXX.XXX.XXX.196/30   link#1             UC         0        0     -    48 em0
| 
| 
| Any pointers to get this setup correctly so I can reach the addresses on
| the physical interfaces of both boxen, no matter in what CARP state they
| are?
| 
| 
| -- 
| 
| Michiel van Baak
| mich...@vanbaak.eu
| http://michiel.vanbaak.eu
| GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD
| 
| "Why is it drug addicts and computer aficionados are both called users?"
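
Added example, not part of either message: a small Python check that reads captured `route -n show -inet` output (one route per line) and reports the two conditions the reply points out, a default route bound to a carp interface and the connected route to the gateway's network bound to a carp interface. The sample table is constructed, with 192.0.2.0/24 documentation addresses standing in for the masked ones; the function names are hypothetical.

```python
import ipaddress

# Constructed sample in the layout of `route -n show -inet`;
# 192.0.2.x documentation addresses replace the masked addresses.
SAMPLE = """\
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            192.0.2.193        UGS        0   190387     -    48 carp0
10.10.10/24        link#3             UC         1        0     -    48 em2
192.0.2.192/27     link#6             UC         1        0     -    48 carp0
192.0.2.193        link#6             UHLc       1        0     -    48 carp0
192.0.2.196/30     link#1             UC         0        0     -    48 em0
"""

def parse_net(dest):
    """Expand abbreviated destinations such as 10.10.10/24 to a network."""
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{addr}/{plen or 32}", strict=False)

def carp_route_findings(route_output):
    """Return warnings when the default route, or the connected route that
    covers its gateway, is bound to a carp interface."""
    default, connected = None, []
    for line in route_output.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] == "Destination":
            continue  # skip headers, blank lines and wrapped rows
        dest, gw, flags, iface = f[0], f[1], f[2], f[7]
        if dest == "default":
            default = (ipaddress.ip_address(gw), iface)
        elif gw.startswith("link#") and "C" in flags and "/" in dest:
            connected.append((parse_net(dest), iface))
    findings = []
    if default is None:
        return findings
    gw, iface = default
    if iface.startswith("carp"):
        findings.append(f"default route via {gw} is bound to {iface}")
    # Longest-prefix connected route that contains the gateway address
    covering = [(n, i) for n, i in connected if gw in n]
    if covering:
        net, i = max(covering, key=lambda c: c[0].prefixlen)
        if i.startswith("carp"):
            findings.append(f"route to gateway network {net} is bound to {i}")
    return findings
```

An empty list means neither route is bound to a carp interface; on the constructed sample both findings are returned.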
