Hi Federico,
Did you try to change the balancing mode to ip-unicast or ip-stealth?
From carp(4):

IP balancing is activated by setting the *balancing* mode to /ip/. This is
the recommended default setting. In this mode, carp uses a multicast MAC
address, so that a switch sends incoming traffic towards all nodes.
However, there are a few OS and routers that do not accept a multicast
MAC address being mapped to a unicast IP. This can be resolved by using
one of the following unicast options. For scenarios where a hub is used
it is not necessary to use a multicast MAC and it is safe to use the
/ip-unicast/ mode. Manageable switches can usually be tricked into forwarding
unicast traffic to all cluster nodes' ports by configuring them into some
sort of monitoring mode. If this is not possible, using the /ip-stealth/
mode is another option, which should work on most switches. In this mode
*carp* never sends packets with its virtual MAC address as source. Stealth
mode prevents a switch from learning the virtual MAC address, so that it
has to flood the traffic to all its ports. Please note that activating
stealth mode on a *carp* interface that has already been running might not
work instantly. As a workaround the VHID of the first carpnode can be
changed to a previously unused one, or just wait until the MAC table
entry in the switch times out. Some Layer-3 switches do port learning
based on ARP packets. Therefore the stealth mode cannot hide the virtual
MAC address from these kinds of devices.

If IP balancing is being used on a firewall, it is recommended to
configure the *carpnodes* in a symmetrical manner. This is achieved by simply
using the same *carpnodes* list on all sides of the firewall. This ensures
that packets of one connection will pass in and out on the same host and
are not routed asymmetrically.
Cheers,
Rosen
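The balancing modes and the symmetrical carpnodes recommendation quoted above, as an added example that is not part of Rosen's reply or of carp(4): a sh script that generates the hostname.carp0 (external) and hostname.carp1 (internal) files for a two-node active/active firewall using ip-stealth, and checks the two properties the man page asks for: the same carpnodes list on both sides of each host, and a single preferred master (lowest advskew) per VHID across the two hosts. The interface names em0/em1, the 192.0.2.0/24 and 10.0.0.0/24 addresses, the VHIDs and the pass phrase are placeholders; the ifconfig keywords are the carpnodes/balancing syntax quoted from carp(4).

```shell
#!/bin/sh
# Added example (not from the mailing-list post or carp(4)): hostname.carpN
# generator and consistency checks for a two-node IP-balancing carp cluster.
# All names, addresses, VHIDs and the pass phrase below are placeholders.

# Per-node carpnodes list: "vhid:advskew,vhid:advskew". Both nodes list the
# same VHIDs; the node with advskew 0 for a VHID is that VHID's preferred
# master. Node A owns VHID 1, node B owns VHID 2, so traffic hashed to either
# VHID is split between the two hosts.
carpnodes_for() {
    case "$1" in
        A) printf '%s\n' '1:0,2:100' ;;
        B) printf '%s\n' '1:100,2:0' ;;
        *) return 1 ;;
    esac
}

# Print the contents of /etc/hostname.carpN for node $1 on side $2 (ext|int).
# The same carpnodes list is used on both sides of the same host, which is
# what carp(4) calls a symmetrical configuration: a flow hashed to VHID 1 is
# handled by node A on the way in and on the way back out.
carp_hostname_file() {
    node=$1; side=$2
    nodes=$(carpnodes_for "$node") || return 1
    case "$side" in
        ext) addr=192.0.2.1; mask=255.255.255.0; bcast=192.0.2.255; dev=em0 ;;
        int) addr=10.0.0.1;  mask=255.255.255.0; bcast=10.0.0.255;  dev=em1 ;;
        *) return 1 ;;
    esac
    printf 'inet %s %s %s balancing ip-stealth carpnodes %s carpdev %s pass %s\n' \
        "$addr" "$mask" "$bcast" "$nodes" "$dev" "PLACEHOLDER_PASSPHRASE"
}

# Extract the carpnodes list from a hostname.carp line read on stdin.
carpnodes_of_file() {
    sed -n 's/.*carpnodes \([^ ]*\).*/\1/p'
}

# Return 0 when the two carpnodes lists name the same VHIDs and every VHID
# has exactly one node with the lowest advskew (one preferred master), which
# is the condition for the hash buckets to be split cleanly between hosts.
carpnodes_consistent() {
    printf '%s\n%s\n' "$1" "$2" | awk -F, '
    {
        for (i = 1; i <= NF; i++) {
            split($i, p, ":")
            adv = p[2] + 0
            seen[NR, p[1]] = 1
            vhids[p[1]] = 1
            if (!(p[1] in min) || adv < min[p[1]]) { min[p[1]] = adv; cnt[p[1]] = 1 }
            else if (adv == min[p[1]]) cnt[p[1]]++
        }
    }
    END {
        for (v in vhids) {
            if (!((1, v) in seen) || !((2, v) in seen)) exit 1
            if (cnt[v] != 1) exit 1
        }
        exit 0
    }'
}

# Stand-alone run: print the four files that would be installed.
for node in A B; do
    printf '# node %s: /etc/hostname.carp0 (external)\n' "$node"
    carp_hostname_file "$node" ext
    printf '# node %s: /etc/hostname.carp1 (internal)\n' "$node"
    carp_hostname_file "$node" int
done
```

Running the script prints the four files; the checks are meant to be run before the files are copied to the two hosts, since a mismatch between the external and internal carpnodes lists produces exactly the asymmetric routing the man page warns about, and two nodes claiming the lowest advskew for one VHID leaves that bucket's master to the tie-break rather than to the design.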
Federico wrote, On 7/16/2009 2:01 AM:
active/active pfsync works absolutely fine, if you have some way to
send traffic to both firewalls. one way you can do that is if you run
OSPF on the firewalls and the router/s in front of them and enable
multipath.
Ok, but I'd like the firewalls to share their load, so the traffic coming
from the Internet is managed by both machines (behind those firewalls I
have a group of web servers).
Maybe I'm missing the point with active/active and load balancing?