On 16/07/2010 8:08 PM, Keith wrote:
We have set up carp on a pair of firewalls and are a bit confused with
how both LAN/WAN interfaces are meant to fail over simultaneously
(group?). We are still in the process of getting the firewall rules
set up correctly for our environment and occasionally when we make
changes to (fw1) we mess up and carp kicks in and makes the live wan
(em2) interface move from fw1 to fw2. This is OK but on the LAN side
the (em0) interface is still on fw1?
We have net.inet.carp.preempt=1 set and I believe this is meant to do
some group interface failover but can't see how. Can someone help?
   +--------| WAN |--------+
   |                       |
em2|                       |em2
+-----+                 +-----+
| fw1 |-em1---------em1-| fw2 |
+-----+                 +-----+
em0|                       |em0
   |                       |
---+--------- LAN ---------+---
Thanks
Keith
Hey Keith,
It would really help to get a better picture of your situation (and
possibly provide more concrete help) if you could at least provide the
following for each host:
Output from ifconfig, such as
# ifconfig carp
We have no idea without the above information whether there may be a
configuration error on the carp interface creation, that will be a
simple solution if it is.
Show us the PF configuration file /etc/pf.conf
/etc/pf.conf should obviously have something like the below in it.
pass quick on {em0 em2} proto carp keep state (no-sync)
pass quick on em1 proto pfsync keep state (no-sync)
Check that communication between the carp interfaces (em0, and em0)
correctly sends/receives carp advertising etc.
Good luck,
Sam T.
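
Added example (not part of the original thread): a small sh/awk check for the symptom described in the question, where one host is MASTER on one carp interface and BACKUP on the other. It assumes OpenBSD-style `ifconfig carp` output with a "carp: STATE carpdev DEV ..." line; the function names and sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example. Input format is assumed (OpenBSD-style `ifconfig carp` output).

# carp_states: print "<carp-if> <carpdev> <STATE>" per carp interface on stdin.
carp_states() {
    awk '
        /^carp[0-9]+:/ { ifname = $1; sub(/:$/, "", ifname) }
        $1 == "carp:" {
            dev = "-"
            for (i = 2; i < NF; i++) if ($i == "carpdev") dev = $(i + 1)
            print ifname, dev, $2
        }'
}

# carp_verdict: "consistent <STATE>" if all carp interfaces agree,
# "split" if they differ, "none" if no carp interface was found.
carp_verdict() {
    carp_states | awk '
        {
            if (!($3 in seen)) { seen[$3] = 1; kinds++ }
            last = $3
        }
        END {
            if (kinds == 0) print "none"
            else if (kinds == 1) print "consistent " last
            else print "split"
        }'
}

# Constructed sample for fw1: LAN (em0) still MASTER, WAN (em2) failed over.
SPLIT_SAMPLE='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        inet 192.0.2.1 netmask 0xffffff00
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev em2 vhid 2 advbase 1 advskew 0
        inet 198.51.100.1 netmask 0xffffff00'

# Constructed sample: both carp interfaces in the same state.
HEALTHY_SAMPLE='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev em0 vhid 1 advbase 1 advskew 100
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev em2 vhid 2 advbase 1 advskew 100'

# On a live host: ifconfig carp | carp_verdict
printf '%s\n' "$SPLIT_SAMPLE" | carp_states
printf '%s\n' "$SPLIT_SAMPLE" | carp_verdict
```

A "split" verdict on either firewall means traffic can enter through one box and leave through the other, which is the state described in the question.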