On Fri, 17 Aug 2012 15:45:31 -0400, Brian Hechinger <wo...@4amlunch.net> wrote:
> I'm trying to replace my single OpenBSD firewall with a pair of
> redundant firewalls. I've been testing this (thanks to the power of
> VMware) and so far haven't gotten it to work the way I want/need.
[..]
> I'd like OSPF to hand out the carp addresses to the routing tables so
> that pfsync can work its magic when a firewall goes down.
>
> What I've managed to accomplish is one of two things.
>
> 1) OSPF doesn't work at all and never peers up with its neighbor
> 2) OSPF works, but hands out both IPs from the physical interfaces
> and not the carp interface
>
> Does anyone have any experience with getting this setup working? I
> can provide configurations done on the openbsd boxes but really it's
> nothing special that I've done.

We have another setup, especially without Cisco but with CARP and OSPF as well.

Which version of OpenBSD are you running?

What says

  /usr/sbin/ospfctl show rib
  /usr/sbin/ospfctl show interfaces

? Your ospfd.conf?

Very generally speaking: "real" interfaces should get configured if they connect OSPF-enabled routers. And CARP interfaces should only get configured with the option { passive }. If they belong to the same network it might be necessary to play with metrics.

In that case it's often better to leave out the CARP interfaces because the Ciscos don't need them - they have OSPF to handle load balancing or failover of the OpenBSD boxes. But OK, I understand that you prefer CARP in order to make pf keep track of open connections during failover.

BTW: Using "ospfctl reload" after a change in configuration or network topology sometimes has no effect. It might be necessary to kill and restart ospfd.

RU, Tobias.
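The layout Tobias describes, written out as an ospfd.conf fragment. This is an added illustration, not a configuration posted by anyone in this thread; the interface names (em0, carp0), router ID, area and metric values are assumed for the example.

```conf
# /etc/ospfd.conf -- example for one of two CARP-paired OpenBSD firewalls
# (constructed illustration; names and addresses are assumed)

# Each firewall needs its own unique router-id.
router-id 10.0.0.1

area 0.0.0.0 {
        # "Real" interface facing the OSPF-enabled neighbours (e.g. the Ciscos).
        # Hellos are sent and adjacencies form here.
        interface em0 {
                metric 10
                hello-interval 10
                router-dead-time 40
        }

        # CARP interface carrying the shared VIP. "passive" means the prefix
        # is advertised into OSPF but no hellos are sent on it, so the two
        # firewalls never try to peer with each other over the same VIP.
        # If carp0 and em0 share a network, adjust the metrics so the CARP
        # route is preferred.
        interface carp0 {
                passive
                metric 5
        }
}
```

After editing, verify with `ospfctl show interfaces` (carp0 should show as passive) and `ospfctl show rib`; if `ospfctl reload` does not pick up the change, restart ospfd as noted above.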