I can't get failover of a bridging firewall to work using CARP and OpenBSD 3.7.

All the documentation + googling I've done leads me to believe it
*should* work.  I think.  But with everything set up, all I get is a
flood of ARP requests that paralyzes the network and the firewalls.

The setup:

Two computers, each with 4 Ethernet ports:

fxp0 -- WAN -- no IP address
rl0 -- LAN -- no IP address
rl1 -- SSH -- public IP address
rl2 -- pfsync -- directly connected to the other computer; IPs are
10.0.0.1 and 10.0.0.2.

fxp0, rl0, rl1 all work fine.  bridgename.bridge0 works fine (the
bridges work great on each computer individually), and tcpdump indicates
that pfsync (hostname.pfsync0) works fine too.

In addition to settings needed for bridging, net.inet.carp.preempt=1
and net.inet.carp.log=1 are set.

Here are my carp settings for the primary firewall:

hostname.carp0:
up vhid 1 carpdev fxp0 pass passxxxx advbase 3

hostname.carp1:
up vhid 2 carpdev rl0 pass passyyyy advbase 3


and for the secondary:

hostname.carp0:
up vhid 1 carpdev fxp0 pass passxxxx advbase 3 advskew 100

hostname.carp1:
up vhid 2 carpdev rl0 pass passyyyy advbase 3 advskew 100

I tried adding a publicly-routable IP address to carp0 and carp1, but
I got a "couldn't set this IP address" error from those two interfaces
when I ran netstart.  Or should I use a non-routable IP here?

pf.conf consists of just:
set loginterface fxp0
pass all keep state

Network looks like:

                                        -------- firewall A --------
T1 --> crappy 8-port unmanaged switch --|                            |--- unmanaged switch
                                        -------- firewall B --------

Any help would be much appreciated!

Ramsey

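One thing worth checking on a pair of transparent bridges wired like the diagram above: CARP only elects a MASTER, it does not stop the BACKUP machine's bridge0 from forwarding. With both bridges up, firewall A, firewall B and the two switches form a forwarding loop, and a loop between two unmanaged switches is one way to get exactly the kind of ARP storm described. The script below is an added example, not code from the original post: it reads the CARP state of each interface and allows the bridge to forward only while this node is MASTER on both carp0 and carp1. The ifconfig output format ("carp: MASTER carpdev fxp0 vhid 1 ..."), the bridge name bridge0 and the use of brconfig(8) are assumptions; the sample ifconfig output is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Gate bridge forwarding on
# CARP state so only the MASTER firewall bridges traffic.
# Assumed: ifconfig prints a line like "carp: MASTER carpdev fxp0 vhid 1 ..."
# for a carp interface, the bridge is bridge0, and brconfig(8) controls it.

# Extract the CARP state word (MASTER, BACKUP, INIT) from ifconfig output
# read on stdin. Anything unexpected yields UNKNOWN so the caller fails
# closed (bridge down) rather than forwarding by accident.
carp_state() {
    while IFS= read -r line; do
        case $line in
            *"carp: "*)
                set -- ${line#*carp: }
                echo "$1"
                return 0
                ;;
        esac
    done
    echo UNKNOWN
}

# Decide the bridge action from the state of both CARP interfaces.
# "up" only when this node is MASTER on both sides; any other combination
# (BACKUP, INIT, or a split where only one side is MASTER) means "down",
# because a second forwarding bridge closes a loop through the switches.
bridge_action() {
    case "$1/$2" in
        MASTER/MASTER) echo up ;;
        *)             echo down ;;
    esac
}

# Apply the action with brconfig. When the second argument is "dry", the
# command is printed instead of executed so this can be exercised off-box.
apply_action() {
    cmd="brconfig bridge0 $1"
    if [ "${2:-}" = dry ]; then
        echo "$cmd"
    else
        $cmd
    fi
}

# Constructed sample output standing in for `ifconfig carp0` and
# `ifconfig carp1` on a node that has lost the LAN-side election.
SAMPLE_CARP0='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev fxp0 vhid 1 advbase 3 advskew 0
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255'
SAMPLE_CARP1='carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev rl0 vhid 2 advbase 3 advskew 100
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255'

# Stand-alone run against the constructed samples; on a real firewall the
# printf pipelines would be `ifconfig carp0 | carp_state` and the "dry"
# argument dropped.
demo() {
    s0=$(printf '%s\n' "$SAMPLE_CARP0" | carp_state)
    s1=$(printf '%s\n' "$SAMPLE_CARP1" | carp_state)
    apply_action "$(bridge_action "$s0" "$s1")" dry
}

demo
```

Run periodically (cron, or from an ifstated(8) action on a CARP state change) on both firewalls; with net.inet.carp.preempt=1 both CARP interfaces fail over together, so the MASTER/MASTER condition holds on exactly one node and the other node's bridge stays down.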