Hello Waldemar,

On 24.07.2014 17:44, Waldemar Brodkorb wrote:
> Hi Peter,
> Peter Hessler wrote,
>
>> if the addresses on the carp interface are out of sync, then the hashes
>> won't match, and the firewalls *WILL* conflict with each other.
>>
>> I recommend one IP per carp interface. Far nicer in case you screw that
>> bit up, and much easier to balance IPs to one system or the other.
>
> Thanks for the hints. The previous firewall is managed via
> fwbuilder, which does manage all the ip aliases for the wan
> interface for us. It seems fwbuilder has some support for carp,
> but I am not sure it will work with ip aliases.
>
> Thanks so far
> Waldemar
>
We have a similar setup here, with only a /29 range of external addresses. So far we have had no problems running this using only one external carp IF (using a private IP) and adding all external addresses as aliases. But we do not use bi-nat for our DMZ servers.

As for fwbuilder, we did use it for some years with iptables, but during our switch to OpenBSD we found that writing pf.conf by hand gave a cleaner and faster fw. The file is under version control and distributed and enabled by Puppet on both our FW-CARP nodes.

Cheers,
Kim
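An added check for the out-of-sync case Peter warns about (example code, not from the thread, fwbuilder or Puppet): it compares the address sets of two hostname.carp0 files before they are pushed to the two nodes, assuming OpenBSD hostname.if syntax and using constructed sample addresses and secret.

```sh
#!/bin/sh
# Added example, not from the thread. Checks that two hostname.carp0 files
# (one per CARP node, e.g. as distributed by Puppet) carry the same address
# set: nodes whose addresses differ compute different CARP hashes, and each
# then claims master. Assumes OpenBSD hostname.if syntax; the addresses and
# the secret below are constructed sample values.

# Sorted "ADDR/MASK" list of the primary inet address and every inet alias.
# Comments, blank lines and non-inet lines ("up", "!route ...") are ignored.
carp_addrs() {
    grep -v '^[[:space:]]*#' "$1" \
    | awk '$1 == "inet" { print ($2 == "alias") ? ($3 "/" $4) : ($2 "/" $3) }' \
    | sort
}

# Return 0 when both files configure the same address set, otherwise print
# both sets and return 1 (meant to gate deployment of a changed config).
carp_addrs_match() {
    a=$(carp_addrs "$1")
    b=$(carp_addrs "$2")
    [ "$a" = "$b" ] && return 0
    printf 'address sets differ\n-- %s --\n%s\n-- %s --\n%s\n' "$1" "$a" "$2" "$b"
    return 1
}

# Constructed sample configs: a private address on carp0 and the public /29
# addresses as aliases, as described above. The backup differs only in
# advskew; the third file has lost one alias (the out-of-sync case).
CARP_DIR=$(mktemp -d)
cat > "$CARP_DIR/master" <<'EOF'
inet 10.255.0.1 255.255.255.0 10.255.0.255 vhid 1 carpdev em0 pass EXAMPLE-SECRET advskew 0
inet alias 203.0.113.9 255.255.255.255
inet alias 203.0.113.10 255.255.255.255
up
EOF
sed 's/advskew 0/advskew 100/' "$CARP_DIR/master" > "$CARP_DIR/backup"
grep -v '203\.0\.113\.10' "$CARP_DIR/master" > "$CARP_DIR/drifted"

carp_addrs_match "$CARP_DIR/master" "$CARP_DIR/backup" && echo "master/backup: in sync"
carp_addrs_match "$CARP_DIR/master" "$CARP_DIR/drifted" || echo "master/drifted: OUT OF SYNC"
```

Running it with `ifconfig carp0` on the live nodes afterwards should still show exactly one MASTER and one BACKUP; two MASTERs is the symptom the check is meant to catch beforehand.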