Hi

We wanted to do something similar - but consider connecting
one FW/router to ISP1 and the second to ISP2. Because if you
use CARP to failover BGP sessions, you would lose the connection
shortly. Your upstream ISPs detect this and withdraw your /24 from
their routing table, propagating this further on. Maybe you
end up "route flap dampened".

(Although it is possible - the "keyword" in bgpd.conf is "depend on")

We connect one router to ISP1 and one to ISP2 and do CARP on the
inside interface (which is the default gateway for all clients).

Works perfectly for us.

Regards,
Reto

> -----Original Message-----
> From: peceka [mailto:[EMAIL PROTECTED] 
> Sent: Friday, 13 January 2006 17:49
> To: misc@openbsd.org
> Subject: CARP on firewalls connected to ISP and OpenBGPd
> 
> 
> Hi,
> 
> i need some suggestions from you. The problem I have is described below:
> 
> i'm building a network as it is drawn on the pic http://devnet.pl/~pck/network.jpg.
> 
> with isp1 and isp2 i have to set up BGP (i've got public AS) and i'm
> thinking to use openbgpd for this.
> 
> to connect to ISP1 i have 1.1.1.4/30. .4/30 is the IP for my router, .3/30 is
> for the ISP1 router.
> to connect to ISP2 i have 2.2.2.4/30. .4/30 is the IP for my router, .3/30 is
> for the ISP2 router.
> 
> for DMZ i've got public IPs /24, for example: 3.3.3.0/24.
> 
> FW3 and FW4 are exactly the same machines, they've got 4 ethernets, for
> example:
> e0: 1.1.1.4/30 (ISP1)
> e1: 2.2.2.4/30 (ISP2)
> e2: 3.3.3.1/24 (ISP3)
> e3: for pfsync between FW3 and FW4
> 
> i want to set CARP on the ISPs and DMZ side. is it possible? I have only one IP
> for connecting to each ISP, so can i set 192.168.0.1/24 and 192.168.0.2/24 on e0
> and then make hostname.carp0 with ip address 1.1.1.4/30? and something like
> this on the ISP2 side.
> 
> and how to combine this with openbgpd? will openbgpd work in master-slave
> mode?
> 
> and second question is how can i resolve problem like this:
> i've got two machines in the dmz (on public ip) which do the same (ie.: web
> servers):
> 3.3.3.40
> 3.3.3.41
> 
> and if one of them dies, redirect all traffic to the second machine. should
> i do it with an rdr rule? like:
> rdr on $ext_e0 proto tcp from any to 3.3.3.40 port 80 -> 3.3.3.41 port 80
> rdr on $ext_e1 proto tcp from any to 3.3.3.40 port 80 -> 3.3.3.41 port 80
> 
> or something else?
> 
> thanks for any advice,
> p.
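The design Reto describes above (each firewall peers with its own ISP, CARP only on the inside/DMZ interface), written out as an added configuration example for FW3; it is not from the thread. It uses the addresses from peceka's mail, placeholder AS numbers and CARP password, and assumes a bgpd whose bgpd.conf(5) supports the `depend on` and `demote` neighbor options; FW4 gets the mirror image with a higher advskew and a session to ISP2 at 2.2.2.3.

```conf
# /etc/hostname.carp0 on FW3: the shared DMZ gateway 3.3.3.1 (from the thread).
# The physical e2 on each box keeps its own address in 3.3.3.0/24 (constructed:
# 3.3.3.2 on FW3, 3.3.3.3 on FW4). FW4 uses the same line with advskew 100.
# vhid and the password are placeholders chosen for this example.
inet 3.3.3.1 255.255.255.0 3.3.3.255 vhid 1 pass CARP_PASSWORD_PLACEHOLDER advskew 0

# /etc/bgpd.conf on FW3: a single session to ISP1, no CARP on the ISP link,
# so a CARP failover never tears down an established BGP session.
# AS numbers are placeholders (the real ones are not in the thread).
AS 65000
router-id 1.1.1.4
network 3.3.3.0/24

neighbor 1.1.1.3 {
	remote-as 65001
	descr "ISP1"
	# Raise the carp(4) demotion counter of group "carp" while this session
	# is not ESTABLISHED: if FW3 loses its upstream, FW4 (whose session to
	# ISP2 is still up) wins the CARP election and becomes the DMZ gateway.
	demote carp
}

# Only for the alternative design peceka asked about (CARP address on the
# ISP-facing link): keep the session Idle unless this box is carp master
# on that interface, which is the "depend on" keyword Reto refers to.
#neighbor 1.1.1.3 {
#	remote-as 65001
#	depend on carp1
#}
```

With `demote`, check `ifconfig carp0` on both boxes after a failover test: the demoted side should show a non-zero demotion counter and the other side should be MASTER.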
