For an IPv6-only setup I would put an IPv6 anycast address on your
interface on both servers and then announce that in your RA, and use OSPF
between the servers if they are connected to two different
upstream providers.

But if you are dependent on a CARP IPv4 and tunneling setup on the
outside for your IPv6 connectivity, so that only one of the servers is
able to route traffic at a time, you would have to put your IPv6 address
as an alias on a CARP for the inside and get your RA daemon to advertise
on that CARP interface; then it would stop sending on the interface in
backup state.

Med Venlig Hilsen / Best Regards
Henrik Dige Semark

On 2018-07-26 22:57, Martin Gignac wrote:
> Hi,
>
> How does one implement a redundant OpenBSD firewall pair with IPv6?
>
> With IPv4 I would use CARP to have one of the boxes be the
> master/active while the other one is backup/standby. But with IPv6 I
> want to use Router Advertisements so that hosts on the internal
> network can use SLAAC for IPv6 address autoconfiguration. Therefore
> hosts will receive RAs from both OpenBSD boxes and set both as
> possible default GWs in their routing table.
>
> In that case, how do I get the internal hosts to send all traffic to
> the "primary" firewall? I've configured the CARP interface on the box
> with IPv6, but the RAs are still sent from both boxes (master and
> backup) so the RA-configured hosts don't end up using the IPv6 CARP
> VIP at all and I seem to end up with possible asymmetric firewall
> flows.
>
> Thanks,
> -Martin
>

