Hi,
> Say the webservers are named internally 10.0.0.1 and 10.0.0.2. Is it possible
> to create two CARP interfaces, say 10.0.0.3 and 10.0.0.4, where server
> 10.0.0.1 is master of CARP 10.0.0.3 and 10.0.0.2 is master of CARP 10.0.0.4?
> Then, use rdr load balancing on the firewall to hit the .3/.4 CARP addresses,
> instead of the server addresses.
> At first glance this looks like it would work - if either server dies the
> other will take over master of both IPs and pf will not care.
> My only thought is it might complicate SSL connections which are per-IP, but
> then it shouldn't be a problem to make the same SSL virtual host respond to
> the two CARP addresses (or however many more CARP pairs I need to create for other sites).
> Does this sound workable, or will I need to resort to something like
> Pound on the webservers?

It might work, but CARP itself has basic load balancing (based on hashes of the source IP) built in. It works well with SSL and the like. Look for the arpbalance feature. So I think you do not really need to rdr packets to the webservers themselves.

lars
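
Added example, not part of the original message: a small Python model of the layout asked about in the quoted question, showing which real server answers each CARP address and where rdr round-robin traffic lands when a server dies. The advskew values are constructed, and the election is simplified to "the live host with the lowest advskew is master", with a returning host assumed to reclaim its address.

```python
"""Model of the quoted layout: two CARP addresses, each preferred by a
different web server, with the firewall round-robining over the CARP
addresses. Simplified election: lowest advskew among live hosts wins."""
from itertools import cycle

# Constructed values (assumption): advskew per CARP address and real host.
ADVSKEW = {
    "10.0.0.3": {"10.0.0.1": 0, "10.0.0.2": 100},   # .1 preferred for .3
    "10.0.0.4": {"10.0.0.1": 100, "10.0.0.2": 0},   # .2 preferred for .4
}


def masters(alive):
    """Return {carp_ip: real host that is master}, None if no host is up."""
    result = {}
    for vip, skews in ADVSKEW.items():
        candidates = [(skew, host) for host, skew in skews.items()
                      if host in alive]
        result[vip] = min(candidates)[1] if candidates else None
    return result


def serve(alive, connections):
    """Round-robin `connections` over the CARP addresses, as the rdr rule
    would, and count how many land on each real host."""
    owner = masters(alive)
    counts = {}
    targets = cycle(sorted(ADVSKEW))
    for _ in range(connections):
        host = owner[next(targets)]
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    # Both servers up, then each one failing in turn.
    for alive in ({"10.0.0.1", "10.0.0.2"}, {"10.0.0.2"}, {"10.0.0.1"}):
        print(sorted(alive), masters(alive), serve(alive, 10))
```
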