Hello, I've two i386 boxes running 3.9-stable acting as redundant firewalls with PF + CARP/pfsync behind a Cisco router.
      xDSL
       |
     cisco
       |
   ---------
   |       |
  FW1     FW2
   |       |
   ---------
       |
      DMZ

Public IP addresses used below are faked.

The router:

#sh ip int brief
Interface          IP-Address    OK? Method Status Protocol
...
FastEthernet0/0    172.16.0.6    YES NVRAM  up     up
FastEthernet0/0.1  172.16.31.6   YES NVRAM  up     up
...
Loopback0          4.3.2.6       YES NVRAM  up     up

#sh ip route static
     172.16.0.0/16 is variably subnetted, 4 subnets, 4 masks
S       172.16.0.0/16 [1/0] via 172.16.0.1
     4.3.2.0/24 is variably subnetted, 23 subnets, 3 masks
S       4.3.2.0/29 is directly connected, FastEthernet0/0

The firewalls:

# sysctl -a | grep ^net.inet.carp
net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.log=0
net.inet.carp.arpbalance=0

On the external carp1 interface I have a private address (172.16.0.1, used for routing) and a public IP address alias (let's say 4.3.2.1, used for redirection of services to DMZ hosts). On the internal carp11 interface I have the DMZ to which ports from the public IP address alias are redirected.

# route -n show | grep default
default            172.16.0.6         UGS        0   180952 -     carp1

# ifconfig carp1
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev fxp1 vhid 1 advbase 1 advskew 0
        groups: carp egress
        inet 172.16.0.1 netmask 0xfffffff8 broadcast 172.16.0.7
        inet 4.3.2.1 netmask 0xfffffff8 broadcast 1.2.3.7

# ifconfig carp11
carp11: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev vlan11 vhid 11 advbase 1 advskew 0
        groups: carp
        inet 172.16.1.1 netmask 0xffffff00 broadcast 172.16.1.255

I'd like to add one more public IP address on the carp1 interface, so I do

# ifconfig carp1 vhid 1 carpdev fxp1 pass whatasecret alias 4.3.2.2 netmask 255.255.255.248

on the master firewall. Immediately after adding the alias the firewall stops forwarding packets in both directions. I have to reboot the firewall to have it working again; removing the alias is not sufficient.
My PF ruleset defaults to 'block drop log all', but tcpdump on pflog0 does not seem to be particularly useful. This is in production too, so I cannot experiment a lot. I have a similar setup working (multiple public IP addresses as aliases on the external interface mapped to internal private addresses on 3.8-stable), but I'm not using CARP there. Any idea why this happens? Thanks.
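A small consistency check to run on both firewalls before and after a change like the one above, as an added example that is not part of the original post: it parses the `ifconfig carpN` output shown in the post into one summary line (state, carpdev, vhid, address list) so the two nodes can be compared, since CARP failover requires every virtual address to exist on both members of the group. The second sample (a BACKUP node that already carries 4.3.2.2) is constructed for the demonstration and is not from the post.

```shell
# Constructed sample: the carp1 output from the post (faked addresses).
SAMPLE_FW1='carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev fxp1 vhid 1 advbase 1 advskew 0
        groups: carp egress
        inet 172.16.0.1 netmask 0xfffffff8 broadcast 172.16.0.7
        inet 4.3.2.1 netmask 0xfffffff8 broadcast 4.3.2.7'

# Constructed sample: a hypothetical BACKUP node with one extra alias.
SAMPLE_FW2='carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev fxp1 vhid 1 advbase 1 advskew 100
        groups: carp egress
        inet 172.16.0.1 netmask 0xfffffff8 broadcast 172.16.0.7
        inet 4.3.2.1 netmask 0xfffffff8 broadcast 4.3.2.7
        inet 4.3.2.2 netmask 0xfffffff8 broadcast 4.3.2.7'

# carp_summary: read `ifconfig carpN` output on stdin and print
# "<state> <carpdev> <vhid> <addr1>,<addr2>,..." on one line.
carp_summary() {
    awk '
        $1 == "carp:" {
            state = $2
            for (i = 3; i <= NF; i++) {
                if ($i == "carpdev") dev = $(i + 1)
                if ($i == "vhid")    vhid = $(i + 1)
            }
        }
        $1 == "inet" { addrs = (addrs == "" ? $2 : addrs "," $2) }
        END { print state, dev, vhid, addrs }
    '
}

# carp_addr_set: sorted address list from a summary line, so that the
# order in which aliases were added does not affect the comparison.
carp_addr_set() {
    printf '%s\n' "$1" | awk '{ print $4 }' | tr ',' '\n' | sort | tr '\n' ','
}

# carp_config_match SUMMARY_A SUMMARY_B: succeed when both nodes agree on
# vhid and on the set of virtual addresses (MASTER/BACKUP state may differ).
carp_config_match() {
    _vhid_a=$(printf '%s\n' "$1" | awk '{ print $3 }')
    _vhid_b=$(printf '%s\n' "$2" | awk '{ print $3 }')
    [ "$_vhid_a" = "$_vhid_b" ] || return 1
    [ "$(carp_addr_set "$1")" = "$(carp_addr_set "$2")" ]
}
```

On a live pair, replace the samples with `ssh fw1 ifconfig carp1 | carp_summary` and the same for fw2, and refuse the change when carp_config_match fails.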