On Saturday 19 April 2008 10.39.29 Claer wrote:
> On Fri, Apr 18 2008 at 32:21, Gábri Máté wrote:
> > On Friday 18 April 2008 21.29.18 wrote:
> > > On Fri, Apr 18, 2008 at 11:48 AM, Gabri Mati <[EMAIL PROTECTED]> wrote:
> > > > This is normal, but is there a way to make the outgoing package to
> > > > have the internal CARP device's address as source IP?
> > >
> > > What would this accomplish? If one of the nginx machines goes down,
> > > the TCP sessions won't be able to failover to the other carp peer.
> > > I'd prefer to see in my logs which proxy a request came from so I can
> > > better diagnose if a particular machine is misbehaving.
> >
> > You're right, but we need the carp'd IP for statistics on the web
> > servers. If one of the machines goes down then the user just has to hit
> > the refresh button and she has access to the content again.
>
> Did you try to NAT the LAN interface with the carp address? It should
> work for self outgoing traffic too. The problem is, if the connection is
> issued from the backup firewall you will lose the connection. To bypass
> this limitation, you can use ifstated and pf tables.
>
> - If the LAN interface is in master mode: add the carp address to
>   the NAT table
>
> - If the LAN interface is in backup mode: remove the carp address from
>   the NAT table
>
> Claer

Thank you for all your help! It seems that we found a workaround for this
problem and we don't have to tamper with the firewall. Mod_rpaf on the
webservers will rewrite the incoming IP address.

--
Gabri Mate
[EMAIL PROTECTED]
http://www.duosol.hu
Tel: 20/589-5456
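
The following is an added example, not code from this thread or from mod_rpaf: a sketch of the check any backend has to make when it rewrites the client address from a proxy-supplied header, as the workaround above does. It assumes the nginx proxies append the client address to `X-Forwarded-For`; the proxy addresses and the function names are constructed for illustration.

```python
import ipaddress

# Assumed addresses of the two nginx proxies (constructed, documentation range).
TRUSTED_PROXIES = [
    ipaddress.ip_network("192.0.2.10/32"),
    ipaddress.ip_network("192.0.2.11/32"),
]


def is_trusted(addr):
    """True when addr parses as an IP address belonging to one of our proxies."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_header):
    """Return the address the web server should log for one request.

    peer_addr is the TCP peer the web server saw; xff_header is the raw
    X-Forwarded-For value, or None when the header is absent.
    """
    if not is_trusted(peer_addr) or not xff_header:
        # Not from our proxies: the header is client-controlled, so ignore it.
        return peer_addr
    # Walk right to left: only the rightmost entries were written by our proxies;
    # anything further left may have been supplied by the client itself.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr  # malformed entry: fall back to the TCP peer
        if not is_trusted(hop):
            return hop
    return peer_addr  # every listed hop was one of our proxies


if __name__ == "__main__":
    # Constructed sample requests: (TCP peer, X-Forwarded-For header).
    samples = [
        ("192.0.2.10", "203.0.113.7"),             # normal proxied request
        ("198.51.100.9", "203.0.113.7"),           # direct hit with a forged header
        ("192.0.2.11", "10.1.1.1, 203.0.113.7"),   # client pre-filled the header
    ]
    for peer, xff in samples:
        print(peer, repr(xff), "->", client_ip(peer, xff))
```

Without the trusted-peer check, per-client statistics and any IP-based access rule on the web servers can be skewed by whoever sets the header.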