Ironically, IPv6 cannot solve this scenario either, since by definition using IPv6 tends to require a tunnel, which would naturally fall to the CARPed pair, which would have the same constraints as the v4 side with regards to sending to/from the Internet, yes?

If you presume native v6, however, kudos, it should permit each fw to have its own IP and CARP a third :-)

-- 
Todd Fries .. [EMAIL PROTECTED]

 _____________________________________________
|                                             \  1.636.410.0632 (voice)
| Free Daemon Consulting, LLC                 \  1.405.227.9094 (voice)
| http://FreeDaemonConsulting.com             \  1.866.792.3418 (FAX)
| "..in support of free software solutions."  \  250797 (FWD)
|                                             \
 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

37E7 D3EB 74D0 8D66 A68D B866 0326 204E 3F42 004A
http://todd.fries.net/pgp.txt

Penned by Paul de Weerd on 20081205 12:11.27, we have:
| Hey Felipe,
|
| On Fri, Dec 05, 2008 at 11:51:05AM +0100, Felipe Alfaro Solana wrote:
| | Hi misc,
| |
| | I've been thinking about this for a while but can't seem to figure out
| | a proper solution. Perhaps you have seen a scenario like this before
| | and have ideas on how to tackle it.
| |
| | I have two OpenBSD 4.4 boxes configured in active/backup CARP,
| | connected to an ADSL router. I want to reconfigure the ADSL router and
| | turn it into a bridge. This way, my public IP address will move from
| | the ADSL router into the CARP interface and will be shared by both
| | OpenBSD machines. The ADSL router has a built-in hub where both
| | OpenBSD machines are plugged into.
|
| Some years ago, I did exactly this. Configured an ADSL modem for
| rfc1483 mode (which my ISP supported) and had two machines behind it
| for routing (NATting) my local network out.
|
| | While the machine whose CARP interface is ACTIVE won't have
| | problems sending and processing traffic, the OpenBSD machine whose
| | CARP interface is in BACKUP will. The machine whose CARP interface is
| | in BACKUP will be able to send traffic to the Internet from its public
| | IP address, but will not be able to process any response, for example
| | to contact an NTP server: the UDP response from the NTP server will
| | arrive at both OpenBSD machines (since both are sharing the public IP
| | address), but the machine whose CARP interface is BACKUP will likely
| | ignore the NTP response. For TCP it is also very similar.
|
| I did this before we had openntpd and didn't run "that other" ntpd on
| my machines. Internet access was only available when the machine was
| CARP master. I think there's two solutions here, both of which have
| issues. First solution (only solves the ntp issue), configure your
| CARP'ed routers to use an ntpd on your local network (which gets its
| time via the same set of CARP'ed routers). The other option is to get
| more public IPs from your ISP. This makes your routers accessible
| from the internet.
|
| Downsides are that the first solution requires an extra machine and
| the second solution is probably difficult with most ISPs.
|
| | I have no idea how to deploy a scenario like this, while allowing the
| | machine whose CARP interface is in BACKUP to access the Internet. A
| | workaround is having the machine whose CARP interface is in BACKUP
| | have a default route installed pointing to the machine whose CARP
| | interface is ACTIVE. The problem is the setup is more complex and
| | requires a way of dynamically adjusting the default route. A possible
| | solution is using ifstated(8). Is it possible to use OSPF instead?
|
| I don't really like that solution. My suggestion would be to try and
| minimize the amount of traffic the machines need to send to the
| internet (preferably to 0). Maybe use IPv6 (if your ISP does native
| v6 on the link) when you can't work around this.
|
| Cheers ;)
|
| Paul 'WEiRD' de Weerd
|
| -- 
| >++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
| +++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
| http://www.weirdnet.nl/
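As an added example (not posted by anyone in this thread), this is one way to write the ifstated(8) workaround Felipe describes: the BACKUP box keeps a default route pointing at the current MASTER, and the MASTER keeps its default route pointing at the ISP. All addresses and interface names are assumptions for illustration: carp0 carries the shared public IP on the bridged ADSL segment, 192.0.2.1 stands in for the ISP gateway on that segment, and carp1 is a shared LAN gateway address 192.168.1.1 that, by CARP's nature, always lives on whichever box is MASTER. Pointing the BACKUP's default route at 192.168.1.1 rather than at the peer's own address means the route follows a failover without naming the peer; the BACKUP then sources its own traffic from its real LAN address (192.168.1.2 or .3), which the MASTER already NATs along with the rest of 192.168.1.0/24, so replies come back through the MASTER instead of being dropped by the BACKUP's CARP interface as Felipe observed.

```conf
# /etc/ifstated.conf  (added example, not from the original thread)
#
# Assumed layout (placeholders):
#   carp0        shared public IP on the bridged ADSL segment
#   192.0.2.1    the ISP's gateway on that segment
#   carp1        shared LAN gateway 192.168.1.1, always on the CARP master
#
# carp0's link state is "up" only while this box is MASTER, so it is
# used as the single condition that drives the state machine.

init-state auto

master = "carp0.link.up"

# Pick the right state at startup instead of assuming one.
state auto {
	if $master
		set-state is_master
	if ! $master
		set-state is_backup
}

# MASTER: route to the Internet directly through the ISP gateway.
state is_master {
	init {
		run "route -qn delete default"
		run "route -qn add default 192.0.2.1"
	}
	if ! $master
		set-state is_backup
}

# BACKUP: hand our own traffic to whichever box currently holds the
# LAN CARP address, i.e. the master, which NATs it out for us.
state is_backup {
	init {
		run "route -qn delete default"
		run "route -qn add default 192.168.1.1"
	}
	if $master
		set-state is_master
}
```

The same file can be installed on both boxes, since each decides from its own carp0 state. It runs at boot once ifstated is enabled in rc.conf.local (ifstated_flags=""), and `route -n show` on the BACKUP should then list 192.168.1.1 as the default gateway while the MASTER lists 192.0.2.1. One caveat worth checking before relying on it: the pf NAT rule on the MASTER must match traffic sourced from the peer's LAN address, which it does if it translates the whole 192.168.1.0/24 subnet; a rule restricted to the LAN hosts' addresses only would leave the BACKUP in the same situation as before.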