I've successfully set up a pair of 4.7-current obsd load-balanced firewall/routers.
I'd like some clarification on the manual page of carp(4).

from carp(4):

"If IP balancing is being used on a firewall, it is recommended to configure
 the carpnodes in a >>symmetrical<< manner.  This is achieved by simply
 using the >>same carpnodes list<< on all sides of the firewall."

Does the manual mean (A)
(fw1-carp0) 1:0,2:100  -----  1:100,2:0 (fw2-carp0)
(fw1-carp1) 3:0,4:100  -----  3:100,4:0 (fw2-carp1)
or (B)
(fw1-carp0) 1:0,2:100  ----- 1:0,2:100 (fw2-carp0)
(fw1-carp1) 3:0,4:100  ----- 3:0,4:100 (fw2-carp1)

It seems to me that the manual is referring to the (B) pattern.
However, for me only the (A) pattern works.
I just want to be sure that I'm not doing something wrong here that happens to work by accident.

I'm using ip-stealth. There is a window of time, when one of the firewalls boots, where the virtual MAC address appears on the switch. When it times out (I've set 60 seconds on the switch) it does not appear again and everything works. Is there a way I can prevent this, or does it have to do with the switch?
It's an HP 2810-48G.

ip-unicast might also work, but my inner test client/router has problems with it. The outer interfaces work fine. This way I see 4 VMACs on the switch, which stay there (2 of them are a mystery, because they do not appear on either of the firewalls).

Which setup (unicast vs stealth) do you use for Cisco and HP switches?

And last, how do your firewalls themselves access the internet (cvs updates) or reach internal DNS? It seems only one of the two (at the same time) can access the internet directly, which seems logical. Do you create some sort of access VLAN for DNS? I could do the (internal) DNS that way, but if the obsd boxes take my outer IP, then how could both of them access the internet?

regards,

Giannis
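The (A)/(B) question above comes down to whether, for each vhid, exactly one of the two firewalls advertises the lowest advskew. The following added example (not from the original post or from OpenBSD) parses carpnodes strings in the `vhid:advskew` form used by ifconfig and flags vhids where both hosts advertise the same advskew, as well as pairs where one host would be preferred master for every vhid (so nothing is balanced). The function names and the "lower advskew is preferred" rule it relies on are assumptions of the example, not text from the post.

```python
"""Sanity-check a pair of carp(4) carpnodes lists for master conflicts.

Added example, not part of the original mailing-list post. It assumes the
ifconfig carpnodes syntax "vhid:advskew,vhid:advskew,..." and that, for a
given vhid, the host advertising the lower advskew is the preferred master.
"""
from typing import Dict, List, Tuple


def parse_carpnodes(spec: str) -> Dict[int, int]:
    """Parse a carpnodes string such as "1:0,2:100" into {vhid: advskew}."""
    nodes: Dict[int, int] = {}
    for item in spec.split(","):
        vhid_s, skew_s = item.strip().split(":")
        vhid, skew = int(vhid_s), int(skew_s)
        # carp(4) vhid is 1..255 and advskew is 0..254
        if not 1 <= vhid <= 255:
            raise ValueError(f"vhid out of range in entry {item!r}")
        if not 0 <= skew <= 254:
            raise ValueError(f"advskew out of range in entry {item!r}")
        if vhid in nodes:
            raise ValueError(f"duplicate vhid {vhid} in {spec!r}")
        nodes[vhid] = skew
    return nodes


def check_pair(fw1: str, fw2: str) -> Tuple[bool, List[str]]:
    """Compare the carpnodes lists of two firewalls on the same segment.

    Returns (ok, problems). ok is True only when every shared vhid has a
    single preferred master and each host is preferred for at least one vhid.
    """
    a, b = parse_carpnodes(fw1), parse_carpnodes(fw2)
    problems: List[str] = []

    if a.keys() != b.keys():
        missing = sorted(a.keys() ^ b.keys())
        problems.append(f"vhids not present on both hosts: {missing}")

    common = sorted(a.keys() & b.keys())
    preferred: Dict[int, str] = {}
    for vhid in common:
        if a[vhid] == b[vhid]:
            # Equal advskew on both hosts: neither is clearly preferred,
            # so the election falls back to tie-breaking or flaps.
            problems.append(
                f"vhid {vhid}: both hosts advertise advskew {a[vhid]}, no clear master"
            )
        else:
            preferred[vhid] = "fw1" if a[vhid] < b[vhid] else "fw2"

    # Load sharing needs each host to be the preferred master for some vhid.
    if preferred and len(set(preferred.values())) < 2:
        only = next(iter(preferred.values()))
        problems.append(f"{only} is preferred master for every vhid; traffic is not balanced")

    return (not problems, problems)


if __name__ == "__main__":
    # The two patterns from the post, per segment (constructed input).
    for label, fw1, fw2 in (
        ("A", "1:0,2:100", "1:100,2:0"),
        ("B", "1:0,2:100", "1:0,2:100"),
    ):
        ok, problems = check_pair(fw1, fw2)
        print(f"pattern {label}: {'ok' if ok else 'problems'}")
        for p in problems:
            print("  -", p)
```

Run it as-is to compare the two patterns from the post; to check a live box, feed it the carpnodes strings from `ifconfig carp0` on each firewall. The check is deliberately per segment (carp0 on fw1 against carp0 on fw2), which is the pairing that decides who answers for a given vhid.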
