Gustavo A. Baratto wrote:
..
> FW2 is ready, and the IP for DNS2 is already assigned... So, while the
> DNS2 server is not ready, is it possible to set up FW2 so that DNS queries
> from the external world can be redirected to DNS1?
>
> It would be basically an rdr reflection on the external interface,
htt
[EMAIL PROTECTED] wrote:
> Hi all:
>
> We have a firewall with 4 interfaces (2 outside, to two different routers
> and ISPs, 1 inside and 1 DMZ); the machine is running a Squid web proxy too.
> We want to do balancing on outgoing connections only for the web traffic,
> we have get to do that, and
As I understand it, preempt is all or nothing. So if I have FWs configured
like this:

        ISP switch
        /        \
       |          |
     FW1-- DMZ --FW2   [That's one DMZ switch]
       |  switch  |
        \        /
        LAN switch

If I wish FW1 to be primary and FW2 to be secondary, I set advskew on FW1 to
be
Agreed, it does smell of a race.
Yes, I do preempt on whichever FW I wish the primary to be.
Nope. I figured it was just me.
-Steve S.
Per-Olov Sjöholm wrote:
> After these threads it's now much clearer to me.
>
..
> It smells like a random race condition problem that occurs only with
> in
Right. When preempt is set, any carp interface which has a real interface
down causes all carps to use 240 for the skew. At this point I think it is
simply a race to see which interface takes MASTER. That is why I used
preempt on only one FW. This ensures that, in a situation like the one
descri
I know this has been beaten up before but I didn't see this particular issue
addressed.
I have dual firewalls (carp'd) with dual ISPs. I perform outbound load
balancing per the following lines in pf.conf:
nat on fxp0 from $lan_net to any -> (carp0)
nat on fxp1 from $lan_net to any -> (carp1)
pa
I had a similar issue. I ended up using net.inet.carp.preempt=1 on the
primary firewall and net.inet.carp.preempt=0 on the secondary.
If the primary has an issue, the secondary becomes the master on all
interfaces. I must confess I haven't "fully tested" the configuration.
-Steve S.
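The failure mode discussed above (preempt on both firewalls, one interface's advskew demoted to 240, and a race that can leave a single firewall MASTER on some carp interfaces and BACKUP on others) is easy to miss until traffic is asymmetric. The following is an added example, not code from the thread: a POSIX shell check that parses `ifconfig`-style carp output and reports whether every carp interface on the box agrees on its state. The sample output, interface names, vhids and addresses are constructed placeholders, and the `carp:` status line is only an approximation of OpenBSD's `ifconfig` format, so adjust the awk patterns if your version prints it differently.

```shell
#!/bin/sh
# Added example: detect a split CARP state (MASTER on some interfaces,
# BACKUP on others) on one firewall. Not from the original thread.

# Constructed sample approximating `ifconfig carp` output on OpenBSD.
# Interface names, vhids and addresses are placeholders.
# carp1 shows the demoted skew (240) the thread describes after a carpdev
# went down while the other interfaces stayed MASTER: a split state.
SAMPLE_SPLIT='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev fxp0 vhid 1 advbase 1 advskew 0
        inet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev fxp1 vhid 2 advbase 1 advskew 240
        inet 198.51.100.10 netmask 0xffffff00 broadcast 198.51.100.255
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev fxp2 vhid 3 advbase 1 advskew 0
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255'

# Constructed healthy sample: every carp interface is MASTER with the same skew.
SAMPLE_OK='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev fxp0 vhid 1 advbase 1 advskew 0
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev fxp1 vhid 2 advbase 1 advskew 0
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev fxp2 vhid 3 advbase 1 advskew 0'

# carp_states: read ifconfig text on stdin, print "ifname state advskew"
# for each carp interface. advskew is "?" if the line does not carry one.
carp_states() {
    awk '
        /^carp[0-9]+:/ { sub(":", "", $1); ifn = $1 }
        /^[ \t]*carp: / {
            skew = "?"
            for (i = 1; i <= NF; i++) if ($i == "advskew") skew = $(i + 1)
            print ifn, $2, skew
        }'
}

# carp_split: exit 0 when all carp interfaces report the same state,
# exit 1 when they disagree (the split-brain-on-one-box symptom).
carp_split() {
    n=$(carp_states | awk '{ print $2 }' | sort -u | awk 'END { print NR }')
    [ "$n" -le 1 ]
}

# carp_odd_ones: print the carp interfaces whose state differs from the
# majority state on this box, one per line, sorted.
carp_odd_ones() {
    carp_states | awk '
        { st[$1] = $2; count[$2]++ }
        END {
            best = ""
            for (s in count) {
                if (best == "") best = s
                else if (count[s] > count[best]) best = s
            }
            for (i in st) if (st[i] != best) print i
        }' | sort
}

# Stand-alone run: check the constructed sample, or pass a file of real
# `ifconfig` output as $1 to check a live firewall instead.
if [ -n "$1" ]; then input=$(cat "$1"); else input=$SAMPLE_SPLIT; fi
if printf '%s\n' "$input" | carp_split; then
    echo "carp state consistent"
else
    echo "carp state split; interfaces not in the majority state:"
    printf '%s\n' "$input" | carp_odd_ones
fi
```

Run it from cron or a monitoring agent on each firewall; a non-zero result from `carp_split` on a box that is supposed to be primary is the signal that preempt demotion and the election race have left the interfaces disagreeing, which is exactly the situation running preempt on only one firewall is meant to avoid.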
[EMAIL PROT
Jason Opperisano wrote:
> On Thu, 2004-09-16 at 08:58, Steven S. wrote:
>
> the above seems to be the result of a blocked packet with "set
> block-policy return" or a "block return ..." rule ...SYN goes out but
> SYN-ACK coming back in gets a RST...
Greetings,
I'm experiencing an interesting problem and I'm googled out.
Trying to get mail from a firewall which is the carp master to an internally
hosted e-mail server. The mail server is using a private IP address and the
firewall is using a "binat" rule to translate a public carp IP to the
p