Hi guys,
I'm very new to CARP. I used OpenBSD and pf about 2 years ago, so I have forgotten
it too. Anyway, I just finished building 2 machines with 3 NICs each.
I got CARP working as well but have some questions.
Here is my configuration:
FW1:
  external interface: fxp1 => 192.168.1.1/24
  internal interface: xl0  => 172.16.0.1/16
  pfsync interface:   fxp0 => 10.10.10.1/24
  carp0:   inet 172.16.0.100 255.255.0.0 172.16.255.255 carpdev xl0 vhid 1 pass lanpasswd
  carp1:   inet 192.168.1.100 255.255.255.0 192.168.1.255 carpdev fxp1 vhid 2 pass netpasswd
  pfsync0: up syncif fxp0

FW2:
  external interface: ne3  => 192.168.1.2/24
  internal interface: rl0  => 172.16.0.2/16
  pfsync interface:   fxp0 => 10.10.10.2/24
  carp0:   inet 172.16.0.100 255.255.0.0 172.16.255.255 carpdev rl0 vhid 1 pass lanpasswd advskew 128
  carp1:   inet 192.168.1.100 255.255.255.0 192.168.1.255 carpdev ne3 vhid 2 pass netpasswd advskew 128
  pfsync0: up syncif fxp0
LAN shared IP: 172.16.0.100
WAN/Internet shared IP: 192.168.1.100
DIAGRAM:

                   EXTERNAL
    +--------| 192.168.1.x |---------+
    |                                |
fxp1|                                |ne3
 +-----+                          +-----+
 | fw1 |-fxp0---10.10.10.x---fxp0-| fw2 |
 +-----+                          +-----+
 xl0|                                |rl0
    |                                |
 ---+--------| 172.16.x.x |----------+---
                   INTERNAL
1. Let's say we want to do some NAT with the CARP/PF setup:
   web server public: 192.168.1.10
   web server NAT:    172.16.1.10 (real IP)
   mail server public: 192.168.1.11
   mail server NAT:    172.16.1.11 (real IP)
   a. How will I configure CARP?
   b. How will I configure pf.conf on both firewalls? An example would really help me a lot.
   c. Do I also have to create an alias interface for the 2 machines' external interfaces?
2. Can someone please send me a pf.conf that can be used in a production environment?
3. Am I correct that my internal mail server's and web server's gateway should point to 172.16.0.100?
4. What if the interface where our pfsync is configured goes bad or the cable gets disconnected? What happens?
5. Other than this setup, is there anything I can add to make it much more reliable?
Thanks in advance!
Neil
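A pf.conf for the topology in the post, added here as an example; it is not part of the original message or of any reply to it. It uses current OpenBSD pf syntax (`nat-to`/`rdr-to` on pass rules, pf 4.7 and later; older releases spell these as separate `nat` and `rdr` rules). The three physical interface macros are the only lines that differ between the two nodes (fw1: fxp1/xl0/fxp0, fw2: ne3/rl0/fxp0); everything else is identical so that both firewalls enforce the same policy and a state replicated by pfsync means the same thing on either of them. It assumes the public NAT addresses 192.168.1.10 and 192.168.1.11 are added as extra addresses on carp1 on both nodes (for example `ifconfig carp1 inet alias 192.168.1.10 netmask 255.255.255.255`, or the equivalent line in /etc/hostname.carp1) so the firewall answers ARP for them and they move with the CARP master; the TCP ports passed to the web and mail servers are assumptions. Two caveats a practitioner would want: pfsync sends the state table unauthenticated and in the clear, which is why it is only passed on the dedicated back-to-back fxp0 link, and CARP advertisements are only passed on the two carpdev interfaces; and with two CARP groups per host, `sysctl net.inet.carp.preempt=1` makes a node demote both vhids together when one of its carpdevs loses link, so the LAN side and the WAN side do not end up mastered by different boxes.

```pf
# /etc/pf.conf -- identical on fw1 and fw2 except for the three interface macros.
# fw1 values shown; on fw2 use ext_if = "ne3", int_if = "rl0", sync_if = "fxp0".
ext_if  = "fxp1"
int_if  = "xl0"
sync_if = "fxp0"

# shared CARP addresses (same on both nodes)
carp_ext = "192.168.1.100"
carp_int = "172.16.0.100"
lan_net  = "172.16.0.0/16"

# public addresses and the real hosts behind them (from the post)
web_pub  = "192.168.1.10"
web_int  = "172.16.1.10"
mail_pub = "192.168.1.11"
mail_int = "172.16.1.11"

set skip on lo

# default deny; log what gets dropped
block log all

# CARP advertisements between the two nodes, only on the shared segments
pass quick on { $ext_if $int_if } proto carp

# pfsync state replication, only on the dedicated crossover link
pass quick on $sync_if proto pfsync

# inbound to the public NAT addresses, redirected to the real servers
# (ports are assumptions, not from the post)
pass in on $ext_if proto tcp to $web_pub  port { 80 443 } rdr-to $web_int
pass in on $ext_if proto tcp to $mail_pub port 25        rdr-to $mail_int

# LAN hosts out to the Internet, sourced from the shared external address
# so the translation survives a failover
pass in  on $int_if from $lan_net to any
pass out on $ext_if from $lan_net to any nat-to $carp_ext

# outbound mail should appear to come from the mail server's own public
# address; last matching rule wins, so this must follow the general rule
pass out on $ext_if from $mail_int to any nat-to $mail_pub

# the firewall itself (DNS, NTP, package fetches); tighten as needed
pass out on $ext_if from ($ext_if) to any
```

Load it with `pfctl -nf /etc/pf.conf` first to catch syntax errors, then `pfctl -f /etc/pf.conf` on each node; `pfctl -ss` on the backup should then show states appearing as connections are created through the master.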