It's this time of the year again: I'm trying to get carp+pfsync
2-node cluster going.

(To recap: last time, I downed a network segment with an ARP storm, and couldn't
reclaim one firewall node due to the absence of a second crossover serial in place.
I'm going to try again this coming Monday.)

I didn't like the 1:1 NAT issue and private addresses originally, but
a few days ago I realized that my hosts already have two interfaces,
one with public IP addresses, and one a private (10.0.0.x/24) network.
The NICs on different networks are also connected to different switches,
both of which are VLAN-capable. The switches are also interconnected.

If I see this correctly (Holger?), with this setup I should be able to
experiment safely (provided I stay away from another ARP storm),
because I don't need to reconfigure the host addresses. The public
addresses remain as is, and the private addresses can be made
reachable (the only change required is adding a gateway on each
host, because right now there is none). The only
plumbing required is defining a VLAN with the gateway port and
the two WAN interfaces of the firewall. This is always possible
to recover from, because the switches are in front of the firewall.

Does this make sense, or is there something I'm overlooking? 

Thanks.

-- 
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820            http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE

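As an added example (not from the post above or from any project it mentions), the OpenBSD config fragments a two-node carp+pfsync pair with a public WAN side and a private 10.0.0.x/24 side needs, generated by a small shell script; the interface names (em0/em1/em2), VHIDs, the WAN VIP 192.0.2.10, the LAN VIP 10.0.0.254 (the gateway the hosts would be given) and the carp password are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: generate the OpenBSD config
# fragments for a two-node carp+pfsync firewall pair that has a public (WAN)
# side and a private 10.0.0.x/24 (LAN) side, with pfsync on a dedicated link.
# Interface names, VHIDs, addresses, the carp password and file paths are
# ASSUMED placeholders; nothing here touches the running system.

# Contents of /etc/hostname.carpN for one node.
# Args: role (master|backup) vhid vip netmask carpdev
carp_hostname_conf() {
    role=$1; vhid=$2; vip=$3; mask=$4; dev=$5
    case $role in
        master) skew=0   ;;   # lowest advskew wins the election
        backup) skew=100 ;;   # backup takes over only when master stops advertising
        *) echo "unknown role: $role" >&2; return 1 ;;
    esac
    echo "inet $vip $mask NONE vhid $vhid carpdev $dev pass CARP_SECRET advskew $skew"
}

# Contents of /etc/hostname.pfsync0: state sync over the crossover link only.
# Arg: sync interface
pfsync_hostname_conf() {
    echo "up syncdev $1"
}

# /etc/sysctl.conf line: with preempt, losing one carp interface (e.g. WAN)
# demotes all of this node's carp interfaces, so WAN and LAN fail over together.
carp_sysctl_conf() {
    echo "net.inet.carp.preempt=1"
}

# pf.conf rules both nodes need: let pfsync in on the sync link and carp
# advertisements on both firewall sides; neither flow is itself synced.
# Args: wan_if lan_if sync_if
carp_pf_rules() {
    printf 'pass quick on %s proto pfsync keep state (no-sync)\n' "$3"
    printf 'pass on { %s, %s } proto carp keep state (no-sync)\n' "$1" "$2"
}

# Demo: print the fragments for both nodes (assumed: em0 WAN, em1 LAN, em2 sync).
for role in master backup; do
    echo "== $role: /etc/hostname.carp0 (WAN) / /etc/hostname.carp1 (LAN)"
    carp_hostname_conf "$role" 1 192.0.2.10 255.255.255.0 em0
    carp_hostname_conf "$role" 2 10.0.0.254 255.255.255.0 em1
done
echo "== /etc/hostname.pfsync0"; pfsync_hostname_conf em2
echo "== /etc/sysctl.conf";      carp_sysctl_conf
echo "== pf.conf";               carp_pf_rules em0 em1 em2
```

The two nodes differ only in advskew; everything else (vhid, VIP, password, pf rules) must be identical on both, or the pair will not agree on a single master.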