Make sure you are not using the same public IPs as VIPs and at the real interfaces with the public IPs of the machines. This indeed can cause some issues (IP conflicts).
Holger

-----Original Message-----
From: sai [mailto:[EMAIL PROTECTED]]
Sent: Sunday, March 25, 2007 5:06 PM
To: [email protected]
Subject: Re: [pfSense-discussion] pfsync+carp cluster (XV)

On 3/24/07, Eugen Leitl <[EMAIL PROTECTED]> wrote:
>
> It's this time of the year again: I'm trying to get carp+pfsync 2-node
> cluster going.
>
> (To recap: last time, I downed a network segment with an ARP storm,
> and couldn't reclaim one firewall node due to absence of a second crossover serial in place.
> I'm going to try again coming Monday).
>
> I didn't like the 1:1 NAT issue and private addresses originally, but
> a few days ago I realized that my hosts already have two interfaces,
> one with public IP addresses, and one a private (10.0.0.x/24) network.
> The NICs on different networks are also connected to different
> switches, both of which are VLAN-capable. The switches are also interconnected.
>
> If I see this correctly (Holger?) with this setup I should be able to
> experiment safely (provided I stay away from another ARP storm),
> because I don't need to reconfigure the host addresses. The public
> addresses remain as is, and the private addresses can be made
> reachable (the only change required is adding a gateway on each host,
> because right now there is none). The only plumbing required is
> defining a VLAN with the gateway port and the two WAN interfaces of
> the firewall. This is always possible to recover from, because the
> switches are in front of the firewall.
>
> Does this make sense, or is there something I'm overlooking?
>
> Thanks.
>
> --
> Eugen* Leitl

Sounds like you might get loops in that network - be careful about that.
I would not use the public IP address, just the private IP addresses when
putting in the firewall.

A network diagram of what you are proposing would be much easier to
understand - fewer misunderstandings.

sai
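
As an added example (not part of this thread and not pfSense's own code), here is a small Python check for the collision Holger warns about: it reads a pfSense-style config.xml, collects the statically addressed interfaces and the CARP VIPs, and reports any VIP that reuses a real interface address. It also flags two related CARP misconfigurations that go beyond Holger's single point: a VIP that lies outside the subnet of the interface it is bound to, and two VIPs on one interface sharing a VHID. The config.xml below is constructed for the example; the element names (interfaces/<name>/ipaddr and subnet, virtualip/vip/mode, interface, subnet, subnet_bits, vhid) follow the pfSense config layout as assumed here, and all addresses are documentation ranges.

```python
"""Detect CARP VIP vs. real-interface address conflicts in a pfSense-style config.xml.

Added example; the config below is constructed and the element layout is an
assumption about pfSense's config.xml, not an extract from a real system.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: wan and lan carry real addresses, opt1 is the pfsync link.
# The first VIP deliberately reuses the wan interface address (Holger's case),
# the third VIP is off-subnet for lan and reuses lan's VHID 2.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan><if>em0</if><ipaddr>203.0.113.10</ipaddr><subnet>24</subnet></wan>
    <lan><if>em1</if><ipaddr>10.0.0.2</ipaddr><subnet>24</subnet></lan>
    <opt1><if>em2</if><ipaddr>192.168.255.1</ipaddr><subnet>30</subnet><descr>pfsync</descr></opt1>
    <opt2><if>em3</if><ipaddr>dhcp</ipaddr></opt2>
  </interfaces>
  <virtualip>
    <vip><mode>carp</mode><interface>wan</interface><subnet>203.0.113.10</subnet>
         <subnet_bits>24</subnet_bits><vhid>1</vhid></vip>
    <vip><mode>carp</mode><interface>lan</interface><subnet>10.0.0.1</subnet>
         <subnet_bits>24</subnet_bits><vhid>2</vhid></vip>
    <vip><mode>carp</mode><interface>lan</interface><subnet>203.0.113.20</subnet>
         <subnet_bits>24</subnet_bits><vhid>2</vhid></vip>
    <vip><mode>ipalias</mode><interface>wan</interface><subnet>203.0.113.30</subnet>
         <subnet_bits>32</subnet_bits></vip>
  </virtualip>
</pfsense>
"""


def load_interfaces(root):
    """Map interface name -> IPv4Interface for every statically addressed interface."""
    result = {}
    ifaces = root.find("interfaces")
    if ifaces is None:
        return result
    for iface in ifaces:
        addr = iface.findtext("ipaddr")
        bits = iface.findtext("subnet")
        if not addr or not bits:
            continue  # dhcp, pppoe or unconfigured: no static address to collide with
        try:
            result[iface.tag] = ipaddress.ip_interface(f"{addr}/{bits}")
        except ValueError:
            continue  # non-address values such as "dhcp" or "none"
    return result


def load_carp_vips(root):
    """Return (bound interface, IPv4Interface, vhid) for each CARP VIP; other VIP modes are skipped."""
    vips = []
    for vip in root.findall("virtualip/vip"):
        if vip.findtext("mode") != "carp":
            continue
        iface = vip.findtext("interface")
        addr = vip.findtext("subnet")
        bits = vip.findtext("subnet_bits") or "32"
        vips.append((iface, ipaddress.ip_interface(f"{addr}/{bits}"), vip.findtext("vhid")))
    return vips


def find_conflicts(config_xml):
    """Return a list of (problem, vip_address, interface) tuples, in config order."""
    root = ET.fromstring(config_xml)
    real = load_interfaces(root)
    real_addrs = {i.ip: name for name, i in real.items()}
    problems = []
    seen_vhid = set()
    for iface, vip, vhid in load_carp_vips(root):
        # 1. VIP reuses a real interface address: the address is then claimed both by
        #    the interface itself and by CARP, so both nodes answer ARP for it.
        if vip.ip in real_addrs:
            problems.append(("vip-equals-interface-ip", str(vip.ip), real_addrs[vip.ip]))
        # 2. VIP is not inside the subnet of the interface it is bound to.
        parent = real.get(iface)
        if parent is not None and vip.ip not in parent.network:
            problems.append(("vip-outside-interface-subnet", str(vip.ip), iface))
        # 3. Two CARP VIPs on one interface share a VHID.
        key = (iface, vhid)
        if key in seen_vhid:
            problems.append(("duplicate-vhid", str(vip.ip), iface))
        seen_vhid.add(key)
    return problems


if __name__ == "__main__":
    for problem, addr, iface in find_conflicts(SAMPLE_CONFIG):
        print(f"{problem}: {addr} on {iface}")
```

Run it against a real config.xml by reading the file into `find_conflicts`; an empty list means the VIPs are distinct from every static interface address, inside their interface subnets, and use unique VHIDs per interface. The VHID check is per config file only; two separate clusters sharing a broadcast domain with the same VHID need a check across both configs.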
