On 02/12/11 23:45, Russell Garrison wrote:
This was very helpful information and I have implemented it, but I am
still wondering about a related issue with routing. My default route
on the pair of firewalls is set to an IP on the carp5 IP network, so I
don't have a useable default route to the Internet on the backup until
it fails over. I think that Kapetanakis was referencing that same
issue when he responded to me which led to me discovering it on my
production setup. Is there anything I can do about this, given the /30
on the em5/carp5 network?

I had a different problem: ARP complaints.

My slave had internet access normally, since I use a /29 network for this setup. I was also doing the above to route locally generated traffic (from both master and slave) from the real IP and not the carped one:

pass out quick on $ext_if proto { tcp, udp, icmp } from ($ext_if) to $ext_if:network modulate state (if-bound, no-sync)
pass out quick on $ext_if proto { tcp, udp, icmp } from ($ext_if) modulate state (if-bound, no-sync) route-to ($ext_if $ext_gw)

These probably are not needed with a /32 netmask on the carp interface.


For now I can live with the lack of Internet access on the slave and
having to SSH to the master and then hop over to the slave using the
/28 for remote management. I did get Internet-sourced SSH access to
the backup working with a nat-to on the master, but it was ugly and
only worked when I set the translated source to the carp4 IP instead
of the master's em4 IP. Ended up rolling it back since the indirect
method works well enough. Any possible resolution to the default route
issue would be greatly appreciated.

I suggest you don't use the external IP for management, for better security. If you can, use an inside machine as a proxy to connect to the internal interfaces of the firewalls.

About the default gw, you may add ifstated(8) to the game to make the slave change its gw to the master fw and not the (default) remote router.

Giannis
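A concrete form of the ifstated(8) suggestion above, added here as an example and not taken from this thread: each firewall watches its own carp5 state and, while carp5 is backup, points its default route at the other firewall's internal (em4) address; when carp5 becomes master it restores the route to the carrier router on the /30. The interface names come from the thread; the two addresses are assumed placeholders that differ per host.

```conf
# /etc/ifstated.conf, constructed example (not from the thread)
# Assumed, per host: 192.0.2.2 is the OTHER firewall's em4 address
# (not the shared carp4 address, which the backup also holds locally),
# 203.0.113.1 is the carrier's router on the em5/carp5 /30.
init-state auto

carp_up   = "carp5.link.up"
carp_down = "carp5.link.down"

state auto {
    # at startup, pick the state matching the current carp5 role
    if $carp_up
        set-state master
    if $carp_down
        set-state slave
}

state master {
    init {
        # we own the carp5 address, so the carrier router is reachable
        run "route -n change default 203.0.113.1"
    }
    if $carp_down
        set-state slave
}

state slave {
    init {
        # carp5 is backup here: send this host's own traffic to the master via em4
        run "route -n change default 192.0.2.2"
    }
    if $carp_up
        set-state master
}
```

The master's pf must still accept and translate the slave's traffic on its external interface (the nat-to mentioned above), and the slave's locally generated packets should not use the carped source address in that state.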
