* Kapetanakis Giannis <bil...@edu.physics.uoc.gr> [2011-12-03 01:34]:
> On 02/12/11 23:45, Russell Garrison wrote
> > This was very helpful information and I have implemented it, but I am
> > still wondering about a related issue with routing. My default route
> > on the pair of firewalls is set to an IP on the carp5 IP network, so I
> > don't have a usable default route to the Internet on the backup until
> > it fails over. I think that Kapetanakis was referencing that same
> > issue when he responded to me, which led to me discovering it on my
> > production setup. Is there anything I can do about this given the /30
> > on the em5/carp5 network?
>
> I had a different problem of arp complaints.
>
> My slave had internet access normally since I use a /29 network for
> this setup. I was also doing the above to route locally generated
> traffic (both master and slave) from the real IP and not the carped one:
>
> pass out quick on $ext_if proto { tcp, udp, icmp } from ($ext_if) to \
>     $ext_if:network modulate state (if-bound, no-sync)
> pass out quick on $ext_if proto { tcp, udp, icmp } from ($ext_if) \
>     modulate state (if-bound, no-sync) route-to ($ext_if $ext_gw)
>
> These probably are not needed with a /32 netmask on the carp interface.
>
> > For now I can live with the lack of Internet access on the slave and
> > having to SSH to the master and then hop over to the slave using the
> > /28 for remote management. I did get Internet-sourced SSH access to
> > the backup working with a nat-to on the master, but it was ugly and
> > only worked when I set the translated source to the carp4 IP instead
> > of the master's em4 IP. Ended up rolling it back since the indirect
> > method works well enough. Any possible resolution to the default route
> > issue would be greatly appreciated.
>
> I suggest you don't use the external IP for management, for better
> security. If you can, use an inside machine as a proxy to connect on
> the internal interfaces of the firewalls.
> About the default gw, you may add ifstated(8) to the game to make
> the slave change his gw to the master fw and not the (default)
> remote router.
i really dunno where you diverged, but with the setup i described you
have internet access on the slave too, perfectly fine - given your
carpdevs have routed IPs and you set up the netmasks as I described and
didn't muck the routing. really, i use that setup all the time.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
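The ifstated(8) approach Kapetanakis suggests, written out as an added example that is not from any poster in this thread: the backup firewall watches the carp5 link state and swaps its default route between the upstream router and the master's real em5 address. The interface names come from the thread; the two addresses are constructed placeholders, and it assumes the master's real em5 address is directly reachable from the backup, as in Kapetanakis' /29 layout.

```conf
# /etc/ifstated.conf on the backup firewall (added example, not from the thread).
# 203.0.113.1 is a placeholder for the upstream router,
# 203.0.113.2 a placeholder for the master's real em5 address.
# carp5.link.up is true only while this box holds the CARP master role.

init-state auto

carp_master = "carp5.link.up"

# Pick the right state at startup instead of assuming one.
state auto {
	if $carp_master {
		set-state master
	}
	if ! $carp_master {
		set-state backup
	}
}

# Master: the default route points at the real upstream router.
state master {
	init {
		run "route -qn change default 203.0.113.1"
	}
	if ! $carp_master {
		set-state backup
	}
}

# Backup: no usable path via the shared carp5 address yet, so send
# locally generated traffic to the master's real interface address.
state backup {
	init {
		run "route -qn change default 203.0.113.2"
	}
	if $carp_master {
		set-state master
	}
}
```

Run `ifstated -n` to check the file parses, and watch the transitions with `ifstated -dv` before enabling it at boot; the master keeps its normal default route and needs no such rule.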