* Kapetanakis Giannis <bil...@edu.physics.uoc.gr> [2011-12-03 01:34]:
> On 02/12/11 23:45, Russell Garrison wrote
> >This was very helpful information and I have implemented it, but I am
> >still wondering about a related issue with routing. My default route
> >on the pair of firewalls is set to an IP on the carp5 IP network, so I
> >don't have a useable default route to the Internet on the backup until
> >it fails over. I think that Kapetanakis was referencing that same
> >issue when he responded to me which led to me discovering it on my
> >production setup. Is there anything I can do about this given the /30
> >on the em5/carp5 network.
> 
> I had a different problem of arp complaints.
> 
> My slave had internet access normally since I use /29 network for
> this setup. I was also doing the above to route locally generated
> traffic (both master and slave) from real IP and not the carped one:
> 
> pass out quick on $ext_if proto { tcp, udp, icmp } from ($ext_if) to
> $ext_if:network modulate state (if-bound, no-sync)
> pass out quick on $ext_if proto { tcp, udp, icmp } from ($ext_if)
> modulate state (if-bound, no-sync) route-to ($ext_if $ext_gw)
> 
> These probably are not needed with a /32 netmask on the carp interface.
> 
> >
> >For now I can live with the lack of Internet access on the slave and
> >having to SSH to the master and then hop over to the slave using the
> >/28 for remote management. I did get Internet-sourced SSH access to
> >the backup working with a nat-to on the master, but it was ugly and
> >only worked when I set the translated source to the carp4 IP instead
> >of the master's em4 IP. Ended up rolling it back since the indirect
> >method works well enough. Any possible resolution to the default route
> >issue would be greatly appreciated.
> 
> I suggest you don't use the external IP for management, for better
> security. If you can, use an inside machine as a proxy to connect to
> the internal interfaces of the firewalls.
> 
> About the default gw, you may add ifstated(8) in the game to make
> the slave change his gw to the master fw and not the (default)
> remote router.

I really dunno where you diverged, but with the setup I described you
have internet access on the slave too, perfectly fine - given your
carpdevs have routed IPs and you set up the netmasks as I described
and didn't muck the routing.

Really, I use that setup all the time.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
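For readers who want to see what Kapetanakis' ifstated(8) suggestion looks like in practice, here is an added example ifstated.conf for the backup firewall. It is not from the thread or from either poster: it flips the default route to the upstream router while this host is CARP MASTER on carp5, and to the master firewall's inside (em4) address while it is BACKUP. The addresses 203.0.113.1 (upstream router) and 192.0.2.1 (master's inside address on the /28) are constructed placeholders; substitute your own. Note Henning's point above: with routed IPs on the carpdevs and correct netmasks this is not needed at all, so treat it as an option for the /30 case only.

```conf
# Added example ifstated.conf for the BACKUP firewall (not from the thread).
# Assumed/constructed values:
#   carp5         carp interface on the external /30 (named in the thread)
#   203.0.113.1   upstream router on the /30 (constructed placeholder)
#   192.0.2.1     master firewall's inside em4 address on the /28 (constructed)

init-state auto

# carpN.link.up is true while this host is CARP MASTER on that interface,
# and false while it is BACKUP.
carp5_master = "carp5.link.up"

# Pick the starting state from the live CARP status instead of assuming one.
state auto {
	if $carp5_master
		set-state master
	if ! $carp5_master
		set-state backup
}

# MASTER: the carp5 address is ours, so the normal default route applies.
state master {
	init {
		run "route -n change default 203.0.113.1"
	}
	if ! $carp5_master
		set-state backup
}

# BACKUP: carp5 is not answering for us, so send locally generated traffic
# to the master firewall over the inside /28; the master forwards and NATs
# it like traffic from any other inside host.
state backup {
	init {
		run "route -n change default 192.0.2.1"
	}
	if $carp5_master
		set-state master
}
```

Run it with `ifstated -n` first to check the syntax, then enable it with the usual rc.conf.local entry. The master side needs nothing special beyond allowing and translating traffic from the backup's em4 address on its inside interface; the pf "from ($ext_if) ... route-to" rules quoted earlier in the thread are a separate concern and only matter when the real interface address is used as a source.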