On 30/03/15(Mon) 11:58, David Newman wrote:
> On 3/29/15 12:38 PM, mxb wrote:
> > Probably your PF rules.
> > put in ‘pass quick proto icmp’.
>
> No joy. This did not improve on the existing ICMP rule in pf.conf.
>
> I think the root problem is that on both firewalls the physical and CARP
> interface addresses are bound to lo0 instead of vic1. Here both .98
> (CARP) and .99 (physical) should be bound to vic1 instead of lo0:
>
> netstat -nr -f inet | grep 12.220.174
> default 12.220.174.97 UGS 0 4 - 8 vic1
> 12.220.174.96/27 link#2 UC 2 0 - 4 vic1
> 12.220.174.98 00:00:5e:00:01:dd HLl 0 0 - 1 lo0
> 12.220.174.99 00:50:56:b2:33:0e UHLl 0 8 - 1 lo0
>
> hostname.vic1:
> inet 12.220.174.99 255.255.255.224 12.220.174.127 up
>
> hostname.carp221:
> inet 12.220.174.98 255.255.255.224 12.20.174.127 vhid 221 carpdev vic1
> advskew 1 pass ******
>
> CARP is up and MASTER/BACKUP state changes work between boxes, but
> neither firewall can ping other hosts or vice-versa via the CARP interface.
>
> How to get those interfaces to bind to vic1 instead of lo0?
You cannot do that. You're mixing the words "interfaces" and "IP
addresses" which makes things a bit complicated to understand.
Every IP address configured locally will have the "l" flag in
netstat/route outputs and will be linked to lo0. They are linked to
lo0 to be able to use them locally without sending packets to the wire.
In the case of CARP setups the master and the backup nodes have at least
one address in common, which means that pinging this address from any
of these CARP nodes should not generate a packet on the wire.
Now if you configure an IP address of the same subnet on the parent
interface, vic1 in your case, this interface will hold the cloning
route ('C' in your output) and will be used to reach any other address
of the subnet. If you don't do that, then the carp interfaces should
hold the cloning route and their address will be used.
Does that answer your question?
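The explanation above can be turned into a quick check of a routing table: the cloning route ('C' flag) for the subnet should sit on the parent interface, and every locally configured address (lowercase 'l' flag) is expected on lo0 no matter which interface it was set on. The script below is an added example for this thread, not code from either poster; it parses `netstat -nr -f inet` style lines with awk, and the sample routes are constructed from the output quoted earlier in the thread. The function names (cloning_iface, local_addrs, is_local, check_carp_subnet) are this example's own.

```shell
#!/bin/sh
# Constructed sample in the column layout of `netstat -nr -f inet`,
# copied from the thread's quoted output (not live output from any host).
SAMPLE_ROUTES='default 12.220.174.97 UGS 0 4 - 8 vic1
12.220.174.96/27 link#2 UC 2 0 - 4 vic1
12.220.174.98 00:00:5e:00:01:dd HLl 0 0 - 1 lo0
12.220.174.99 00:50:56:b2:33:0e UHLl 0 8 - 1 lo0'

# Print the interface holding the cloning route ('C' flag) for a subnet.
# Reads routing-table lines on stdin.  Usage: cloning_iface 12.220.174.96/27
cloning_iface() {
    awk -v net="$1" '$1 == net && $3 ~ /C/ { print $NF; exit }'
}

# Print every locally configured address, i.e. each entry carrying the
# lowercase 'l' flag.  These are the ones the answer says live on lo0.
local_addrs() {
    awk '$3 ~ /l/ { print $1 }'
}

# Exit 0 if ADDR appears as a local ('l') route on lo0, 1 otherwise.
# Usage: is_local 12.220.174.98
is_local() {
    awk -v addr="$1" \
        '$1 == addr && $3 ~ /l/ && $NF == "lo0" { found = 1 } END { exit !found }'
}

# Summarise a CARP subnet: which interface clones for it, and whether the
# CARP and physical addresses are registered locally.  Prints "ok" when the
# parent interface holds the cloning route and both addresses are local,
# otherwise "mismatch".  Usage: check_carp_subnet SUBNET PARENT CARPADDR PHYSADDR
check_carp_subnet() {
    net="$1"; parent="$2"; carp_addr="$3"; phys_addr="$4"
    routes=$(cat)   # slurp stdin once so it can be fed to each helper

    iface=$(printf '%s\n' "$routes" | cloning_iface "$net")
    if [ "$iface" = "$parent" ] \
        && printf '%s\n' "$routes" | is_local "$carp_addr" \
        && printf '%s\n' "$routes" | is_local "$phys_addr"; then
        echo ok
    else
        echo mismatch
    fi
}

# Stand-alone run against the constructed sample; on a real box replace the
# sample with:  netstat -nr -f inet | check_carp_subnet ...
printf '%s\n' "$SAMPLE_ROUTES" \
    | check_carp_subnet 12.220.174.96/27 vic1 12.220.174.98 12.220.174.99
```

Run against the constructed sample this prints `ok`: vic1 holds the UC cloning route for 12.220.174.96/27 and both .98 and .99 are lo0 entries with the 'l' flag, which is exactly the layout the answer describes as normal rather than broken.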