The way the setup is currently done is with an external connection to
a single ISP. For both IPv4 and IPv6 on the external side the
configuration is all static address assignment, with a single default
route towards the ISP and the ISP has a single static route (well, one
route for IPv4 and one for IPv6) for the delegated IPv4 and IPv6
ranges we were assigned that points towards the IPv4 and IPv6 CARP
VIPs I've configured on the external side. So from an ISP-to-me point
of view it's very simple and it works. I do not run any IPv6 routing
advertisements on that external side since everything is configured
statically.

My question and concern is really from an internal perspective. That
being said, I realized I was doing it wrong when I read your "get your
RA daemon to advertise on that CARP interface". I was configuring
/etc/rad.conf with "interface em1", when I now realize I should have
put "interface carp0" instead. With this change the RA daemon now
sends a single advertisement for the CARP interface's link-local
address, which is what I wanted all along.

Thanks!
-Martin
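The rad.conf change Martin describes, together with the inside CARP interface with an IPv6 alias that Henrik suggests, written out as an added example; this is not configuration from either poster. Addresses, the vhid and the password are constructed placeholders (2001:db8::/32 and 192.0.2.0/24 are documentation ranges); em1 is the inside interface named in the thread.

```conf
# /etc/hostname.carp0 (same on both firewalls except advskew; constructed values)
# The IPv4 VIP defines the CARP group on em1; the IPv6 address is an alias on
# carp0 so it is only owned by whichever box is currently master.
# Master: advskew 0. Backup: advskew 100.
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 carpdev em1 advskew 0 pass CHANGE_ME
inet6 alias 2001:db8:1::1 64

# /etc/rad.conf
#
# Wrong: advertising on the physical interface. Both boxes send RAs regardless
# of CARP state, so hosts learn two default routers and never use the VIP.
# interface em1
#
# Right: advertise on the CARP interface. A carp interface in backup state does
# not transmit, so only the master's carp0 link-local address is seen as a
# default router and all traffic follows the CARP master.
interface carp0 {
	prefix 2001:db8:1::/64
}
```

The explicit `prefix` keeps the advertised prefix in step with the alias on carp0. After editing, `rad -n` checks the syntax and `rcctl restart rad` applies it; on a failover the master's advertisements stop and the new master's begin, so hosts converge on the surviving box without learning a second router.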
On Thu, Jul 26, 2018 at 6:11 PM Henrik Dige Semark <[email protected]> wrote:
>
> For an IPv6-only setup I would put an IPv6 anycast address on your
> interface on both servers and then announce that in your RA, and use OSPF
> between the servers if they are connected to two different
> upstream-providers.
>
> But if you are dependent on a CARP IPv4 and tunneling setup on the
> outside for your IPv6 connectivity, so that only one of the servers is
> able to route traffic at a time, you would have to put your IPv6 address
> as an alias on a CARP for the inside and get your RA daemon to advertise
> on that CARP interface, then it would stop sending on the interface in
> backup-state.
>
> Med Venlig Hilsen / Best Regards
> Henrik Dige Semark
>
> On 2018-07-26 22:57, Martin Gignac wrote:
> > Hi,
> >
> > How does one implement a redundant OpenBSD firewall pair with IPv6?
> >
> > With IPv4 I would use CARP to have one of the boxes be the
> > master/active while the other one is backup/standby. But with IPv6 I
> > want to use Router Advertisements so that hosts on the internal
> > network can use SLAAC for IPv6 address autoconfiguration. Therefore
> > hosts will receive RAs from both OpenBSD boxes and set both as
> > possible default GWs in their routing table.
> >
> > In that case, how do I get the internal hosts to send all traffic to
> > the "primary" firewall? I've configured the CARP interface on the box
> > with IPv6, but the RAs are still sent from both boxes (master and
> > backup) so the RA-configured hosts don't end up using the IPv6 CARP
> > VIP at all and I seem to end up with possible asymmetric firewall
> > flows.
> >
> > Thanks,
> > -Martin
> >
>
>
