On 1/6/23 02:31, Christer Solskogen wrote:
> On Mon, Jan 2, 2023 at 5:14 PM Nick Holland <n...@holland-consulting.net>
> wrote:
>> hiya.
>> Goal: home (i.e., DHCP external network config) redundant
>> firewalls with CARP and PFSYNC.
>
> Totally doable. I've been running it like that for the last 7 years at
> home.
>
>> My ISP doesn't like it when the two firewalls have different mac-addresses,
>
> same here. :)
>
>> so I have to do some spoofing on the slave machine.
>
> ifstated is your very good friend here. My /etc/hostname.$extif is empty.
> CARP is only in use for the internal interface.
>
> This is my ifstated.conf on master:
>
> carp_up = "carp0.link.up"
> carp_down = "!carp0.link.up"
> carp_init = "carp0.link.unknown"
>
> init-state auto
>
> state auto {
>     if ($carp_up)
>         set-state fw_master
>     if !($carp_up)
>         set-state fw_slave
> }
>
> state fw_master {
>     init {
>         # now master: take the external address via DHCP, then reload pf
>         run "route -qn flush"
>         run "ifconfig em2 inet autoconf"
>         run "pfctl -f /etc/pf.conf"
>     }
>     if ($carp_down)
>         set-state fw_slave
>     if ($carp_init)
>         run "sleep 2"
> }
>
> state fw_slave {
>     init {
>         # now backup: drop the external address, route our own traffic via 192.168.0.3
>         run "ifconfig em2 -inet"
>         run "route -qn flush"
>         run "route add default 192.168.0.3"
>     }
>     if ($carp_up)
>         set-state fw_master
> }
Does this actually maintain state? I'm thinking pfsync might
not work properly when the external interface "changes" like that.
It wouldn't actually matter much in *my case*, but I'm wondering
about the more general case.
Thanks!
Nick.
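Added example, not from the thread and not OpenBSD's ifstated(8): a small Python dry run of the ifstated.conf Christer posted above. Python rather than sh so it can be exercised offline, with no firewall and no carp0. It parses the subset of ifstated.conf(5) that file uses (macros, init-state, state blocks with init/run/if/set-state, tests built from `!`, parentheses and ifname.link.{up,down,unknown}), then replays carp0 link events and records each state entered and the commands its init block would run. The evaluation order is my model of ifstated(8) and is an assumption to check against the man page and source: whenever something changes, every `if` in the current state is tested in order, `run` fires immediately, the last `set-state` wins and is applied after the whole body, and entering a state runs its init block and then tests the new state's conditions. The CONFIG string is the thread's file verbatim; the event sequence in the usage note is constructed.

```python
"""Dry run of the ifstated.conf(5) file posted above. Added example: not from the thread, not OpenBSD's ifstated(8)."""
import re

def evaluate(expr, links):
    toks = re.findall(r'\(|\)|!|[A-Za-z0-9_.-]+', expr)      # links maps ifname -> 'up' | 'down' | 'unknown'
    def term():
        t = toks.pop(0)
        if t == '(':
            v = term()
            if toks.pop(0) != ')':
                raise ValueError(f'missing ) in {expr!r}')
            return v
        if t == '!':
            return not term()
        iface, kind, want = t.split('.')                      # e.g. carp0.link.up
        if kind != 'link' or want not in ('up', 'down', 'unknown'):
            raise ValueError(f'unsupported test {t!r}')
        return links.get(iface, 'unknown') == want            # unlisted interfaces read as unknown
    return term()

def parse_config(text):
    macros, states, init_state, cur, in_init, cond = {}, {}, None, None, False, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if m := re.match(r'^(\w+)\s*=\s*"(.*)"$', line):
            macros[m[1]] = m[2]
        elif m := re.match(r'^init-state\s+(\S+)$', line):
            init_state = m[1]
        elif m := re.match(r'^state\s+(\S+)\s*\{$', line):
            cur, states[m[1]] = m[1], {'init': [], 'rules': []}  # rules: [(test, action)]
        elif line == 'init {':
            in_init = True
        elif line == '}':
            in_init, cur = False, (cur if in_init else None)
        elif line.startswith('if '):
            cond = line[3:].strip()                           # its action is the next statement
        elif m := re.match(r'^set-state\s+(\S+)$|^run\s+"(.*)"$', line):
            if in_init:
                states[cur]['init'].append(m[2])              # init blocks only run commands
            else:
                states[cur]['rules'].append((cond, ('set-state', m[1]) if m[1] else ('run', m[2])))
                cond = None
        elif line:
            raise ValueError(f'unsupported statement {line!r}')
    return macros, states, init_state

def simulate(config_text, events):
    """Start in init-state, apply (ifname, link) events in order, return (final_state, trace)."""
    macros, states, state = parse_config(config_text)
    links, trace = {}, [(state, cmd) for cmd in states[state]['init']]
    for iface, link in [(None, 'unknown'), *events]:          # None: dummy pass over the initial state
        links[iface] = link
        for _ in range(len(states) + 1):
            nxt = None
            for cond, (kind, arg) in states[state]['rules']:
                # $macro is textual substitution; parenthesise it so a leading '!' stays scoped
                if evaluate(re.sub(r'\$(\w+)', lambda m: f'({macros[m[1]]})', cond), links):
                    if kind == 'run':
                        trace.append((state, arg))
                    else:
                        nxt = arg                             # last set-state wins, applied after the body
            if nxt is None or nxt == state:
                break
            state = nxt
            trace.extend((state, cmd) for cmd in states[state]['init'])
        else:
            raise RuntimeError('states keep bouncing; check the conditions')
    return state, trace

CONFIG = '''carp_up = "carp0.link.up"                         # sample input: the file posted in the thread
carp_down = "!carp0.link.up"
carp_init = "carp0.link.unknown"
init-state auto
state auto {
    if ($carp_up)
        set-state fw_master
    if !($carp_up)
        set-state fw_slave
}
state fw_master {
    init {
        run "route -qn flush"
        run "ifconfig em2 inet autoconf"
        run "pfctl -f /etc/pf.conf"
    }
    if ($carp_down)
        set-state fw_slave
    if ($carp_init)
        run "sleep 2"
}
state fw_slave {
    init {
        run "ifconfig em2 -inet"
        run "route -qn flush"
        run "route add default 192.168.0.3"
    }
    if ($carp_up)
        set-state fw_master
}'''
```

Under that model, simulate(CONFIG, [('carp0', 'down'), ('carp0', 'up'), ('carp0', 'unknown'), ('carp0', 'down')]) ends in fw_slave with a ten-entry trace: the three fw_slave init commands at startup (an unknown link counts as not up, so the auto state goes to fw_slave first), the three fw_master commands when carp0 comes up, and then, when the link goes unknown, `sleep 2` fired from fw_master before the switch back to fw_slave, because both `$carp_down` and `$carp_init` are true on that pass. The tool says nothing about pf state or pfsync; it only shows which commands fire, and when.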