Hi misc@,

I am trying to set up a set of "carp"-ed firewalls as follows:

         ISP 1           ISP 2
           |               |
            \             /
        _____ SWITCH #1 _____
       /    |             |    \
      /     |             |     \
   bge0   bge1          bge0   bge1
     |    /               |    /
     FW #1                FW #2
     |    \               |    \
   em0   em1            em0   em1
     \     \_____________|_____
      \     \            |     \
       \   SWITCH #3     \      |
        \_____________ SWITCH #2

Each ISP has a modem plugged into SWITCH #1.

FW#1 and FW#2 have bge0 set up for ISP 1 and bge1 set up for ISP 2 (one carp per ISP).

FW#1 and FW#2 have em0 set up for switch #2 and em1 set up for switch #3 (one carp per switch).

pfsync between FW#1 and FW#2 uses an inet alias on em0 (until IPSec is set up).

FW#1 has sysctl net.inet.carp.preempt set to 1; everything was working as expected and I was having a ball plugging, unplugging, rebooting and `ifconfig`-ing interfaces ;-)

Then ... I had to configure the firewall to have all hosts connected to SWITCH #2 use ISP 1, and all hosts connected to SWITCH #3 use ISP 2.

At first, I read `man route` and after figuring out that it was not possible to set up a default gateway for each source subnet, I decided to try pf's ``route-to''. I was told that I should avoid using pf to "fix" routing issues.

What do you suggest? If it is PF, what would be the pf rules to have the route-to working, and are they ok to use with carp?

I tried:

  pass in quick on em0 route-to ( bge0 $isp1_gw ) from any to !192.168.0.0/16 keep state
  pass in quick on em1 route-to ( bge1 $isp2_gw ) from any to !192.168.0.0/16 keep state

(bge0 (carp2) and bge1 (carp3) set up each one with a different default route and the -mpath option)

but while it "seemed" to work, carp doesn't seem to like it for some reason (unplugging some interfaces on current master causes a flood of CARP advertisements).

Thanks for any hint!
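The policy-routing rules quoted in the post, written out as a complete pf.conf fragment so the pieces fit together: this is an added example, not part of the original post or the poster's configuration. It uses the same older `route-to ( if gw )` / `keep state` syntax as the post. The gateway addresses, the internal subnets and the `reply-to` rules on the ISP-facing interfaces are assumptions; `reply-to` is the documented pf counterpart of `route-to` that sends replies to inbound connections back out the interface they arrived on, so each ISP's return traffic does not leave via the other ISP's link.

```pf
# --- macros (addresses are assumed placeholders, not from the post) ---
isp1_if  = "bge0"            # ISP 1 uplink (carp2 rides on it)
isp2_if  = "bge1"            # ISP 2 uplink (carp3 rides on it)
isp1_gw  = "203.0.113.1"     # ISP 1 default gateway (placeholder)
isp2_gw  = "198.51.100.1"    # ISP 2 default gateway (placeholder)
lan2_if  = "em0"             # hosts on SWITCH #2 -> must use ISP 1
lan3_if  = "em1"             # hosts on SWITCH #3 -> must use ISP 2
internal = "192.168.0.0/16"  # all internal subnets, as in the post

set skip on lo0

# keep pfsync and carp traffic between the two firewalls unfiltered
pass quick on $lan2_if proto pfsync keep state
pass quick proto carp keep state

# --- inbound from the Internet: answer on the link the packet came in on ---
pass in on $isp1_if reply-to ( $isp1_if $isp1_gw ) from any to ($isp1_if) keep state
pass in on $isp2_if reply-to ( $isp2_if $isp2_gw ) from any to ($isp2_if) keep state

# --- outbound policy routing, per internal switch (the rules from the post) ---
# internal-to-internal traffic follows the normal routing table
pass in quick on $lan2_if from any to $internal keep state
pass in quick on $lan3_if from any to $internal keep state

# everything else from SWITCH #2 leaves via ISP 1, from SWITCH #3 via ISP 2
pass in quick on $lan2_if route-to ( $isp1_if $isp1_gw ) from any to !$internal keep state
pass in quick on $lan3_if route-to ( $isp2_if $isp2_gw ) from any to !$internal keep state

# let the routed packets out on the uplinks
pass out on $isp1_if keep state
pass out on $isp2_if keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check it (`-n` parses without loading), then `pfctl -f /etc/pf.conf`. Note that `keep state` on the `route-to` rules matters: the state remembers the chosen gateway, so later packets of the same connection keep following the same uplink.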