I've got two OBSD 4.1 boxes. They are set up identically, and I'm using CARP (& pfsync) to obtain a redundant firewall. I appear to have CARP working fine. My problem is when I enable pf. The initial TCP packet goes through fine, but the return packet gets blocked. (I have verified this by putting "log" entries in my ruleset.) If I disable pf, everything works fine.
Cutting down the pf ruleset to the bare minimum, I have:

    adsl_if="em2"
    int_if="em0"
    pfsync_if="bge0"

    scrub in
    set skip on lo

    block in

    #These three lines allow the failover mechanisms to work
    pass on { $int_if } proto carp keep state
    pass on { $adsl_if } proto carp keep state
    pass quick on { $pfsync_if} proto pfsync

    #Allow internal people to SSH in.
    pass in on $int_if proto tcp to ($int_if) port ssh keep state

    #ICMP
    pass in proto icmp to <me>

    pass in on $int_if proto tcp from 172.16.2.34 to 192.168.249.3 keep state

With this config, 172.16.2.34 cannot make a TCP connection to 192.168.249.3. What stupid thing have I missed?

For reference, below are the details of the carp & em interfaces. If anything else is needed, let me know.

Thanks,
GTG

    # ifconfig carp0
    carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:00:5e:00:01:01
            carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
            groups: carp
            inet 192.168.253.253 netmask 0xffffff00 broadcast 192.168.253.255
            inet6 fe80::200:5eff:fe00:101%carp0 prefixlen 64 scopeid 0xb

    # ifconfig carp2
    carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:00:5e:00:01:03
            carp: MASTER carpdev em2 vhid 3 advbase 1 advskew 0
            groups: carp
            inet6 fe80::200:5eff:fe00:103%carp2 prefixlen 64 scopeid 0xc
            inet 192.168.249.253 netmask 0xffffff00 broadcast 192.168.249.255

    # ifconfig em0
    em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:1b:21:01:c8:30
            media: Ethernet autoselect (100baseTX full-duplex)
            status: active
            inet 192.168.253.20 netmask 0xffffff00 broadcast 192.168.253.255
            inet6 fe80::21b:21ff:fe01:c830%em0 prefixlen 64 scopeid 0x3

    # ifconfig em2
    em2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:1b:21:01:c8:32
            media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
            status: active
            inet 192.168.249.251 netmask 0xffffff00 broadcast 192.168.249.255
            inet6 fe80::21b:21ff:fe01:c832%em2 prefixlen 64 scopeid 0x5
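As an added illustration (not from the original post and not pf's code), here is a small Python model of pf's stateful filtering with floating states (the default) run over the two rules from the ruleset above that decide this connection. It shows that the SYN/ACK arriving on em2 is passed by the state the SYN created on em0, so under `block in` a return packet is only dropped when no state matches it (interface is not checked, but addresses, ports and protocol are). The packets and port numbers are constructed sample values.

```python
# Simplified model of pf stateful filtering (floating states): state lookup
# first, then last-matching-rule-wins. Added illustration, not pf's own code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    ifname: str
    direction: str   # "in" or "out"
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

# The two rules from the poster's cut-down ruleset that decide this flow.
RULES = [
    {"action": "block", "dir": "in"},
    {"action": "pass", "dir": "in", "on": "em0", "proto": "tcp",
     "src": "172.16.2.34", "dst": "192.168.249.3", "keep_state": True},
]

def state_key(p):
    # Floating states are keyed on proto and both addr:port pairs, not on the
    # interface; pf looks the key up in both directions.
    return (p.proto, p.src, p.sport, p.dst, p.dport)

def reverse_key(k):
    proto, src, sport, dst, dport = k
    return (proto, dst, dport, src, sport)

def rule_matches(r, p):
    fields = (("dir", "direction"), ("on", "ifname"), ("proto", "proto"),
              ("src", "src"), ("dst", "dst"))
    return all(key not in r or r[key] == getattr(p, attr) for key, attr in fields)

class PfModel:
    def __init__(self, rules):
        self.rules, self.states = rules, set()

    def filter(self, p):
        k = state_key(p)
        if k in self.states or reverse_key(k) in self.states:
            return "pass (state)"          # existing state wins, no rule lookup
        matched = None
        for r in self.rules:               # last matching rule wins ("quick" omitted)
            if rule_matches(r, p):
                matched = r
        if matched is None:
            return "pass (no rule)"        # pf's default when nothing matches
        if matched["action"] == "pass" and matched.get("keep_state"):
            self.states.add(k)
        return f"{matched['action']} (rule)"

def run_scenario():
    fw = PfModel(RULES)
    syn    = Pkt("em0", "in", "tcp", "172.16.2.34", 51000, "192.168.249.3", 22)
    synack = Pkt("em2", "in", "tcp", "192.168.249.3", 22, "172.16.2.34", 51000)
    stray  = Pkt("em2", "in", "tcp", "192.168.249.3", 22, "172.16.2.34", 51001)
    return [fw.filter(syn), fw.filter(synack), fw.filter(stray)]
```

Real pf additionally checks TCP sequence numbers and window against the state (dropped packets show up as "BAD state" in pflog), which this model does not; `pfctl -ss` on the box shows whether the state from the initial SYN actually exists when the reply arrives.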