Hi Alec,

Alexander Lind wrote:
> Is it possible to have two OpenBSD bridging firewalls work together  
> with CARP now?

What do you mean by "work together"? Only fail-over? Load-sharing?

> 
> In the past I know it has been impossible to use CARP between two
> bridging firewalls, but reading the 4.1 -> 4.2 changelog, I learned
> about this change:
> 
> Update the ifp of bridge cache entries if the entry is not static.  
> This makes carp(4) fail-over work over bridge(4).

I think this means only that it is possible to use carp over bridges,
not for bridges. But maybe I'm wrong. :-)

> 
> So my question is, am I understanding this right if I say that it is  
> indeed possible to set up a pair of redundant carped firewalls using  
> OpenBSD 4.2 or above?

Bridges are layer 2, carp is layer 3 (it shares IP addresses). So carp
can not handle this by its nature, I think. Just place both bridges
in your LAN and you have your fail-over solution. I've never done
anything with OpenBSD bridges, but as I know it from bridge-utils on
Linux, you can set STP priority and costs to influence spanning tree path
selection. Of course your LAN switch should be capable of basic
spanning-tree functions as well.

After the first bridge goes down, spanning tree automatically takes the
next best path by setting the needed switch ports to forwarding (instead of
blocking).

Best,
 Marco

> 
> Alec
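
The STP-based fail-over Marco describes, written out as an added example that is not from this thread: two OpenBSD bridging firewalls (fw-a and fw-b) each bridge em0 (outside) and em1 (inside) with spanning tree enabled; fw-a is made the preferred path by a lower bridge priority and lower port costs, so when fw-a dies the switches unblock the path through fw-b. Host names, interface names and the numeric values are assumptions.

```conf
# /etc/hostname.bridge0 on fw-a (the preferred bridge); assumed interface names
add em0
add em1
# run spanning tree on both member ports so the switches see the bridge
stp em0
stp em1
# lower bridge priority (default 32768) so fw-a wins the root election
spanpriority 4096
# lower path cost on fw-a's ports so its path is chosen over fw-b's
ifcost em0 10
ifcost em1 10
up

# /etc/hostname.bridge0 on fw-b (the standby bridge): same members, STP at defaults
add em0
add em1
stp em0
stp em1
up
```

STP only reroutes frames; established connections survive the switch-over only if both firewalls also share state, for example with pfsync(4), which does not depend on carp.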
