Hello! I have used CARP ip-stealth balancing with only pass and block rules on two OpenBSD 4.5 firewalls and an https server quite successfully, like this:

            to isp router is firewalls' default gw
                       |--carp0--|        carp0: 192.168.1.170
                      _|_       _|_
                 FW1 |   |     |   | FW2
                     |___|     |___|
                       |--carp1--|        carp1: 10.0.1.193
                       |         |
            ----|------|---------|------|---
                |                       |
               _|_                     _|_
              |   | 10.0.1.200:443    |   | 10.0.1.199:80
              |___| https server      |___| http server

Carp interfaces are created with definitions like this (on the other firewall 1:100,2:0 -> 1:0,2:100):

    inet 192.168.1.170 255.255.255.248 192.168.1.175 carpnodes \
        1:100,2:0 balancing ip-stealth pass xxx carpdev em0
    inet 10.0.1.193 255.255.255.240 10.0.1.207 carpnodes \
        3:100,4:0 balancing ip-stealth pass yyy carpdev em1

And the problem arrives when I add a second server (http) and try to use rdr rules rewriting the IP address; the essential rules are:

    rdr on $ext_if inet proto tcp to 10.0.1.199 port 8080 tag TO_HTTP \
        -> 10.0.1.199 port 80
    rdr on $ext_if inet proto tcp to 10.0.1.200 port 80 tag TO_HTTP \
        -> 10.0.1.199 port 80
    pass in quick on $ext_if inet tagged TO_HTTP
    pass in quick on $ext_if inet proto tcp to 10.0.1.200 port 443 \
        tag TO_HTTP
    pass out quick on $int_if inet tagged TO_HTTP

So the problem is I can't figure out why the first rdr works and the second rdr does not. I tested my setup and came out with the following observations:

1. When I switch traffic to one or the other firewall, the second rdr gets working too (I use ifconfig -g carp carpdemote 50, and to change balancing back ... -carpdemote 50).

2. In the non-working case, logging on passes with 'log (all)', I can see that the SYN packet enters and leaves through one firewall, and the server's reply tries to leave by entering the other firewall and gets blocked there (in itself quite rightfully). I also checked that this SYN-ACK appears on both firewalls, but somehow the right one silently dropped it and the wrong one blocked it.

3. I checked the switches' MAC address tables and they don't have the virtual MAC address, as they should not in stealth mode.

Most perplexing is that more or less the very same setup has been working for me on several occasions; one difference is that the networking stuff, i.e. the switches, is different, but they should be quite vanilla Cisco stuff, and since the SYN-ACK gets onto both firewalls' interfaces but only the wrong one accepts it, I don't suspect the switches in the first place.

I would appreciate your help very much in solving this situation. I guess it is hard to tell how to fix it, but maybe you could point me towards checking or turning attention to something which helps me further.

Best regards,
Imre

PS Actual IP addresses are different, but I maintained the subnet sizes and the numbers used in the subnets. Hardware is HP DL360, em0 cards.