On Tue, Nov 10, 2009 at 8:09 PM, Camiel Dobbelaar <[email protected]> wrote:
> > To clarify, CARP is working in terms of redundancy, what does not seem to
> > be working is the preempting of the primary firewall interfaces by the
> > backup firewall should _one_ of the primary interfaces be taken off line
>
> Use carpdemote. (man ifconfig and see also /etc/rc)

Yes, that works. I think the FAQ needs updating then. This part specifically
does not seem correct: http://www.openbsd.org/faq/pf/carp.html#forcefail

If you take the physical interface down with ifconfig, then pfsync will take
all the other carp interfaces and take them off line. If you take a carp
interface off line, then pfsync will not take the other carp interfaces off
line.

To clarify. Primary firewall with two carp interfaces. Backup firewall with
the same two carp interfaces.

If you do:

<Primary Firewall> # ifconfig carp1 down

then the result is:

Primary Firewall:
carp0 MASTER
carp1 INIT

Backup Firewall:
carp0 BACKUP
carp1 MASTER

And no traffic flows.

If you do:

<Primary Firewall> # ifconfig vr1 down

(vr1 is the interface carp1 is on)

then the result is:

Primary Firewall:
carp0 BACKUP
carp1 INIT

Backup Firewall:
carp0 MASTER
carp1 MASTER

So that works as expected. I will write a change for the FAQ.

Mikel
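An added check, not part of the thread, that parses one host's "ifconfig carp" output and reports whether the host is MASTER on all, none, or only some of its carp interfaces; the "partial" result is the carp0 MASTER / carp1 INIT situation described above, where the primary still owns one address while the backup owns the other and traffic stops. It assumes the OpenBSD ifconfig layout with "carp: STATE carpdev ..." lines and that "ifconfig carp" lists the carp interface group; the sample outputs are constructed.

```shell
# Added example (not from the thread). Classifies a host's carp interfaces by
# the "carp: STATE ..." line that OpenBSD ifconfig prints for each of them.
# A "partial" host (MASTER on some, not all) is the no-traffic case from the
# message; carpdemote is the tool to force it to give up the rest as well.
# Output format is assumed from OpenBSD ifconfig; samples below are constructed.

# carp_master_summary OUTPUT -> prints "all", "none" or "partial"
carp_master_summary() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]+carp: / { n++; if ($2 == "MASTER") m++ }
        END {
            if (n == 0)      print "none"     # no carp interfaces seen
            else if (m == n) print "all"      # host owns every address
            else if (m == 0) print "none"     # host owns nothing: fine
            else             print "partial"  # split ownership: traffic stops
        }
    '
}

# Constructed sample: primary firewall after "ifconfig carp1 down"
PRIMARY_AFTER_CARP1_DOWN='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev vr0 vhid 1 advbase 1 advskew 0
        inet 192.0.2.1 netmask 0xffffff00
carp1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        carp: INIT carpdev vr1 vhid 2 advbase 1 advskew 0
        inet 198.51.100.1 netmask 0xffffff00'

# Constructed sample: primary firewall after "ifconfig vr1 down"
PRIMARY_AFTER_VR1_DOWN='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev vr0 vhid 1 advbase 1 advskew 0
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: INIT carpdev vr1 vhid 2 advbase 1 advskew 0'

# On a live OpenBSD host this would be: carp_master_summary "$(ifconfig carp)"
for s in PRIMARY_AFTER_CARP1_DOWN PRIMARY_AFTER_VR1_DOWN; do
    eval "out=\$$s"
    printf '%s: %s\n' "$s" "$(carp_master_summary "$out")"
done
```

Run from cron or a monitoring agent, a "partial" result is the condition worth alerting on, since neither firewall then carries all the traffic.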

