Hello, I am building a redundant OpenBSD 4.6 firewall for our startup. We will have a block of IP addresses that will be NATed and redirected to many internal web servers and an FTP server. We will also have an IPsec VPN from our home office to the production site for management purposes.

So far everything seems to work rather well, except for the following. When the external carp interface fails over to router2, internal websites are no longer accessible. However, if both the internal and external carp interfaces fail over to router2, then the sites work fine. I do not wish to have a hostname.carpX for each IP in my /27 block of IPs. Thank you for your suggestions on solving this problem. Please find my configuration below.

External Carp1 (hostname.carp1):

    inet 10.125.1.130 255.255.255.0 10.125.1.255 vhid 1 pass Pass12 carpdev rl0 advbase 5 advskew 0
    inet alias 10.125.1.131 255.255.255.255
    inet alias 10.125.1.132 255.255.255.255
    inet alias 10.125.1.133 255.255.255.255
    inet alias 10.125.1.134 255.255.255.255
    inet alias 10.125.1.135 255.255.255.255
    ....

Internal Carp2 (hostname.carp2):

    inet 192.168.155.1 255.255.255.0 192.168.155.255 vhid 2 pass Pass34 carpdev fxp0 advbase 5 advskew 0

PF rules (pf.conf):

    nat on egress from $FONet to any tag EGRESS -> carp1 port 1024:65535
    rdr on $ExtIf inet proto tcp from any to carp1 port www tag WEB -> $WebIP port www
    pass in log on $ExtIf inet proto tcp from any to $IntNet port www
    pass out log on $IntIf inet proto tcp from any to $IntNet port www

