On Mon, Feb 15, 2010 at 03:19:17PM -0800, Joseph François wrote:
> Hello,
>
> I am building a redundant OpenBSD 4.6 firewall for our startup. We will
> have a block of IP addresses that will be NATed and redirected to many
> internal web servers and an FTP server. We will also have an IPsec VPN
> from our home office to the production site for management purposes.
>
> So far everything seems to work rather well, but for the following. When
> the external carp interface fails over to router2, internal websites are
> no longer accessible. However, if both internal and external carp
> interfaces fail over to router2, then the sites work fine. I do not wish
> to have a hostname.carpX for each IP in my /27 block of IPs.
>
> Thank you for your suggestion on solving this problem. Please find my
> configuration below.
>
> External carp1:
>
> inet 10.125.1.130 255.255.255.0 10.125.1.255 vhid 1 pass Pass12 carpdev rl0 advbase 5 advskew 0
> inet alias 10.125.1.131 255.255.255.255
> inet alias 10.125.1.132 255.255.255.255
> inet alias 10.125.1.133 255.255.255.255
> inet alias 10.125.1.134 255.255.255.255
> inet alias 10.125.1.135 255.255.255.255
> ....
>
> Internal carp2:
>
> inet 192.168.155.1 255.255.255.0 192.168.155.255 vhid 2 pass Pass34 carpdev fxp0 advbase 5 advskew 0
>
>
> PF rules:
>
> nat on egress from $FONet to any tag EGRESS -> carp1 port 1024:65535
>
> rdr on $ExtIf inet proto tcp from any to carp1 port www tag WEB -> $WebIP port www
>
> pass in log on $ExtIf inet proto tcp from any to $IntNet port www
>
> pass out log on $IntIf inet proto tcp from any to $IntNet port www
>
If I read correctly, you probably want to set net.inet.carp.preempt in sysctl. That should fail over all carp interfaces as a group.
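As an added example (not part of this thread, and not the poster's or the reply's own code): a small sh check for the condition the original post describes, where carp1 has gone BACKUP on a host while carp2 on the same host is still MASTER, so traffic arrives at one router and is answered by the other. It parses ifconfig(8)-style carp output from stdin. The two sample outputs are constructed for illustration, using the poster's interface names and vhids; the exact ifconfig formatting is an assumption about the 4.6 output.

```shell
#!/bin/sh
# Added example, not from the original thread. Detects a split failover:
# carp interfaces on one host that do not all report the same state.
# Reads `ifconfig carp` output on stdin.

carp_states() {
    # Print one "ifname STATE" line per carp interface seen on stdin.
    # The "carp: STATE carpdev ..." line belongs to the most recent
    # "carpN:" header line.
    awk '
        /^carp[0-9]+:/   { iface = $1; sub(":$", "", iface) }
        /^[ \t]*carp: /  { print iface, $2 }
    '
}

carp_consistent() {
    # Exit 0 when every carp interface reports the same state (all MASTER
    # or all BACKUP), 1 when they disagree.
    carp_states | awk '
        NR == 1     { first = $2 }
        $2 != first { bad = 1 }
        END         { exit bad + 0 }
    '
}

# Constructed ifconfig(8) output for the poster's two interfaces after only
# the external one has failed over: the state the poster reports as broken.
SAMPLE_SPLIT='carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: BACKUP carpdev rl0 vhid 1 advbase 5 advskew 0
        inet 10.125.1.130 netmask 0xffffff00 broadcast 10.125.1.255
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:02
        carp: MASTER carpdev fxp0 vhid 2 advbase 5 advskew 0
        inet 192.168.155.1 netmask 0xffffff00 broadcast 192.168.155.255'

# Constructed output for the same host once both interfaces have failed
# over together, which is what the reply's net.inet.carp.preempt gives you.
SAMPLE_GROUPED='carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev rl0 vhid 1 advbase 5 advskew 0
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev fxp0 vhid 2 advbase 5 advskew 0'

report() {
    # Run the check over one sample ($1) and print a one-line verdict.
    if printf '%s\n' "$1" | carp_consistent; then
        echo "carp interfaces agree"
    else
        echo "split failover: carp interfaces disagree"
    fi
}

report "$SAMPLE_SPLIT"     # split failover: carp interfaces disagree
report "$SAMPLE_GROUPED"   # carp interfaces agree
```

On a live box you would feed it `ifconfig carp | carp_consistent` from cron or a monitoring hook. The fix itself is the one the reply names: net.inet.carp.preempt=1 (in /etc/sysctl.conf to survive reboot, or `sysctl net.inet.carp.preempt=1` right away), which carp(4) documents as the switch that also fails carp interfaces over as a group, so the external and internal interfaces change state together instead of one at a time.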

