On Mon, Feb 15, 2010 at 03:56:36PM -0800, Joseph François wrote:
> Thank you Scott for your response. If I understand you correctly, I should
> create a carp interface group for each pair of carp interfaces and enable
> net.inet.carp.preempt so that each time a carp interface in the group fails it
> will automatically fail the other.
>
> Am I correct?
>
> Thank you for your help,
> Joe
>
> ________________________________
> From: Scott Learmonth <[email protected]>
> To: [email protected]
> Sent: Mon, February 15, 2010 6:30:39 PM
> Subject: Re: CARP Failover
>
> On Mon, Feb 15, 2010 at 03:19:17PM -0800, Joseph François wrote:
> > Hello,
> >
> > I am building a redundant OpenBSD 4.6 firewall for our startup. We will have
> > a block of IP addresses that we will NAT and redirect to many internal web
> > servers and an FTP server. We will also have an IPsec VPN from our home
> > office to the production site for management purposes.
> >
> > So far everything seems to work rather well, but for the following. When the
> > external carp interface fails over to router2, internal websites are no
> > longer accessible. However, if both internal and external carp interfaces
> > fail over to router2, then the sites work fine. I do not wish to have a
> > hostname.carpX for each IP in my /27 block of IPs.
> >
> > Thank you for your suggestion on solving this problem. Please find my
> > configuration below.
> >
> > External Carp1:
> >
> > inet 10.125.1.130 255.255.255.0 10.125.1.255 vhid 1 pass Pass12 carpdev rl0 advbase 5 advskew 0
> > inet alias 10.125.1.131 255.255.255.255
> > inet alias 10.125.1.132 255.255.255.255
> > inet alias 10.125.1.133 255.255.255.255
> > inet alias 10.125.1.134 255.255.255.255
> > inet alias 10.125.1.135 255.255.255.255
> > ....
> >
> > Internal Carp2:
> >
> > inet 192.168.155.1 255.255.255.0 192.168.155.255 vhid 2 pass Pass34 carpdev fxp0 advbase 5 advskew 0
> >
> > PF rules:
> >
> > nat on egress from $FONet to any tag EGRESS -> carp1 port 1024:65535
> >
> > rdr on $ExtIf inet proto tcp from any to carp1 port www tag WEB -> $WebIP port www
> >
> > pass in log on $ExtIf inet proto tcp from any to $IntNet port www
> >
> > pass out log on $IntIf inet proto tcp from any to $IntNet port www
> >
>
> If I read correctly, you probably want to set net.inet.carp.preempt in sysctl.
> That should failover all carp interfaces as a group.
>
No, the carp interfaces will already be part of a group. The preempt will cause all carp interfaces of a given machine to fail over in the event that any one of them changes its state.
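As an added illustration, not part of the thread and not the poster's own files, this is how the two-router setup from the quoted configuration is normally laid out so that the external and internal carp interfaces fail over together. Every carp interface is placed in the `carp` interface group by default, so no per-pair group is needed; the two routers differ only in `advskew`, and `net.inet.carp.preempt` must be set on both. The `advskew 100` value for router2, the `<secret1>`/`<secret2>` placeholders (the `pass` strings are shared secrets that authenticate CARP advertisements, so the ones from the post are not repeated here) and the assumption that router2 uses the same `rl0`/`fxp0` names are mine, not the page's.

```conf
# router1: /etc/hostname.carp1  (external; advskew 0 = preferred master)
inet 10.125.1.130 255.255.255.0 10.125.1.255 vhid 1 pass <secret1> carpdev rl0 advbase 5 advskew 0
inet alias 10.125.1.131 255.255.255.255
inet alias 10.125.1.132 255.255.255.255
# ... one "inet alias" line per public address in the /27; the aliases ride on
# the same vhid, so no extra hostname.carpN file is needed per address

# router1: /etc/hostname.carp2  (internal; same preference as carp1)
inet 192.168.155.1 255.255.255.0 192.168.155.255 vhid 2 pass <secret2> carpdev fxp0 advbase 5 advskew 0

# router2: /etc/hostname.carp1  (same address, vhid and pass; higher advskew = backup)
inet 10.125.1.130 255.255.255.0 10.125.1.255 vhid 1 pass <secret1> carpdev rl0 advbase 5 advskew 100
inet alias 10.125.1.131 255.255.255.255
inet alias 10.125.1.132 255.255.255.255
# ... the same alias list as on router1

# router2: /etc/hostname.carp2
inet 192.168.155.1 255.255.255.0 192.168.155.255 vhid 2 pass <secret2> carpdev fxp0 advbase 5 advskew 100

# both routers: /etc/sysctl.conf
# lets a backup with the better (lower) advskew take over from a demoted master
net.inet.carp.preempt=1
```

To check the result on either router, `ifconfig carp1` and `ifconfig carp2` should both list `groups: carp`, and `ifconfig -g carp` prints the group's demotion counter (`carp: carp demote count 0` when healthy). When the carpdev link behind one of router1's carp interfaces goes down, that counter is raised and router1 advertises every interface in the group as demoted; with preempt enabled, router2 then becomes master for vhid 1 and vhid 2 at the same time, so the `nat`/`rdr` traffic and its return path stay on one box instead of splitting across the two routers as described in the original question.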

