Hello everyone,
I am experiencing difficulties in setting up a firewall using OpenBSD 4.6
w/ CARP interfaces (for future redundancy).
We are running OpenBSD 4.6/i386.
Brief description of the problem: we have a carp interface on the Internet
side. Our ISP provides us with a /25 network. The ISP router will only send
traffic for a given public IP address to our box if someone answers an
ARP request for the public IP address, so we'd like to set up an ARP proxy
on the OpenBSD box. But it apparently doesn't work.
The firewall has many network interfaces, but only one is relevant to this
problem. So we have carp8, using the device em7, directly connected to our
ISP router:
# ifconfig carp8
carp8: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:00:5e:00:01:09
priority: 0
carp: MASTER carpdev em7 vhid 9 advbase 1 advskew 0
groups: carp
inet6 fe80::200:5eff:fe00:109%carp8 prefixlen 64 scopeid 0x13
inet XX.XX.215.4 netmask 0xffffff80 broadcast XX.XX.215.127
And the ARP stuff:
# arp -an | grep carp8
? (XX.XX.215.1) at 00:26:0b:03:89:14 on carp8
? (XX.XX.215.10) at 00:00:5e:00:01:09 on carp8 permanent static published
XX.XX.215.1 is the ISP router. OpenBSD answers an ARPing on 215.4 (its
principal IP address), but not an ARPing on 215.10 -- thus the router
doesn't relay the traffic sent to 215.10 from the Internet.
The arp(4) man page clearly states that a ``published'' ARP entry will
make OpenBSD act as an ARP proxy and answer ARP requests for the given
IP address, even if no interface has it assigned.
Am I hitting a CARP limitation?
I have found a workaround for this: defining an IP alias on carp8 works,
and OpenBSD answers ARP requests correctly. But I'd like to understand
why the ARP proxy stuff doesn't work :-)
Thanks!
P.S.: Please verify that your answers go to my e-mail address as well,
because I am not yet subscribed to m...@.
--
Thomas Lecomte
[email protected]
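An added example, not part of the original post: a small Python tool for the "ARPing" check described above. It builds the who-has request a probe would send, decodes the reply frames seen on the wire, reports which MAC (if any) answered for the asked IP, and recovers the CARP vhid from the virtual MAC (CARP uses 00:00:5e:00:01:XX, where XX is the vhid; the carp8 lladdr 00:00:5e:00:01:09 from the post is vhid 9). The addresses 192.0.2.x are constructed stand-ins for the redacted XX.XX.215.x; the two MACs are the ones shown in the post's arp output. Only frame construction and decoding is shown; actually sending and capturing frames needs root and a raw-frame interface (bpf on OpenBSD), which is left out.

```python
"""Added example (not from the original post): build an ARP who-has request,
decode ARP replies and report which MAC answered for a given IP.
Constructed data: 192.0.2.0/25 stands in for the redacted XX.XX.215.0/25.
00:00:5e:00:01:09 is the carp8 lladdr and 00:26:0b:03:89:14 the ISP router
MAC, both taken from the arp output in the post."""
import ipaddress
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
CARP_MAC_PREFIX = bytes.fromhex("00005e0001")  # CARP virtual MAC, last byte = vhid

CARP_MAC = "00:00:5e:00:01:09"       # carp8 lladdr (vhid 9) from the post
PROBE_MAC = "00:26:0b:03:89:14"      # ISP router MAC from the post, used as the prober
PROBE_IP = "192.0.2.1"               # constructed stand-in for XX.XX.215.1


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def _arp_frame(op, eth_dst, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header + RFC 826 ARP packet for Ethernet/IPv4 (42 bytes)."""
    eth = mac_bytes(eth_dst) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, op
    arp += mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def build_arp_request(src_mac, src_ip, target_ip):
    """who-has target_ip: broadcast, target hardware address left zero."""
    return _arp_frame(ARP_REQUEST, BROADCAST_MAC, src_mac, src_ip, ZERO_MAC, target_ip)


def build_arp_reply(src_mac, src_ip, dst_mac, dst_ip):
    """is-at reply sent unicast back to the requester."""
    return _arp_frame(ARP_REPLY, dst_mac, src_mac, src_ip, dst_mac, dst_ip)


def parse_arp_frame(frame):
    """Decode an Ethernet/IPv4 ARP frame; raise ValueError for anything else."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet+ARP")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": str(ipaddress.IPv4Address(frame[28:32])),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": str(ipaddress.IPv4Address(frame[38:42])),
    }


def carp_vhid(mac):
    """Return the vhid encoded in a CARP virtual MAC, or None if it is not one."""
    raw = mac_bytes(mac)
    return raw[5] if raw[:5] == CARP_MAC_PREFIX else None


def who_answered(asked_ip, frames):
    """Scan the frames captured after a who-has for asked_ip and return the
    sender MAC of the matching is-at reply, or None if nobody answered
    (the symptom in the post for the published 215.10 entry)."""
    for frame in frames:
        try:
            p = parse_arp_frame(frame)
        except ValueError:
            continue  # non-ARP noise on the wire
        if p["op"] == ARP_REPLY and p["sender_ip"] == asked_ip:
            return p["sender_mac"]
    return None


def demo():
    """Constructed scenario mirroring the post: .4 answers from the CARP MAC,
    .10 (the published entry) gets no reply at all."""
    request = build_arp_request(PROBE_MAC, PROBE_IP, "192.0.2.4")
    reply_for_4 = build_arp_reply(CARP_MAC, "192.0.2.4", PROBE_MAC, PROBE_IP)
    noise = b"\x00" * 60  # unrelated junk frame, must be ignored
    return request, who_answered("192.0.2.4", [noise, reply_for_4]), who_answered("192.0.2.10", [noise, reply_for_4])


if __name__ == "__main__":
    req, a4, a10 = demo()
    print("who-has 192.0.2.4 frame:", req.hex())
    print("192.0.2.4 answered by", a4, "vhid", carp_vhid(a4))
    print("192.0.2.10 answered by", a10)
```

Run against real captures, a reply whose sender MAC starts with 00:00:5e:00:01 tells you the CARP virtual MAC (not the em7 hardware MAC) is what the router will learn, which is what you want for failover; no reply for the published address is exactly the failure described in the post.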