I am having the same problem. My topology looks exactly the same as
yours, client-hub-firewalls-hub-server. All interfaces are up and
tcpdump shows the carp traffic occurring on both external and
internal interfaces. PFsync traffic is sniffable on the crossover
link. For some reason firewall 1 wants to be a master on both links,
and firewall 2 has one link as master and the other as backup.
Shutting down firewall 1 does not cause firewall 2 to take over for
both links. I can ssh to the firewalls from both client and server.
I have verified that IP forwarding is enabled and I have the same
pf.conf. I too see the duplicate IP messages across the console. I
suspect this is due to my lack of familiarity with PF, but the pf.conf
looks pretty straightforward. I'm at the scratching-my-head phase.
[EMAIL PROTECTED] (Vladimir Potapov) wrote in message news:<[EMAIL PROTECTED]>...
> I have the next topology of network:
>
> ----------- Firewall 1 -------
> Client ----HUB | HUB ---- Server
> ----------- Firewall 2 -------
>
> Client(SUSE 9 box):
> IP-192.168.0.10
> Route-192.168.0.254
> Server(OpenBSD 3.5):
> IP-10.0.0.2
> Route-10.0.0.254
>
> Firewall 1 - master(OpenBSD 3.5):
>
> #/etc/hostname.sk0(internal network):
> inet 192.168.0.254 255.255.255.0 NONE
>
> #/etc/hostname.fxp0(PFSYNC if):
> inet 192.168.254.254 255.255.255.0 NONE
>
> #/etc/hostname.fxp0(Network where server(external)):
> inet 10.0.0.254 255.255.255.0 NONE
>
> #/etc/hostname.carp0:
> inet 10.0.0.1 255.255.255.0 10.0.0.255 vhid 1 pass good
>
> #/etc/hostname.carp1:
> inet 192.168.0.1 255.255.255.0 192.168.0.255 vhid 2 pass best
>
> #PF.CONF#
> pass log all
> pass log quick on { fxp0 } pfsync
> pass log on { sk0 fxp1 } proto carp keep state
>
> Firewall 2 - backup(OpenBSD 3.5):
>
> #/etc/hostname.sk0(internal network):
> inet 192.168.0.254 255.255.255.0 NONE
>
> #/etc/hostname.xl0(PFSYNC if):
> inet 192.168.254.254 255.255.255.0 NONE
>
> #/etc/hostname.ne3(Network where server(external)):
> inet 10.0.0.254 255.255.255.0 NONE
>
> #/etc/hostname.carp0:
> inet 10.0.0.1 255.255.255.0 10.0.0.255 vhid 1 advskew 100 pass good
>
> #/etc/hostname.carp1:
> inet 192.168.0.1 255.255.255.0 192.168.0.255 vhid 2 advskew 100 pass best
>
> #PF.CONF#
> pass log all
> pass log quick on { xl0 } pfsync
> pass log on { sk0 ne3 } proto carp keep state
>
> With this configuration I can't access from client to the server through 2
> Firewalls.
>
> 1) I can ping internal and external IPs (on firewalls) from server and from
> client. But can't ping server from client and on the contrary.
> In firewalls log I see that the icmp packets passed.
> 2)If I reboot firewall-1 in console of firewall-2 shows this message:
>
> /bsd: duplicate IP address 192.168.254.254 sent from Ethernet address
> 00:90:27:57:7e:71
>
> 3)And when I reboot firewall-1(or 2) before it shutting down in console I
> see this message:
>
> ifconfig: SIOCGIFFLAGS device not configured
>
> Where am I wrong?
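
The quoted configuration gives both firewalls identical addresses on every physical interface, including the 192.168.254.254 pfsync address named in the duplicate-IP console message. The following is an added example, not code from either poster: a small lint over the two peers' hostname.if lines as quoted, where the names `FW1`, `FW2`, `parse` and `lint` are assumptions made for illustration.

```python
# Added example: lint two CARP peers' hostname.if lines, copied from the quoted post.
from collections import Counter

FW1 = [("sk0", "inet 192.168.0.254 255.255.255.0 NONE"),
       ("fxp0", "inet 192.168.254.254 255.255.255.0 NONE"),
       ("fxp0", "inet 10.0.0.254 255.255.255.0 NONE"),  # listed as fxp0 twice in the post
       ("carp0", "inet 10.0.0.1 255.255.255.0 10.0.0.255 vhid 1 pass good"),
       ("carp1", "inet 192.168.0.1 255.255.255.0 192.168.0.255 vhid 2 pass best")]
FW2 = [("sk0", "inet 192.168.0.254 255.255.255.0 NONE"),
       ("xl0", "inet 192.168.254.254 255.255.255.0 NONE"),
       ("ne3", "inet 10.0.0.254 255.255.255.0 NONE"),
       ("carp0", "inet 10.0.0.1 255.255.255.0 10.0.0.255 vhid 1 advskew 100 pass good"),
       ("carp1", "inet 192.168.0.1 255.255.255.0 192.168.0.255 vhid 2 advskew 100 pass best")]

def parse(entries):
    """Return (physical [(ifname, ip)], carp {vhid: (ip, pass, advskew)})."""
    phys, carp = [], {}
    for ifname, line in entries:
        f = line.split()
        if ifname.startswith("carp"):
            opts = dict(zip(f[4::2], f[5::2]))  # keyword/value pairs after the broadcast
            carp[opts["vhid"]] = (f[1], opts.get("pass"), int(opts.get("advskew", 0)))
        else:
            phys.append((ifname, f[1]))
    return phys, carp

def lint(fw1, fw2):
    """Report settings that conflict between the two peers."""
    findings = []
    (p1, c1), (p2, c2) = parse(fw1), parse(fw2)
    for name, entries in (("fw1", fw1), ("fw2", fw2)):
        for ifname, n in Counter(i for i, _ in entries).items():
            if n > 1:
                findings.append(f"{name}: hostname.{ifname} listed {n} times")
    # Only the CARP address is shared; each peer needs its own physical address.
    for ip in sorted({ip for _, ip in p1} & {ip for _, ip in p2}):
        findings.append(f"physical address {ip} configured on both peers")
    for vhid in sorted(set(c1) | set(c2)):
        a, b = c1.get(vhid), c2.get(vhid)
        if a is None or b is None or a[:2] != b[:2]:
            findings.append(f"vhid {vhid}: address or pass differs between peers")
        elif a[2] == b[2]:
            findings.append(f"vhid {vhid}: equal advskew, no preferred master")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(FW1, FW2)))
```

The vhid, pass and advskew settings come out consistent between the peers; every finding concerns the physical interfaces.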