hi all, i am using 2 firewalls via carp. in my design all the external addresses are physically defined on the firewall and are destination natted by the firewall.

so i have 2 carp interfaces (carp0 -> ext, carp1 -> int) and on a separate interface i do pfsync. i looked at converting pf rules to carp environments, and found the following rule to apply: pf thinks in physical interfaces, and carp should only be used if the virtual ip address is needed in a rule. but in my case i have multiple virtual ip addresses, so i have to specify the ip addresses explicitly anyway. thus i didn't change a lot in my rules.

everything worked fine, until the following happened:

fw1 had carp0: backup, carp1: master
fw2 had carp0: master, carp1: backup

in that state the external ip addresses were unreachable. i assume that the return packets are received on (in my case) fw1, whereas fw2 is active regarding the external interface.

did you ever have such a setup? how do your pf rules cope with that? do i have to raise the skew? (i have 1 vs 10 on the backup node) is there a way to force both carp interfaces to have the same state, e.g. if carp0 is master then carp1 has to be master too?

thanks in advance
-- Jakob
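As an added example (not from Jakob's post), one way to keep carp0 and carp1 in the same state on OpenBSD is the net.inet.carp.preempt sysctl, which demotes all carp interfaces on a node together when one of them loses master, combined with pf rules that pass carp and pfsync on the physical interfaces. The interface names, addresses and the vhid password below are assumptions.

```conf
# /etc/sysctl.conf -- fail over all carp interfaces as a group:
# when one carp interface on this node drops to backup, the others follow
net.inet.carp.preempt=1

# /etc/hostname.carp0 -- external VIP on fw1 (assumed names and addresses)
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 pass CHANGEME carpdev em0 advskew 1

# /etc/hostname.carp1 -- internal VIP on fw1
inet 10.0.0.1 255.255.255.0 10.0.0.255 vhid 2 pass CHANGEME carpdev em1 advskew 1
# fw2 carries the same two files with advskew 10 (the backup node)

# /etc/hostname.em2 -- dedicated pfsync link between the two nodes
inet 172.16.0.1 255.255.255.0 NONE
# /etc/hostname.pfsync0
up syncdev em2

# /etc/pf.conf -- carp advertisements and state sync must never be filtered
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"
pass quick on { $ext_if $int_if } proto carp keep state
pass quick on $sync_if proto pfsync
# the destination NAT and filter rules keep referencing the physical
# interfaces and the explicit VIPs, e.g.
# match in on $ext_if to 192.0.2.1 rdr-to 10.0.0.10
```

With preempt enabled, `ifconfig carp` on each node should show carp0 and carp1 in the same MASTER or BACKUP state, so return traffic lands on the node that also owns the external VIPs.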
