Hi, all.  I'm setting up a pair of load-balanced firewalls using carp.
I've got nearly everything going, but encountered this in the man page:

"If IP balancing is being used on a firewall, it is recommended to
configure the carpnodes in a symmetrical manner. This is achieved by simply
using the same carpnodes list on all sides of the firewall. This ensures
that packets of one connection will pass in and out on the same host and
are not routed asymmetrically."

I'm looking for clarification on the statement "using the same carpnodes
list on all sides of the firewall."  Does this mean that the same list of
carpnodes should appear on both external and internal interfaces?

i.e. (configurations abbreviated for brevity):

firewall 1:
  ifconfig carp0 carpnodes 10:0,20:100,30:0,40:100  #external carp if
  ifconfig carp1 carpnodes 10:0,20:100  #internal carp if #1
  ifconfig carp2 carpnodes 30:0,40:100  #internal carp if #2

firewall 2:
  ifconfig carp0 carpnodes 10:100,20:0,30:100,40:0  #external carp if
  ifconfig carp1 carpnodes 10:100,20:0  #internal carp if #1
  ifconfig carp2 carpnodes 30:100,40:0  #internal carp if #2

This seems odd to me, and I can't find the practice referenced anyplace
else.

According to Hansteen's "Book of PF," I should configure the carp
interfaces as follows:

firewall 1:
  ifconfig carp0 carpnodes 10:0,20:100  #external carp if
  ifconfig carp1 carpnodes 30:0,40:100  #internal carp if #1
  ifconfig carp2 carpnodes 50:0,60:100  #internal carp if #2

firewall 2:
  ifconfig carp0 carpnodes 10:100,20:0  #external carp if
  ifconfig carp1 carpnodes 30:100,40:0  #internal carp if #1
  ifconfig carp2 carpnodes 50:100,60:0  #internal carp if #2

Which carpnodes configuration is correct?  Won't the former cause vhid
conflicts?

Thanks for any consideration you folks throw at me.
