From: David DeSimone <fox@verio.net>
To: freebsd-pf@freebsd.org
Date: Fri, 20 Jul 2007 12:37:22 -0500
Subject: Re: Single IP failover without carpdev
Message-ID: <20070720173722.GB12522@verio.net>
In-Reply-To: <866fa9520707200813s7938bdbdjdfb57c87dd23e268@mail.gmail.com>
List-Id: Technical discussion and general questions about packet filter (pf)

Dalibor Gudzic wrote:
>
> http://www.openbsd.org/faq/pf/carp.html
>
> I think you think that one must have two IP addresses to get redundant
> failover firewalls with Carp?

That is OpenBSD's documentation you are referring to, but this is FreeBSD we are talking about. The implementation is not the same.

In order for CARP to be effective, it must send out hello packets on a particular interface. Under OpenBSD, I believe there is a "carpdev" option for ifconfig, which allows you to set the interface explicitly. However, FreeBSD's implementation (at least in 6.x where I'm familiar with it) is missing that option. Instead, the interface is chosen by matching the IP address of the carp interface to the same subnet as the physical interface.

In a case where your ISP has only assigned a single IP address to you, you cannot (legally) assign a pair of addresses to your firewalls and then assign a third IP to CARP in order to have it bind correctly to the external interface.

Under OpenBSD, you could assign private RFC1918 addresses to the external interfaces, and use "carpdev" to assign a virtual public IP, but it seems that is not possible with FreeBSD. If I am wrong, I hope that someone will correct my understanding.

--
David DeSimone == Network Admin == fox@verio.net
"It took me fifteen years to discover that I had no talent for writing,
but I couldn't give it up because by that time I was too famous."
-- Robert Benchley
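As an added illustration (not from the thread and not FreeBSD or OpenBSD code), the following Python model captures the parent-interface selection rule David describes for FreeBSD 6.x CARP, alongside an explicit "carpdev"-style override, and shows why a single public IP with RFC1918 addresses on the external interfaces finds no interface to bind to. The interface names and addresses are constructed sample values.

```python
"""Model of CARP parent-interface selection as described in the mail.

Hypothetical helper, not kernel code.  Without an explicit carpdev, the
carp address is attached to the physical interface whose configured
subnet contains it; if no interface matches, the carp interface has
nowhere to send its hello packets.
"""
from ipaddress import IPv4Interface, ip_interface
from typing import Optional

# Constructed: one firewall node whose ISP assigned a /29 (TEST-NET-3).
MULTI_IP_NODE = {
    "em0": ip_interface("203.0.113.10/29"),  # external, public /29
    "em1": ip_interface("192.168.1.2/24"),   # internal LAN
}

# Constructed: the single-public-IP situation from the mail.  The node's
# external interface can only carry a private address; the lone public
# address 203.0.113.9 is meant to become the shared CARP address.
SINGLE_IP_NODE = {
    "em0": ip_interface("10.0.0.2/24"),      # external, RFC1918
    "em1": ip_interface("192.168.1.2/24"),   # internal LAN
}


def select_parent(carp_addr: str, ifaces: dict[str, IPv4Interface],
                  carpdev: Optional[str] = None) -> Optional[str]:
    """Return the physical interface a carp address would bind to.

    carpdev models OpenBSD's explicit option: when given, it is used
    as-is (None if the name is unknown).  Otherwise the FreeBSD 6.x
    rule applies: pick the interface whose subnet contains carp_addr.
    Returns None when nothing matches.
    """
    if carpdev is not None:
        return carpdev if carpdev in ifaces else None
    addr = ip_interface(carp_addr).ip
    for name, cfg in ifaces.items():
        if addr in cfg.network:
            return name
    return None


if __name__ == "__main__":
    print(select_parent("203.0.113.9/29", MULTI_IP_NODE))          # em0
    print(select_parent("203.0.113.9/32", SINGLE_IP_NODE))         # None
    print(select_parent("203.0.113.9/32", SINGLE_IP_NODE, "em0"))  # em0
```

The second call is the constraint the mail describes: with no public subnet on em0, subnet matching yields no parent, while the carpdev-style override in the third call binds it regardless.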