From: David DeSimone
To: freebsd-pf@freebsd.org
Date: Thu, 19 Jul 2007 15:05:16 -0500
Subject: Re: pf and proxy arp
Message-ID: <20070719200515.GA12028@verio.net>
In-Reply-To: <469E8445.6080201@uffner.com>

Tom Uffner wrote:
>
> on redundant CARP firewalls where it is not obvious how the shell can
> determine the shared MAC address of carpN and presumably only the
> box with the fastest heartbeat should be proxying unless it goes down.

The MAC used for CARP interfaces is 00:00:5e:00:01:, where the last
octet is the vhid for the interface.

You should be able to simply configure both firewalls to respond with
the virtual MAC for any CARP interfaces.  Any ARP clients which ask will
receive the same answer.  It should not be a problem that both firewalls
respond to any ARP request since they are serving the same information.

-- 
David DeSimone == Network Admin == fox@verio.net
  "It took me fifteen years to discover that I had no talent for
   writing, but I couldn't give it up because by that time I was
   too famous.  -- Robert Benchley
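
The derivation described in the reply above, as an added example that is not part of the original message: a shell sketch that reads the vhid from `ifconfig` output, builds the CARP virtual MAC (last octet = vhid in hex), and prints the FreeBSD `arp -s ... pub` command that would publish it. The function names, the constructed `ifconfig` sample and the proxied address 192.0.2.50 are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Running it on either CARP peer
# prints the same command, since both derive the same virtual MAC.

# carp_mac VHID -> 00:00:5e:00:01:XX, XX being the vhid as two hex digits.
carp_mac() {
    case "$1" in
        ''|0*|*[!0-9]*|????*)
            echo "carp_mac: vhid must be a decimal number 1-255" >&2
            return 1 ;;
    esac
    if [ "$1" -gt 255 ]; then
        echo "carp_mac: vhid out of range: $1" >&2
        return 1
    fi
    printf '00:00:5e:00:01:%02x\n' "$1"
}

# carp_vhid: read `ifconfig carpN` output on stdin, print the vhid.
carp_vhid() {
    awk '$1 == "carp:" {
             for (i = 2; i < NF; i++)
                 if ($i == "vhid") { print $(i + 1); exit }
         }'
}

# proxy_arp_cmd IP: read ifconfig output on stdin and print the arp(8)
# command that publishes IP with the CARP virtual MAC. It only prints
# the command; nothing is changed on the system.
proxy_arp_cmd() {
    vhid=$(carp_vhid)
    if [ -z "$vhid" ]; then
        echo "proxy_arp_cmd: no vhid found in input" >&2
        return 1
    fi
    mac=$(carp_mac "$vhid") || return 1
    printf 'arp -s %s %s pub\n' "$1" "$mac"
}

# Constructed sample of `ifconfig carp0` output (documentation addresses).
SAMPLE_IFCONFIG='carp0: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
    inet 192.0.2.1 netmask 0xffffff00
    carp: BACKUP vhid 10 advbase 1 advskew 100'

printf '%s\n' "$SAMPLE_IFCONFIG" | proxy_arp_cmd 192.0.2.50
```

On a live firewall the input would come from `ifconfig carp0` instead of the sample string.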