Message-ID: <54A52966.9040407@ish.com.au>
Date: Thu, 01 Jan 2015 22:03:02 +1100
From: Aristedes Maniatis
To: freebsd-net@freebsd.org
Subject: CARP vhid: across interfaces?
List-Id: Networking and TCP/IP with FreeBSD

I have two firewalls built with FreeBSD 10.1 which are working nicely. Upstream I have two internet links, one going into each firewall. An IP address is shared between the two firewalls using CARP. Internally, we have another address shared between the firewalls, and set as the default gateway for all devices behind. So far, pretty simple.

My question that isn't answered in the FreeBSD handbook is what to do with the vhid. If one of the external interfaces goes down I want everything to fail over to the secondary firewall. But that means the internal and external interfaces should fail over together.

Should I be doing that by using a single vhid for all interfaces (does that bind them together to failover?), or by writing a script to detect the failover and then bring down the other interface?

Thanks
Ari

--
-------------------------->
Aristedes Maniatis
ish
http://www.ish.com.au
Level 1, 30 Wilson Street Newtown 2042 Australia
phone +61 2 9550 5001 fax +61 2 9550 4001
GPG fingerprint CBFB 84B4 738D 4E87 5E5C 5EFA EF6A 7D2E 3E49 102A