Date: Fri, 20 Jul 2007 20:10:48 +0200
From: "Dalibor Gudzic" <dalibor.gudzic@gmail.com>
To: freebsd-pf@freebsd.org
Subject: Re: Single IP failover without carpdev
Message-ID: <866fa9520707201110h37f06912kaad57b0bdf682e7e@mail.gmail.com>
In-Reply-To: <20070720173722.GB12522@verio.net>
References: <8e10486b0707180621q6a38d018u206ce9ee4fbbe10c@mail.gmail.com> <867iow7rwk.fsf@zid.claresco.hr> <8e10486b0707191950s2ffd4e89q7484181acba745be@mail.gmail.com> <866fa9520707200813s7938bdbdjdfb57c87dd23e268@mail.gmail.com> <20070720173722.GB12522@verio.net>

Ah, sorry, got lost in tons of messages, didn't see where I was replying to.
My apology.

On 7/20/07, David DeSimone <fox@verio.net> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Dalibor Gudzic <dalibor.gudzic@gmail.com> wrote:
> >
> > http://www.openbsd.org/faq/pf/carp.html
> >
> > I think You think that one must have two IP addresses to get redundant
> > failover firewalls with Carp?
>
> That is OpenBSD's documentation you are referring to, but this is
> FreeBSD we are talking about. The implementation is not the same.
>
> In order for CARP to be effective, it must send out hello packets on a
> particular interface. Under OpenBSD, I believe there is a "carpdev"
> option for ifconfig, which allows you to set the interface explicitly.
> However, FreeBSD's implementation (at least in 6.x where I'm familiar
> with it) is missing that option. Instead, the interface is chosen by
> matching the IP address of the carp interface to the same subnet as the
> physical interface.
>
> In a case where your ISP has only assigned a single IP address to you,
> you cannot (legally) assign a pair of addresses to your firewalls and
> then assign a third IP to CARP in order to have it bind correctly to
> the external interface. Under OpenBSD, you could assign private RFC1918
> addresses to the external interfaces, and use "carpdev" to assign a
> virtual public IP, but it seems that is not possible with FreeBSD.
>
> If I am wrong, I hope that someone will correct my understanding.
>
> - --
> David DeSimone == Network Admin == fox@verio.net
> "It took me fifteen years to discover that I had no
> talent for writing, but I couldn't give it up because
> by that time I was too famous. -- Robert Benchley
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (GNU/Linux)
>
> iD8DBQFGoPLSFSrKRjX5eCoRAtUeAJ9H2QPgA3qM2ZxPcXoB5BS1G4c1IwCePeLJ
> WNohhKo7LneJi/LordOx6OU=
> =I3jk
> -----END PGP SIGNATURE-----
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?866fa9520707201110h37f06912kaad57b0bdf682e7e>