pf and proxy arp

David DeSimone fox at verio.net
Thu Jul 19 20:05:24 UTC 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tom Uffner <tom at uffner.com> wrote:
>
> on redundant CARP firewalls where it is not obvious how the shell can
> determine the shared MAC address of carpN and presumably only the
> box with the fastest heartbeat should be proxying unless it goes down.

The MAC used for CARP interfaces is 00:00:5e:00:01:<vhid>, where the
last octet is the vhid for the interface.

You should be able to simply configure both firewalls to respond with
the virtual MAC for any CARP interfaces.  Any ARP clients which ask will
receive the same answer.  It should not be a problem that both firewalls
respond to any ARP request since they are serving the same information.

- -- 
David DeSimone == Network Admin == fox at verio.net
  "It took me fifteen years to discover that I had no
   talent for writing, but I couldn't give it up because
   by that time I was too famous.  -- Robert Benchley
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFGn8P7FSrKRjX5eCoRAhiaAJ9Wk6xpP72LtevGQ+5/QodTPM42NwCfWjb6
FSAuWEpptwXUUvhq/I2/pWk=
=h1bz
-----END PGP SIGNATURE-----
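
Added example, not part of the original message: a shell sketch of how a script could derive the CARP virtual MAC from the vhid, as described in the reply above, and generate identical published ARP entries for both firewalls. The function names, the sample ifconfig output and the 192.0.2.x addresses are constructed for illustration; the commands are printed, not executed.

```shell
#!/bin/sh
# Added example: derive the CARP virtual MAC (00:00:5e:00:01:<vhid>) and
# emit the same "arp -s ... pub" lines for every firewall in the CARP group.

# Print the virtual MAC for a vhid; fail on anything outside 1-255.
carp_vmac() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;   # empty, leading zero, or non-numeric
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 255 ] || return 1
    printf '00:00:5e:00:01:%02x\n' "$1"
}

# Read ifconfig output for a carp interface on stdin and print its vhid.
vhid_from_ifconfig() {
    sed -n 's/.*vhid \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Print one published (proxy) ARP entry per address, all using the
# virtual MAC, so master and backup answer with the same information.
proxy_arp_cmds() {
    mac=$(carp_vmac "$1") || return 1
    shift
    for ip in "$@"; do
        printf 'arp -s %s %s pub\n' "$ip" "$mac"
    done
}

# Constructed sample of "ifconfig carp0" output (not captured from a host).
sample_ifconfig() {
    cat <<'EOF'
carp0: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
        inet 192.0.2.1 netmask 0xffffff00
        carp: MASTER vhid 3 advbase 1 advskew 0
EOF
}

# On a real firewall, replace sample_ifconfig with: ifconfig carp0
vhid=$(sample_ifconfig | vhid_from_ifconfig)
proxy_arp_cmds "$vhid" 192.0.2.10 192.0.2.11
```

Because the MAC depends only on the vhid, the generated lines are the same whether the script runs on the master or the backup.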

