Single IP failover without carpdev

Dalibor Gudzic dalibor.gudzic at gmail.com
Fri Jul 20 18:10:51 UTC 2007


Ah, sorry, got lost in tons of messages, didn't see where I was replying to.
My apology.

On 7/20/07, David DeSimone <fox at verio.net> wrote:
>
> Dalibor Gudzic <dalibor.gudzic at gmail.com> wrote:
> >
> > http://www.openbsd.org/faq/pf/carp.html
> >
> > I think you think that one must have two IP addresses to get redundant
> > failover firewalls with CARP?
>
> That is OpenBSD's documentation you are referring to, but this is
> FreeBSD we are talking about.  The implementation is not the same.
>
> In order for CARP to be effective, it must send out hello packets on a
> particular interface.  Under OpenBSD, I believe there is a "carpdev"
> option for ifconfig, which allows you to set the interface explicitly.
> However, FreeBSD's implementation (at least in 6.x where I'm familiar
> with it) is missing that option.  Instead, the interface is chosen by
> matching the IP address of the carp interface to the same subnet as the
> physical interface.
>
> In a case where your ISP has only assigned a single IP address to you,
> you cannot (legally) assign a pair of addresses to your firewalls and
> then assign a third IP to CARP in order to have it bind correctly to
> the external interface.  Under OpenBSD, you could assign private RFC1918
> addresses to the external interfaces, and use "carpdev" to assign a
> virtual public IP, but it seems that is not possible with FreeBSD.
>
> If I am wrong, I hope that someone will correct my understanding.
>
> - --
> David DeSimone == Network Admin == fox at verio.net
>   "It took me fifteen years to discover that I had no
>    talent for writing, but I couldn't give it up because
>    by that time I was too famous.  -- Robert Benchley
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
>
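
The interface selection described in the quoted message, as an added example that is not part of either message and is not FreeBSD or OpenBSD code: a small model of subnet-matched binding versus an explicit "carpdev". The interface names, the addresses (documentation and RFC1918 ranges) and the function name `pick_parent` are constructed for illustration.

```python
import ipaddress

def pick_parent(carp_addr, physical, carpdev=None):
    """Model which physical interface a CARP virtual IP binds to.

    carp_addr: virtual IP in CIDR form.
    physical:  {interface name: address in CIDR form}.
    carpdev:   explicit parent, modelling the OpenBSD ifconfig option the
               message mentions; None models the FreeBSD 6.x behaviour the
               message describes (subnet matching only).
    Returns the interface name, or None when nothing matches.
    """
    if carpdev is not None:
        if carpdev not in physical:
            raise ValueError(f"no such interface: {carpdev}")
        return carpdev
    vip = ipaddress.ip_interface(carp_addr).ip
    for name, cidr in physical.items():
        # Subnet matching: the virtual IP must fall inside the network
        # already configured on the physical interface.
        if vip in ipaddress.ip_interface(cidr).network:
            return name
    return None

# Constructed sample data.
VIP = "203.0.113.1/24"  # the one public address from the ISP

# Three public addresses available: each firewall has its own address in
# the public subnet, so the virtual IP matches the external interface.
THREE_ADDRESSES = {"em0": "203.0.113.2/24", "em1": "10.0.0.2/24"}

# Single public address: the external interface only carries an RFC1918
# address, so subnet matching finds no parent for the virtual IP.
SINGLE_ADDRESS = {"em0": "192.168.100.2/24", "em1": "10.0.0.2/24"}

def scenarios():
    return {
        "three addresses, subnet match": pick_parent(VIP, THREE_ADDRESSES),
        "single address, subnet match": pick_parent(VIP, SINGLE_ADDRESS),
        "single address, explicit carpdev": pick_parent(
            VIP, SINGLE_ADDRESS, carpdev="em0"),
    }

if __name__ == "__main__":
    for label, parent in scenarios().items():
        print(f"{label}: {parent or 'no parent interface'}")
```
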

