Originally Posted by ocicat
Serendipitously, I ran into the following which may be of some help in explaining:
Note that this source states that each CARP member will have a unique address. Which is correct? Re-read the manpage & experiment...
Thank you all for commnets. I made it like
fxp0 --real interface , its config : cat hostname.fxp0 == up
so I just bring up real interface without assign any ip address to it
for carp interface I made
inet real_ip mask broadcast vhid 1 paas PASSWORD carpdev fxp0 advbase 1 advskew 0 state master description " CARP interface on fxp0 to outside network "
same on both firewals FW1 and FW2.
This enabled carp interface to have real ip address which is shared with second firewall.
Rule in pf.conf which enable nat-in to internal network is
nat on $ext_if from !($ext_if) to any -> ($carp_ext)
carp_ext=carp1 ( used macro in pf.conf )
and it works perfectly, firewall failover works super, and I want to say big thank to OpenBSD and CAPR/PF team, and invite all of you out there to support these fantastic projects.