Hi all,

I have an question regarding CARP on OpenBSD.

I have an public address, let say 1.1.1.1/24 --real ip address and I would like to build an redundant par of firewalls.

FW1: ext_if
int_if
sync_if
carp1
carp2


FW2: ext_if
int_if
sync_if
carp1
carp2

I am just wondering if I assing to ext_if=1.1.1.1 ( on both FWs ), what has to be ip address on carp1 on both firewalls ( could it be 1.1.1.2 --as it is virtual ).
Part related to virtual addresses/interfaces is confusing to me, if there is someone who understand this, could you please write what it could be ip assignment for above case where I have an public ip address=1.1.1.1

Thank you in advance

Nice regards,

No, each external interface will be configured with the same address. Study Section 6.11 of the official FAQ for more discussion:

http://openbsd.org/faq/faq6.html#CARP

Serendipitously, I ran into the following which may be of some help in explaining:

http://openbsd-wiki.org/index.php?ti...nt_caching-DNS

Note that this source states that each CARP member will have a unique address. Which is correct? Re-read the manpage & experiment...

Thank you all for commnets. I made it like

fxp0 --real interface , its config : cat hostname.fxp0 == up

so I just bring up real interface without assign any ip address to it

for carp interface I made

hostname.carp1
inet real_ip mask broadcast vhid 1 paas PASSWORD carpdev fxp0 advbase 1 advskew 0 state master description " CARP interface on fxp0 to outside network "

same on both firewals FW1 and FW2.

This enabled carp interface to have real ip address which is shared with second firewall.

Rule in pf.conf which enable nat-in to internal network is

nat on $ext_if from !($ext_if) to any -> ($carp_ext)

carp_ext=carp1 ( used macro in pf.conf )

and it works perfectly, firewall failover works super, and I want to say big thank to OpenBSD and CAPR/PF team, and invite all of you out there to support these fantastic projects.

Kind regards,