Re: pf/carp for redundant production use

Hi guys,

I got pf and carp working together. However, I have noticed that TCP-oriented applications don't recover well when I disconnect a cable. I set up a netcat listener on a machine inside the network. Then I ran netcat from another machine outside the network. I was able to connect and send some characters. However, when I disconnected the primary firewall's external interface, netcat wouldn't work anymore until I ran netcat again to connect to the shared external IP address.

Am I missing any configuration? Looks like it's related to pf state tables not being sent to the backup firewall.

Please help.
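One way to confirm whether the backup actually holds the master's states is to compare a `pfctl -ss` listing taken on each box. The script below is an added example, not something posted in the thread; the two captures it ships with are constructed sample lines in `pfctl -ss` format (the addresses follow the 192.168.1.x / 172.16.x.x scheme of this thread), standing in for real output.

```shell
#!/bin/sh
# Added example (not from the thread): compare the pf state table on the
# CARP master with the copy pfsync should have delivered to the backup.
#
# Capture on each box with:   pfctl -ss > states.txt
# then run:                   missing_states master.txt backup.txt
# Every line printed is a session the backup does not know about and
# will drop when it becomes master.

# Normalise a `pfctl -ss` listing: drop the leading interface column
# (states are floating by default, so it need not match between the two
# boxes) and trailing whitespace, then sort so comm(1) can compare sets.
normalize_states() {
    sed -e 's/^[^[:space:]]*[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | sort -u
}

# Print states present in the master capture ($1) but not in the backup ($2).
missing_states() {
    ms=$(mktemp) || return 1
    bs=$(mktemp) || { rm -f "$ms"; return 1; }
    normalize_states "$1" > "$ms"
    normalize_states "$2" > "$bs"
    comm -23 "$ms" "$bs"
    rm -f "$ms" "$bs"
}

# Number of such states (0 means pfsync is doing its job).
missing_count() {
    missing_states "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample captures standing in for real pfctl output: a
# redirected connection to a LAN host, a NATed outbound connection and a
# DNS state.  The backup received everything except the NATed TCP session.
SAMPLE_MASTER='all tcp 172.16.0.10:4444 (192.168.1.100:4444) <- 192.168.1.50:51022       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.100:61000 (172.16.0.20:49152) -> 192.168.1.9:443       ESTABLISHED:ESTABLISHED
all udp 172.16.0.1:53 <- 172.16.0.20:5353       MULTIPLE:SINGLE'
SAMPLE_BACKUP='all tcp 172.16.0.10:4444 (192.168.1.100:4444) <- 192.168.1.50:51022       ESTABLISHED:ESTABLISHED
all udp 172.16.0.1:53 <- 172.16.0.20:5353       MULTIPLE:SINGLE'

# Run the comparison on the constructed samples; prints the missing line(s).
demo_missing_states() {
    dm=$(mktemp) || return 1
    db=$(mktemp) || { rm -f "$dm"; return 1; }
    printf '%s\n' "$SAMPLE_MASTER" > "$dm"
    printf '%s\n' "$SAMPLE_BACKUP" > "$db"
    missing_states "$dm" "$db"
    rm -f "$dm" "$db"
}

demo_missing_count() {
    demo_missing_states | wc -l | tr -d ' '
}
```

On the samples, `demo_missing_count` reports 1: the NATed outbound session exists only on the master, which is exactly the situation that makes an established TCP connection die at failover. On a healthy pair, run the comparison a few seconds after opening the test connection; a non-empty result with pfsync0 up usually means pfsync traffic is not reaching the peer on the sync link.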



Neil writes:

Hi guys,

I'm very new to carp. I used OpenBSD and pf about 2 years ago, so I have forgotten it too. Anyway, I just finished building 2 machines with 3 NICs in each machine. I got CARP working as well but have some questions.

Here is my configuration:

FW1:
external interface: fxp1 =>
internal interface: xl0 =>
pfsync interface: fxp0 =>

carp0: inet carpdev xl0 vhid 1 pass lanpasswd
carp1: inet carpdev fxp1 vhid 2 pass netpasswd
pfsync0: up syncif fxp0

FW2:
external interface: ne3 =>
internal interface: rl0 =>
pfsync interface: fxp0 =>

carp0: inet carpdev rl0 vhid 1 pass lanpasswd advskew 128
carp1: inet carpdev ne3 vhid 2 pass netpasswd advskew 128
pfsync0: up syncif fxp0

LAN shared IP:
WAN/Internet shared IP:

    +--------| 192.168.1.x |-------+
    |                              |
fxp1|                              |ne3
+-----+                          +-----+
| fw1 |-fxp0---10.10.10.x---fxp0-| fw2 |
+-----+                          +-----+
 xl0|                              |rl0
    |                              |
----+--------| 172.16.x.x |--------+----

1. Let say we want to do some NAT using CARP/PF setup:

web server public:
web server NAT: ip)

mailserver public:
mailserver NAT: ip)

a. How will I configure CARP?
b. How will I configure the pf.conf on both firewalls? An example will really help me a lot.
c. Do I also have to create an alias interface for the two machines' external interfaces?

2. Can someone please send me a pf.conf that can be used in production environment?

3. Am I correct that my internal mailserver's and webserver's gateway should point to

4. What if the interface where our pfsync is configured goes bad or the cable gets disconnected? What happens?

5. Other than this setup, is there anything I can add to make it much more reliable?

Thanks in advance!
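For questions 1 through 5, the following pf.conf is an added example written for Neil's FW1 interface names; it is not something anyone posted in the thread, and it uses current OpenBSD syntax (match ... nat-to / rdr-to, and the pfsync keyword syncdev instead of the older syncif). Every address in it is a placeholder I chose because the real ones were stripped from the message: 192.0.2.0/24 stands in for the public side, 172.16.0.0/16 for the LAN and 10.10.10.0/24 for the crossover. The hostname.if(5) and sysctl lines at the top are the interface setup the rules assume.

```pf
# Added example (not from the thread): pf.conf for FW1 with CARP + pfsync + NAT.
# Assumed addresses: WAN 192.0.2.0/24 (shared 192.0.2.1, extra .10 and .11),
# LAN 172.16.0.0/16 (shared 172.16.0.1), pfsync crossover 10.10.10.0/24.
#
# Interface setup that goes with it, in current hostname.if(5) syntax:
#   /etc/hostname.carp0:   inet 172.16.0.1 255.255.0.0 172.16.255.255 vhid 1 carpdev xl0 pass lanpasswd
#   /etc/hostname.carp1:   inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 2 carpdev fxp1 pass netpasswd
#                          inet alias 192.0.2.10 255.255.255.255
#                          inet alias 192.0.2.11 255.255.255.255
#   /etc/hostname.pfsync0: up syncdev fxp0
#   /etc/sysctl.conf:      net.inet.carp.preempt=1
# The extra public addresses are aliases on carp1, not on fxp1 (question 1c).
# FW2 uses the same lines with "advskew 128" on both carp interfaces and
# its own carpdev names (rl0 / ne3).

ext_if  = "fxp1"          # physical WAN interface
int_if  = "xl0"           # physical LAN interface
sync_if = "fxp0"          # pfsync crossover link

# Traffic to a shared address can be attributed to the carp interface rather
# than the physical one, so the rules for each side name both.
wan = "{ fxp1 carp1 }"    # FW2: "{ ne3 carp1 }"
lan = "{ xl0 carp0 }"     # FW2: "{ rl0 carp0 }"

wan_vip  = "192.0.2.1"    # carp1 shared address; 172.16.0.1 on carp0 is the
int_net  = "172.16.0.0/16" # LAN hosts' default gateway (question 3)
web_pub  = "192.0.2.10"
web_int  = "172.16.0.10"
mail_pub = "192.0.2.11"
mail_int = "172.16.0.11"

set skip on { lo0 $sync_if }   # pfsync traffic is neither filtered nor state-tracked

block log all

# CARP advertisements on both sides; do not replicate their state to the peer.
pass on $wan proto carp keep state (no-sync)
pass on $lan proto carp keep state (no-sync)

# Outbound NAT to the shared WAN address, never to the physical interface's
# own address, so the synced state is valid on whichever box is master.
match out on $wan from $int_net to any nat-to $wan_vip

# Inbound services on the extra public addresses, redirected to LAN hosts.
match in on $wan proto tcp to $web_pub  port { 80 443 } rdr-to $web_int
match in on $wan proto tcp to $mail_pub port 25        rdr-to $mail_int
pass  in on $wan proto tcp to $web_int  port { 80 443 }
pass  in on $wan proto tcp to $mail_int port 25

# LAN hosts may reach the outside.
pass in  on $lan from $int_net
pass out all
```

Two points that cover questions 4 and 5. If the pfsync link itself goes bad, both firewalls keep forwarding, because CARP elections run over the LAN and WAN links rather than the crossover; what stops is state replication, so the next failover will drop established sessions, and the comparison of `pfctl -ss` output on both boxes is how you notice. With net.inet.carp.preempt=1 set, losing any one link on the master demotes all of its carp interfaces, so vhid 1 and vhid 2 move to the backup together instead of the LAN side staying on one box and the WAN side on the other, which would otherwise break every flow that crosses the firewall.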