CARP interface on the DMZ - BSD


  1. CARP interface on the DMZ

    Dear newsgroup,

    I am currently implementing CARP for firewall redundancy on two OpenBSD
    4.1 boxes. The scenario is quite standard: one interface is on the DMZ
    with public IP address, one interface is on the LAN with private IP
    addresses and the third interface is for pfsync with a crossover cable.

    My question is about the DMZ interface: we have a whole class C assigned
    and are using pretty much all IP addresses, and I reserved the following
    for CARP:

    xxx.xxx.xxx.254 -> the first firewall
    xxx.xxx.xxx.253 -> the second firewall
    xxx.xxx.xxx.2 -> the carp IP address used for the carp device

    The current configuration of the external DMZ is the following:

    inet xxx.xxx.xxx.254 255.255.255.0 NONE
    inet alias xxx.xxx.xxx.3 255.255.255.255
    inet alias xxx.xxx.xxx.4 255.255.255.255
    inet alias xxx.xxx.xxx.5 255.255.255.255
    inet alias xxx.xxx.xxx.6 255.255.255.255
    and so on up to xxx.xxx.xxx.253

    How should I now define my carp DMZ interface with all these IP addresses?

    And how can I define the DMZ interface of the second firewall with all
    these IP addresses? I was thinking that they will collide because both
    firewalls will have all the IP addresses defined on their external DMZ
    interface...

    Many thanks in advance for your help

    Best regards

  2. Re: CARP interface on the DMZ

    http://www.kernel-panic.it/openbsd/carp/

    Regards,
    TomazZ

    On 2 sep., 17:43, synNOSPAMuw wrote:
    > [...]




  3. Re: CARP interface on the DMZ

    Thanks for the link, but I already went through all these cases and also
    the OpenBSD FAQ; there is no case like mine, using IP aliases on a DMZ
    interface with public IP addresses.

    Anyone else??

    Cheers


    TomazZ wrote:
    > http://www.kernel-panic.it/openbsd/carp/
    >
    > [...]


  4. Re: CARP interface on the DMZ

    Hi


    > > On 2 sep., 17:43, synNOSPAMuw wrote:
    > >> Dear newsgroup,

    [...]
    > >> inet xxx.xxx.xxx.254 255.255.255.0 NONE
    > >> inet alias xxx.xxx.xxx.3 255.255.255.255
    > >> inet alias xxx.xxx.xxx.4 255.255.255.255
    > >> inet alias xxx.xxx.xxx.5 255.255.255.255
    > >> inet alias xxx.xxx.xxx.6 255.255.255.255
    > >> and so on up to xxx.xxx.xxx.253
    > >>
    > >> How should I now define my carp DMZ interface with all these IP addresses?
    > >>
    > >> And how can I define the DMZ interface of the second firewall with all
    > >> these IP addresses? I was thinking that they will collide because both
    > >> firewalls will have all the IP addresses defined on their external DMZ
    > >> interface...
    >
    > Anyone else??


    You can have many addresses on a carp interface. Just move them to
    hostname.carpx

    P.
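    As an added illustration of that answer (not code from the thread or from OpenBSD), the following script takes a hostname.em0 in the poster's layout and emits, for each firewall, a hostname.em0 that keeps only that box's own address and a hostname.carp0 that carries the shared VIP plus all the aliases. The interface name em0, vhid 1, the advskew values and the password are assumptions; 192.0.2.0/24 stands in for the real class C.

```python
"""Added example (not the thread's own code): turn the em0 layout from the
thread into a hostname.em0 plus a hostname.carp0 for each CARP member."""
import re

# Constructed sample in the thread's format; 192.0.2.0/24 (TEST-NET-1) stands in
# for the real class C and the alias run is shortened.
HOSTNAME_EM0 = """\
inet 192.0.2.254 255.255.255.0 NONE
inet alias 192.0.2.3 255.255.255.255
inet alias 192.0.2.4 255.255.255.255
inet alias 192.0.2.5 255.255.255.255
"""

INET_RE = re.compile(r"^inet\s+(alias\s+)?(\d+\.\d+\.\d+\.\d+)\s+(\S+)")


def parse_hostname_if(text):
    """Return (primary, netmask, aliases) from the inet lines of a hostname.if."""
    primary = mask = None
    aliases = []
    for line in text.splitlines():
        m = INET_RE.match(line)
        if m is None:
            continue
        if m.group(1):                     # "inet alias ..." line
            aliases.append(m.group(2))
        else:                              # primary "inet addr mask ..." line
            primary, mask = m.group(2), m.group(3)
    if primary is None:
        raise ValueError("no primary inet line found")
    return primary, mask, aliases


def carp_pair_configs(text, vip, vhid, secret, members):
    """members maps each box's own DMZ address to its advskew (0 = preferred
    MASTER, higher = BACKUP); returns {own_addr: (hostname.em0, hostname.carp0)}.
    Each physical interface keeps one unique /24 address (that is how carp0
    finds its carpdev); the shared VIP and every alias move to carp0, so only
    the current MASTER answers ARP for them and the two boxes do not collide.
    vhid and the password are identical on both boxes; only advskew differs."""
    _primary, mask, aliases = parse_hostname_if(text)
    out = {}
    for own_addr, advskew in members.items():
        phys = f"inet {own_addr} {mask} NONE\n"
        carp = [f"inet {vip} {mask} NONE vhid {vhid} advskew {advskew} pass {secret}"]
        carp += [f"inet alias {a} 255.255.255.255" for a in aliases]
        out[own_addr] = (phys, "\n".join(carp) + "\n")
    return out
```

    Calling carp_pair_configs(HOSTNAME_EM0, "192.0.2.2", 1, "<secret>", {"192.0.2.254": 0, "192.0.2.253": 100}) yields both members' files. pf still has to pass proto carp on the DMZ interface and pfsync on the crossover link, or the two boxes will never see each other's advertisements and both will go MASTER.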


  5. Re: CARP interface on the DMZ



    piotr::kapczuk wrote:
    > You can have many addresses on a carp interface. Just move them to
    > hostname.carpx


    Thanks, that's what I wanted to hear ;-)
