On Mon, Jan 2, 2023 at 5:14 PM Nick Holland <[email protected]>
wrote:
> hiya.
>
> Goal: home (i.e., DHCP external network config) redundant
> firewalls with CARP and PFSYNC.
>
>
Totally doable. I've been running it like that for the last 7 years at
home.
My ISP doesn't like it when the two firewalls have different MAC addresses,
so I have to do some spoofing on the slave machine.
ifstated is your very good friend here. My /etc/hostname.$extif is empty.
CARP is only in use for the internal interface.
This is my ifstated.conf on master:
# carp0 link-state macros
carp_up = "carp0.link.up"
carp_down = "!carp0.link.up"
carp_init = "carp0.link.unknown"

init-state auto

state auto {
    if ($carp_up)
        set-state fw_master
    if !($carp_up)
        set-state fw_slave
}

state fw_master {
    init {
        # take over the external interface: get a DHCP lease, reload pf
        run "route -qn flush"
        run "ifconfig em2 inet autoconf"
        run "pfctl -f /etc/pf.conf"
    }
    if ($carp_down)
        set-state fw_slave
    if ($carp_init)
        run "sleep 2"
}

state fw_slave {
    init {
        # drop the external address and send traffic via 192.168.0.3
        run "ifconfig em2 -inet"
        run "route -qn flush"
        run "route add default 192.168.0.3"
    }
    if ($carp_up)
        set-state fw_master
}
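A dry-run model of the state machine in that ifstated.conf, added here and not part of the original post: it maps carp0 link events to the state changes and the commands ifstated would run on each transition, echoing them instead of executing them so the failover sequence can be traced on any POSIX shell (em2 and 192.168.0.3 are the poster's values, reused unchanged).

```shell
#!/bin/sh
# Constructed model of the posted ifstated.conf; nothing here touches the system.

# Commands ifstated runs in the init block when a state is entered.
enter_state() {
    case "$1" in
    fw_master)
        echo "run: route -qn flush"
        echo "run: ifconfig em2 inet autoconf"
        echo "run: pfctl -f /etc/pf.conf"
        ;;
    fw_slave)
        echo "run: ifconfig em2 -inet"
        echo "run: route -qn flush"
        echo "run: route add default 192.168.0.3"
        ;;
    esac
}

# next_state CURRENT LINK -> new state; LINK is up, down or unknown,
# i.e. the carp0.link value the carp_up/carp_down/carp_init macros test.
next_state() {
    case "$1:$2" in
    auto:up)        echo fw_master ;;
    auto:*)         echo fw_slave ;;   # !($carp_up): down and unknown
    fw_master:down) echo fw_slave ;;
    fw_slave:up)    echo fw_master ;;
    *)              echo "$1" ;;       # no transition (master+unknown only sleeps)
    esac
}

# replay LINK... : start in init-state auto, apply each link event in turn,
# print the trace, and end with the final state on the last line.
replay() {
    state=auto
    for link in "$@"; do
        new=$(next_state "$state" "$link")
        if [ "$new" != "$state" ]; then
            echo "carp0.link.$link: $state -> $new"
            enter_state "$new"
            state=$new
        fi
    done
    echo "$state"
}

replay up down unknown up
```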