I have been following with interest the developments with regard to dhcpd gaining spamd-like synchronisation features. I would like to be able to make use of these features if I can. However, I have a question:

Currently, I have a pair of CARP firewalls in a failover configuration. We have carp on vlan on physical, plugged in to a trunk port on a Cisco Catalyst. The default gateway for each internal subnet (of which there are quite a few) is an IP on a CARP interface. On the two subnets where we use DHCP, however, I have had to allocate non-CARP IPs, i.e. IPs on vlanXX rather than carpXX, because the CARP interface didn't seem to be seeing the 255.255.255.255 packets sent out by dhclients.

It bears mention that I set things up this way some years ago now, when I was learning OpenBSD for the first time. If I've cocked it up, I'd love someone to put me right.

My question is, is it possible to have my two firewalls both running dhcpd, syncing leases between them, listening on the carp interfaces, or do I have to stick with my current config where I have a non-carp IP so that dhcpd can see the requests? I don't mind if this is the case, but it seems daft to lose 3 IPs per subnet (CARPd gateway IP, dhcp for firewall A, dhcp for firewall B) rather than 1 if I can do it all on the carp interface.

Ta all,

Dave Wilson

PS: I apologise if this post is overly verbose, but after seeing so many posts saying there's not enough information, I'm trying to not leave anything out.