On 2010-11-18, Jan Johansson <[email protected]> wrote: > Jeff Ross <[email protected]> wrote: >> What can one then use for the IP addresses for the $ext_if of >> the firewalls? > > For connection testing. With only one IP assigned to the CARP > interface. When it is in BACKUP state you do not have an address > on the network and as such you can't check connectivity from the > BACKUP host. > > For me with 25 vlans on production firewalls this is vital. For a > home network where IPs cost extra I would not care.
Also useful when you want to connect out externally from whichever firewall isn't master. (e.g. dns lookups, ntp, fixing problems from remote locations...)
