CERN

PF = done

So. I’m done with the very basic PF rules.

I ran into some problems where it didn’t use the carp0 interface for outgoing connections, but after a while I discovered that this was only the case when trying directly on the gateway machine itself. Trying the same from the internal nodes, everything works as expected; it NATs all the internal connections using the carp0 interface.

I’ve also tested the redundancy: I rebooted gw0/alihlt-carp0 while I was downloading a Debian image via HTTP on ns0. No interruptions, and gw1/alihlt-carp1 took over immediately. When gw0/alihlt-carp0 came back online, it took over as master, and still no interruptions.
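A minimal pf.conf that produces the behaviour described above (internal nodes NATed out through the shared CARP address, CARP and pfsync traffic allowed so the second gateway can take over), written as an added example rather than the rules from this setup. It assumes OpenBSD-style `match ... nat-to` syntax and made-up names: em0 as the external interface, em1 as the internal interface, carp0 as the shared external address and 10.0.0.0/24 as the internal network.

```pf
# Added example, not the gateway's own pf.conf. Interface names and the
# internal network below are assumptions; adjust them to the real hosts.
ext_if    = "em0"
int_if    = "em1"
carp_if   = "carp0"
sync_if   = "em1"          # interface pfsync0 uses as syncdev
int_net   = "10.0.0.0/24"

set skip on lo

# Default deny; log blocked packets so missing pass/NAT rules show up
# in pflog0 instead of silently dropping traffic.
block log all

# CARP advertisements decide which box is master, and pfsync replicates
# the state table; block either and failover (or a download surviving
# it) breaks.
pass quick on $ext_if proto carp keep state
pass quick on $sync_if proto pfsync keep state

# Translate internal nodes to the CARP address. The parentheses make pf
# re-read carp0's address if it changes, instead of caching it at load.
match out on $ext_if from $int_net to any nat-to ($carp_if)

# Internal nodes may go out through the gateway; the gateway itself may
# originate connections on both sides.
pass in  on $int_if from $int_net to any keep state
pass out on $ext_if keep state
pass out on $int_if keep state
```

Two checks are useful after loading this: `ifconfig carp0` on each gateway shows which one is MASTER and which is BACKUP, and `pfctl -s state` on the master shows internal source addresses being rewritten to the carp0 address. The NAT rule only matches packets `from $int_net`, so connections started on the gateway itself leave with em0's own address rather than carp0's, which is consistent with what was observed on the gateway machine. For the state table to carry over on failover, pfsync0 needs to be configured on both gateways (for example `ifconfig pfsync0 syncdev em1 up`), ideally on a dedicated link, since pfsync traffic is unauthenticated.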

I’ll be adding strictness and port-forwards at a later time. For now, I’m just glad it works as expected. (-: