[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: Load balancing/failover
Great news! There has been some interesting movement on the VRRP front.
I have it running at home actually and I am more then willing (and
hopefully able) to test any and all VRRP / HA solutions for firewalls
from the public domain. I got some Dell Celeron 433's from Ye Olde Used
Compooter Shoppe for about 150$ total (with the extra NIC's) and an old
hub to share the DSL modem and a small subnet of live IP's to use on
I'm sure you've seen the HUT project for FreeBSD freevrrpd:
and it has been ported to OpenBSD by Blake Matheny
this is hard to get to compile (you need gmake for it and some other
It was translated to an unofficial OpenBSD port by Chris Kuethe:
I'm using the source port on one gateway and the "port" on another. The
"port" installs easy obviously but you end up with the same thing.
That being said, there are problems. The original porter (Blake
Matheny) ported FreeVRRPD to OpenBSD (and his web site is down ATM) at
version .84. This works great for load balancing and HA for web
servers, etc, but doesn't help if just 1 interface in my 8 legged
firewall fails. Version .85b from the HUT project added the "killer
app" for firewalls: Monitored Circuits! Second, state information is
not maintained when it fails over :(.
So I would think that there's enough out there in the GPL area and
enough work already done so that you wouldn't need to reinvent the
wheel, just take the GPL'ed software already out there and finish the
port / actively work with Sebastien Petit (the developer of FreeVRRPD)
to keep it up to date with OpenBSD.
I see that there are some comments on the patent issue that came in
after this post. This is very highly misunderstood by either me or
them. The heart of the matter was re-hashed 100000000 times with the
OpenSSL thread on misc@. It's pretty much the same type of license:
"Cisco retains the right to assert patent claims against any party and
subsidiary of a party that asserts a patent it owns or controls, either
directly or indirectly, against Cisco or any of its subsidiaries or
successors in title, including the right to claim damages for any prior
use or sale of VRRP by such a party."
1) IANAL :) your mileage may vary, objects in the mirror are closer then
2) The issue is not that Cisco "owns" vrrp as a concept (they don't
actually, they own various other protocols for HA that the open standard
was based on). If Cisco "owned" it, how could it be an open protocol
with the IETF and how could Checkpoint use it flagrantly? Finally, no
one owns "high availability" or "shared IP solutions", since every
vendor (even M$!) has some form or this somewhere in their products.
3) Cisco offered up "their" piece of the "open" protocol for free as
long as you accept their license. This license was not in the best
interest of the OpenBSD project, but it COULD BE IN THE BEST INTEREST of
one or more OpenBSD users that care more about HA then suing CISCO (see
the last link above).
4) The OpenBSD team even had their own port of VRRPD see the first link
in the list above), but wouldn't put it in the code base because it adds
some stealth licenses to OpenBSD. (see the first link from the archives
5) There is nothing stopping people with no intention of litigation with
Cisco from making their own VRRP based on the public open standard, as
long as you promise not to sue Cisco.
6) The OpenBSD team could not distribute VRRP without poisoning the
entire license for this one use, but independently making the software
doesn't hurt anyone except people that are using it. And the "hurt" is
that they lose their ability to sue Cisco.
So as long as it's not in the "core" distro or distributed by the "core"
team, VRRP ports violate no patents and cause no licensing problems for
If I'm wrong, please smacketh me with a clue stick.
> -----Original Message-----
> From: Luca Perugini [mailto:firstname.lastname@example.org]
> Sent: Thursday, October 03, 2002 10:49 AM
> To: email@example.com
> Subject: R: Load balancing/failover
> I'm working on vrrp implementation on OBSD.
> My starting point was Linux vrrp implementation done by
> Jerome Etienne and FreeBSD vrrp. I hope in 2 or 3 weeks to
> have a "running" version of vrrpd for OBSD 3.1
> In the meaning time I send a patch around ifconfig and 'if'
> files to support MAC showing and MAC setting on ethernet card.
> Ing. Luca Perugini o mailto: firstname.lastname@example.org
> Oxys S.r.l. o Mob.: +39 335 7746997
> Via Gaetana Agnesi, 12 o Off.: +39 02 58327300
> 20135 Milano MI (ITALY) o Fax : +39 02 58304654