
Please help: Setting up HA Firewall with carp and vlan Interfaces



Hello,
I hope this is not too much of a switch-related problem (and therefore OT):
I've got a problem with my HA setup. I am running two firewalls that are clustered
(no load balancing). Both sides (in- and outgoing) are connected to one switch
(later there will be two switches).
State table changes are propagated over pfsync (em0) (crosslink).
The problem is: both firewalls have several VLANs defined on their outer interface (fxp0).
Of course the VLANs on both are identical; the only difference is the MAC address.
Because of that the firewalls always complain about duplicate IP addresses:
"duplicate IP address 192.168.90.69 sent from ethernet address
00:10:dc:f1:22:70"
How do I solve this?
Do I have to set up a CARP interface for every VLAN?
But I guess that wouldn't solve the problem.
Overall it is working, but these warning messages keep spoiling my logs,
and it's definitely not a clean solution.
Some more information:
uname -a:
OpenBSD bsd_node1.smc-d.de 3.6 GENERIC#0 i386
sysctl net.inet.carp:
net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.log=0
net.inet.carp.arpbalance=0
ifconfig -a:
rl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        address: 00:0a:cd:05:18:e8
        media: Ethernet 100baseTX full-duplex
        status: active
        inet 192.168.90.248 netmask 0xffffffe0 broadcast 192.168.90.255
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:10:dc:f5:b2:0b
        media: Ethernet 1000baseT full-duplex
        status: active
        inet 10.10.10.1 netmask 0xfffffffc broadcast 10.10.10.3
fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        address: 00:10:dc:f5:b2:0c
        media: Ethernet 100baseTX full-duplex
        status: active
        inet 5.5.5.5 netmask 0xfffffff8 broadcast 5.5.5.7
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=41<UP,RUNNING> mtu 1348
        pfsync: syncif: em0 maxupd: 128
vlan9: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        address: 00:10:dc:f5:b2:0c
        vlan: 9 parent interface: fxp0
        inet 82.210.20.190 netmask 0xfffffff8 broadcast 82.210.20.191
---snip---
(here several more vlans)
---snip---
carp0: flags=41<UP,RUNNING> mtu 1500
        carp: MASTER vhid 1 advbase 1 advskew 0
        inet 192.168.90.249 netmask 0xffffffe0
carp1: flags=41<UP,RUNNING> mtu 1500
        carp: MASTER vhid 2 advbase 1 advskew 0
        inet 5.5.5.6 netmask 0xfffffff8
	
netstat -sp carp:
carp:
        18 packets received (IPv4)
        0 packets received (IPv6)
                0 packets discarded for bad interface
                0 packets shorter than header
                0 discarded for bad checksums
                0 discarded packets with a bad version
                0 discarded because packet too short
                0 discarded for bad authentication
                0 discarded for bad vhid
                0 discarded because of a bad address list
        159542 packets sent (IPv4)
        0 packets sent (IPv6)
Thank you for any hints/replies.
********************************************************************************
Olaf Zenker
Systemmanager SMC Düsseldorf
T-Systems International GmbH
Global Network Factory
Systemmanagement Customer Solutions
Sohnstr. 45, 40237 Düsseldorf
+49 211-9148-620 (tel)
+49 211-9148-975 (fax)
E-Mail: [email protected]
Website: http://www.t-systems.com
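For the situation the question describes (the same address configured directly on each node's vlan interface, so both boxes answer ARP for it with different MACs), the usual OpenBSD layout is to give each node its own address on the vlan interface and put the shared address on a carp interface whose carpdev is that vlan. The script below is an added example and not part of the original post: it generates per-node hostname.if(5) fragments in that layout and checks that no vlan address is shared between the two nodes. 82.210.20.190/29 on vlan 9 over fxp0 comes from the post; the per-node addresses 82.210.20.188/.189, a second VLAN (tag 10, 192.0.2.0/29), the carp2/carp3 interface names, vhids 3/4, the password and the advskew values are assumptions, and the hostname.if keyword syntax is assumed to match the ifconfig(8) of the target system.

```shell
#!/bin/sh
# Added example (not from the original post): generate OpenBSD hostname.if(5)
# fragments for a two-node CARP pair where every VLAN carries one carp
# interface. Each node keeps a unique address in hostname.vlanN; the shared
# address lives only in hostname.carpM with "carpdev vlanN".

# Constructed VLAN table, one entry per line:
#   tag  shared-ip  netmask  node1-ip  node2-ip  carp-if  vhid
# 82.210.20.190/29 on vlan 9 over fxp0 is from the post; everything else
# (the per-node .188/.189 addresses, VLAN 10 with 192.0.2.0/29, carp2/carp3,
# vhids 3/4) is assumed for illustration.
VLAN_TABLE='9 82.210.20.190 255.255.255.248 82.210.20.188 82.210.20.189 carp2 3
10 192.0.2.6 255.255.255.248 192.0.2.4 192.0.2.5 carp3 4'

CARP_PASS='changeme'   # hypothetical shared CARP password; use a real secret
PARENT_IF='fxp0'       # physical parent of the VLANs, as in the post

# gen_carp_vlan OUTDIR NODE   (NODE is 1 or 2)
# Writes OUTDIR/hostname.vlanN and OUTDIR/hostname.carpM for every table row.
gen_carp_vlan() {
    outdir=$1
    node=$2
    mkdir -p "$outdir" || return 1

    printf '%s\n' "$VLAN_TABLE" | while read -r tag shared mask ip1 ip2 carpif vhid; do
        if [ "$node" = 1 ]; then
            own=$ip1; skew=0      # node 1: preferred master (lowest advskew)
        else
            own=$ip2; skew=100    # node 2: backup (higher advskew loses the election)
        fi
        # Unique real address per node on the vlan interface, so the two
        # boxes never announce the same IP with different MACs.
        printf 'inet %s %s NONE vlan %s vlandev %s\n' \
            "$own" "$mask" "$tag" "$PARENT_IF" > "$outdir/hostname.vlan$tag"
        # Shared address on the carp interface bound to that vlan.
        printf 'inet %s %s NONE vhid %s carpdev vlan%s pass %s advskew %s\n' \
            "$shared" "$mask" "$vhid" "$tag" "$CARP_PASS" "$skew" \
            > "$outdir/hostname.$carpif"
    done
}

# check_unique_vlan_addrs DIR1 DIR2
# Returns 0 when no hostname.vlan* address appears in both directories,
# 1 when one does (the condition behind the "duplicate IP address" log line).
check_unique_vlan_addrs() {
    dup=$(awk '/^inet /{print $2}' "$1"/hostname.vlan* "$2"/hostname.vlan* \
          | sort | uniq -d)
    [ -z "$dup" ]
}

# Example run (writes into /tmp, copy the fragments to /etc on each node):
#   gen_carp_vlan /tmp/node1 1 && gen_carp_vlan /tmp/node2 2
#   check_unique_vlan_addrs /tmp/node1 /tmp/node2 && echo "no shared vlan addresses"
```

The carp interface inherits the vlan's subnet, so the shared address is reachable exactly as before, while the `vlan9` addresses now differ per node and the duplicate-address warning has nothing to trigger on. Keep `net.inet.carp.preempt=1` as in the posted sysctl output if one node should reclaim MASTER on all carp interfaces together when it returns.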