
Re: stalled connections between pf servers

On Sep 26, 2005, at 7:19 PM, Steve Witucke wrote:

What happens when you make one router the master of both carp groups? I
would assume that the issue mentioned above with pinging 20.1 and 30.1
goes away. Does your traffic stalling issue also go away?

If I, for example, set 20.1 down (ifconfig carp3 down on hobbes) and the other
interface (30.1 on hobbes) is already in backup, then yes, my traffic problem
goes away because all the traffic is now being routed through one box (calvin).

fyi -- I set up a two-node HA firewall using obsd/pf/pfsync/carp in a lab environment. Each fw has 3 physical interfaces and 2 carp interfaces, one for untrusted and one for trusted. I noticed in my testing that if I 'ifconfig carp0 down' on the master firewall, which was master for both carp interfaces at the time, the backup firewall does _not_ take over for both carp interfaces. Rather, each firewall has a master and a backup carp interface; in other words, my firewall is now dead from a packet-routing perspective. Since neither physical firewall has a full path, each has half of the path: one can get to the outside and one can get to the inside. :(

This makes sense to me. Since the carp interfaces are virtual they should never fail, while the physical interfaces they are associated with could/may fail. If I take down the physical interface associated with a carp interface, then both (or I guess rather all) carp interfaces on that box fail to the next available host. I'm also using net.inet.carp.preempt=1 which is required so that all carp interfaces on a given physical host fail (advskew = 240) when one carp interface "fails", i.e. the physical interface associated with it fails.

Hope this helps, Chad
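The behaviour Chad describes can be modelled to make the failure mode concrete: an administrative `ifconfig carpN down` only changes that one group's election, while a physical link failure with net.inet.carp.preempt=1 demotes every carp interface on the host (advskew 240), so both groups move together. The following is an added, simplified model written for this post, not OpenBSD kernel code; the host names calvin/hobbes come from the thread, while the interface names (fxp0, fxp1), vhids and advskew values are assumed for illustration, and the model elects afresh each time rather than tracking CARP's advertisement timers.

```python
"""Toy model of CARP master election for a two-firewall pair with two
carp groups (untrusted / trusted).  Constructed example for this thread,
not OpenBSD's implementation.  It shows why 'ifconfig carp0 down' on
the master splits the groups across both boxes, while a parent-link
failure with preempt enabled demotes the whole host (advskew 240) so
the backup takes over every group at once.
"""
from dataclasses import dataclass, field

DEMOTED_ADVSKEW = 240  # advskew a demoted host advertises with preempt on


@dataclass
class CarpIface:
    name: str        # e.g. "carp0"
    vhid: int        # carp group this interface belongs to
    parent: str      # physical interface the advertisements ride on
    advskew: int     # configured skew; lower wins the election
    up: bool = True  # administrative state (ifconfig carpN up/down)


@dataclass
class Firewall:
    name: str
    links: dict                                  # parent iface -> link up?
    ifaces: list = field(default_factory=list)
    preempt: bool = True                         # net.inet.carp.preempt

    def effective_advskew(self, c: CarpIface) -> int:
        # With preempt enabled, any dead parent link demotes every carp
        # interface on the host, not only the one riding that link.
        if self.preempt and not all(self.links.values()):
            return DEMOTED_ADVSKEW
        return c.advskew


def elect(firewalls):
    """Return {vhid: master firewall name}, lowest effective advskew wins."""
    masters = {}
    vhids = {c.vhid for fw in firewalls for c in fw.ifaces}
    for vhid in sorted(vhids):
        candidates = []
        for fw in firewalls:
            for c in fw.ifaces:
                # An interface that is admin-down, or whose parent link is
                # dead, cannot send advertisements and so cannot be master.
                if c.vhid == vhid and c.up and fw.links[c.parent]:
                    candidates.append((fw.effective_advskew(c), fw.name))
        if candidates:
            masters[vhid] = min(candidates)[1]
    return masters


def has_full_path(masters, firewall_name):
    """True only if one box is master for every carp group (can route)."""
    return bool(masters) and all(m == firewall_name for m in masters.values())


def build_pair(preempt=True):
    # calvin is the preferred master (advskew 0) for both groups.
    calvin = Firewall("calvin", links={"fxp0": True, "fxp1": True}, preempt=preempt)
    hobbes = Firewall("hobbes", links={"fxp0": True, "fxp1": True}, preempt=preempt)
    calvin.ifaces = [CarpIface("carp0", 1, "fxp0", 0), CarpIface("carp1", 2, "fxp1", 0)]
    hobbes.ifaces = [CarpIface("carp0", 1, "fxp0", 100), CarpIface("carp1", 2, "fxp1", 100)]
    return calvin, hobbes


def scenario_admin_down():
    """'ifconfig carp0 down' on the master: only vhid 1 moves -> split."""
    calvin, hobbes = build_pair()
    calvin.ifaces[0].up = False
    return elect([calvin, hobbes])


def scenario_link_down(preempt=True):
    """Parent link of carp0 dies on the master; preempt decides the outcome."""
    calvin, hobbes = build_pair(preempt=preempt)
    calvin.links["fxp0"] = False
    return elect([calvin, hobbes])


if __name__ == "__main__":
    for label, m in [("admin down", scenario_admin_down()),
                     ("link down, preempt=1", scenario_link_down()),
                     ("link down, preempt=0", scenario_link_down(preempt=False))]:
        full = [fw for fw in ("calvin", "hobbes") if has_full_path(m, fw)]
        print(f"{label:22s} masters={m} full path on: {full or 'nobody'}")
```

The two "split" outcomes (admin-down, and link-down without preempt) are the state Chad calls dead from a packet-routing perspective: each box is master for one group, so neither has a route through both the trusted and untrusted side. The preempt=1 case is the one where the demotion to advskew 240 lets the backup win both elections.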