Date: Sun, 27 Aug 2006 22:34:55 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: freebsd@gorlani.net
Cc: freebsd-questions@freebsd.org
Subject: Re: Understanding CARP
Message-ID: <44F20FFF.10306@infracaninophile.co.uk>
In-Reply-To: <000d01c6c9ff$89d0e510$4b0cfea9@thebeast>
References: <000d01c6c9ff$89d0e510$4b0cfea9@thebeast>
freebsd@gorlani.net wrote:
> Hi
> I'm new to FreeBSD but I'm loving it very much! I'm experimenting with CARP
> to create a redundant router/firewall.
> I created a functioning two-machine routing cluster and it works very well
> while configured for failover. I'm going to test it with load balancing and
> I'm wondering about some problems that could arise.
> Suppose I enable load balancing features.
> Situation: my cluster (made of CL1 and CL2) routes from Net A to Net B. I
> have an A_Client and a B_Server. A_Client initiates a connection to B_Server
> and the packet is routed by the CL1 machine.
> The response packet comes from the B network (it is from B_Server) and is
> taken by CL2 to be routed (asymmetric routing problem, as documented in the
> man page). If no packet filtering occurs, there is no problem. But what if I
> use IPFilter? Is there a way to keep the state between CL1 and CL2 with
> IPFilter?

If you're using CARP, then you should combine it with pf(8) rather than
IPFilter. CARP was written by the same people that wrote pf.

As for keeping state between both halves of a redundant firewall pair,
you need pfsync(4) -- generally that takes a dedicated network link between
both sides of the HA pair -- usually just a cross-over cable. pfsync
will replicate the state table to the other half of the HA pair, so failover
can be made seamless. See http://www.openbsd.org/faq/pf/carp.html

You can't actually do any *load balancing* with CARP. It's purely a High
Availability function. For firewalls it is usually used in Active/Standby
mode: one of the firewall pair handles all the traffic and the other just
waits to take over if needed.

You can make an Active/Active pair by configuring two carp VIFs on the
pair and setting the weightings so that each side gets one of the VIFs
preferentially when everything is working OK, but again, there's nothing
there to actually *balance* the traffic over the two VIFs. Also, as a
very reasonably priced machine nowadays will be able to cope with running
as a firewall at full 100Mb/s line speed on its own, it generally doesn't
achieve anything other than making the configuration a lot more complex.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
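The pieces Matthew lists (pf on both nodes, pfsync over a dedicated cross-over link, CARP in Active/Standby, and optionally two CARP VIFs with opposite weightings for an Active/Active pair) fit together as below. This configuration is an added illustration, not something posted in the thread: it assumes the FreeBSD 10-and-later CARP syntax, where the vhid is an attribute of an address alias rather than a cloned carp0 interface as in 2006, and the interface names em0/em1/em2, the documentation prefixes 192.0.2.0/24 and 198.51.100.0/24, the 10.0.0.0/30 sync link, the hostnames and the two secrets are all placeholders.

```conf
# --- /boot/loader.conf on both nodes ----------------------------------------
# Added example; interfaces, addresses and secrets are placeholders.
carp_load="YES"

# --- /etc/rc.conf on the MASTER node (CL1) ----------------------------------
hostname="cl1.example.net"
gateway_enable="YES"
pf_enable="YES"
pflog_enable="YES"

# Physical addresses are unique per node.
ifconfig_em0="inet 192.0.2.2/24"        # Net A side
ifconfig_em1="inet 198.51.100.2/24"     # Net B side
ifconfig_em2="inet 10.0.0.1/30"         # dedicated pfsync link (cross-over cable)

# CARP virtual addresses shared by the pair. The lowest advskew wins the
# election; the pass is used to authenticate advertisements (HMAC), so a
# host that does not know it cannot claim the VIP.
ifconfig_em0_alias0="inet vhid 1 advskew 0 pass s3cretA alias 192.0.2.1/32"
ifconfig_em1_alias0="inet vhid 2 advskew 0 pass s3cretB alias 198.51.100.1/32"

# Replicate the pf state table over the dedicated link only.
pfsync_enable="YES"
pfsync_syncdev="em2"

# --- /etc/rc.conf on the BACKUP node (CL2): identical except ---------------
# hostname="cl2.example.net"
# ifconfig_em0="inet 192.0.2.3/24"
# ifconfig_em1="inet 198.51.100.3/24"
# ifconfig_em2="inet 10.0.0.2/30"
# ifconfig_em0_alias0="inet vhid 1 advskew 100 pass s3cretA alias 192.0.2.1/32"
# ifconfig_em1_alias0="inet vhid 2 advskew 100 pass s3cretB alias 198.51.100.1/32"
#
# Active/Active variant from the reply: give CL1 advskew 100 on vhid 2 and CL2
# advskew 0 on vhid 2, so each node normally owns one VIP. Nothing balances
# flows between them; it only splits which node answers for which address.

# --- /etc/sysctl.conf on both nodes ----------------------------------------
# With preempt on, a link failure demotes every vhid on that node, so both
# VIPs move together instead of leaving traffic split across a half-dead node.
net.inet.carp.preempt=1

# --- /etc/pf.conf, identical on both nodes ----------------------------------
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"
net_a   = "192.0.2.0/24"
net_b   = "198.51.100.0/24"

set skip on lo0

# pfsync is neither encrypted nor authenticated: permit it only on the sync
# link, and mark those states no-sync so they are not themselves replicated.
pass quick on $sync_if proto pfsync keep state (no-sync)

# CARP advertisements must be accepted on every interface that carries a VIP.
pass quick on { $ext_if $int_if } proto carp keep state (no-sync)

block log all

# Forwarded traffic from Net A to Net B. The state created on the node that
# sees the SYN is replicated to its peer, so the asymmetric return path in the
# question (reply arriving at CL2) matches a synced state instead of "block".
pass in  on $ext_if inet proto tcp from $net_a to $net_b port { 80 443 } keep state
pass out on $int_if inet proto tcp from $net_a to $net_b port { 80 443 } keep state
```

To check the result, `ifconfig em0` on each node should show the vhid 1 address with `carp: MASTER` on CL1 and `carp: BACKUP` on CL2, and `pfctl -s state` on CL2 should list states for connections that were only ever forwarded by CL1. The reason the sync link is a cross-over cable and not the production LAN is the one in the pf.conf comment: anyone who can put packets on the pfsync segment can insert or remove state entries on both firewalls, so the link must be physically private (or protected with IPsec) rather than merely filtered.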