From: Mike Barnard
To: freebsd-net@freebsd.org
Date: Fri, 28 Jan 2011 10:43:10 +0300
Subject: CARP Failover
List-Id: Networking and TCP/IP with FreeBSD

Hi,

I have two firewalls, FW1 and FW2. Each server has three interfaces, bce0, bce1 and bce2, and of course the carp interfaces.

FW1:
  bce0:  41.xxx.yyy.244/29
  bce1:  172.19.254.14/30
  bce2:  41.xxx.yyy.252/29
  carp0: 41.202.229.243
  carp1: 41.202.229.251

FW2:
  bce0:  41.xxx.yyy.245/29
  bce1:  172.19.254.15/30
  bce2:  41.xxx.yyy.253/29
  carp0: 41.202.229.243
  carp1: 41.202.229.251

FW1 is connected to SW1 and FW2 is connected to SW2. Both SW1 and SW2 are connected to the aggregating switch.

I have configured CARP in failover mode, and the interesting thing is that both firewalls' carp interfaces come up as MASTER:

FW1:
carp0: flags=49 metric 0 mtu 1500
        inet 41.xxx.yyy.243 netmask 0xfffffff8
        carp: MASTER vhid 1 advbase 1 advskew 1
carp1: flags=49 metric 0 mtu 1500
        inet 41.xxx.yyy.251 netmask 0xfffffff8
        carp: MASTER vhid 2 advbase 1 advskew 1

FW2:
carp0: flags=49 metric 0 mtu 1500
        inet 41.xxx.yyy.243 netmask 0xfffffff8
        carp: MASTER vhid 1 advbase 1 advskew 100
carp1: flags=49 metric 0 mtu 1500
        inet 41.xxx.yyy.251 netmask 0xfffffff8
        carp: MASTER vhid 2 advbase 1 advskew 100

The pfsync0 interfaces on both are configured thus:

FW1:
pfsync0: flags=41 metric 0 mtu 1460
        pfsync: syncdev: bce1 syncpeer: 172.19.254.15 maxupd: 128

FW2:
pfsync0: flags=41 metric 0 mtu 1460
        pfsync: syncdev: bce1 syncpeer: 172.19.254.14 maxupd: 128

My sysctl variables on both firewalls are set thus:

net.inet.carp.allow=1      # Allow the firewall to accept CARP packets
net.inet.carp.preempt=1    # Allow firewalls to fail over when one goes down
net.inet.ip.forwarding=1   # Allow packet forwarding through the firewalls

Am I missing something, have I misconfigured something, or have I somehow missed something out?

Thanks.

--
Mike

Of course, you might discount this possibility, but remember that one in a million chances happen 99% of the time.
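Added example, not part of the original message or of any reply on the list: a POSIX shell check that parses FreeBSD "ifconfig" output for CARP interfaces from two nodes and reports, per vhid, whether both nodes show MASTER (each node is not receiving the other's advertisements, which CARP sends as IP protocol 112 to the multicast group 224.0.0.18), whether the node with the higher advskew holds MASTER although preempt is enabled, or whether the pair looks healthy. The ifconfig text embedded below is constructed to mirror the output quoted above; the variable names FW1_IFCONFIG/FW2_IFCONFIG and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Parses FreeBSD "ifconfig" output
# for CARP interfaces from two nodes and flags split-brain (both MASTER).
# The sample text below is constructed to mirror the poster's output.

# Constructed sample: "ifconfig carp0 carp1" as captured on FW1 and FW2.
FW1_IFCONFIG='carp0: flags=49 metric 0 mtu 1500
	inet 41.xxx.yyy.243 netmask 0xfffffff8
	carp: MASTER vhid 1 advbase 1 advskew 1
carp1: flags=49 metric 0 mtu 1500
	inet 41.xxx.yyy.251 netmask 0xfffffff8
	carp: MASTER vhid 2 advbase 1 advskew 1'

FW2_IFCONFIG='carp0: flags=49 metric 0 mtu 1500
	inet 41.xxx.yyy.243 netmask 0xfffffff8
	carp: MASTER vhid 1 advbase 1 advskew 100
carp1: flags=49 metric 0 mtu 1500
	inet 41.xxx.yyy.251 netmask 0xfffffff8
	carp: MASTER vhid 2 advbase 1 advskew 100'

# carp_states TEXT: print one "vhid state advskew" line per CARP interface,
# taken from the "carp: STATE vhid N advbase N advskew N" lines in TEXT.
carp_states() {
    printf '%s\n' "$1" | awk '$1 == "carp:" { print $4, $2, $8 }'
}

# split_brain_vhids TEXT_A TEXT_B: print the vhids that are MASTER on both nodes.
split_brain_vhids() {
    { carp_states "$1"; carp_states "$2"; } |
        awk '$2 == "MASTER" { n[$1]++ } END { for (v in n) if (n[v] > 1) print v }' |
        sort -n
}

# classify_vhid STATE_A SKEW_A STATE_B SKEW_B
# With net.inet.carp.preempt=1 the node advertising the lower advskew should
# hold MASTER; MASTER on both sides means neither node hears the other's
# advertisements (multicast 224.0.0.18, IP protocol 112, not delivered or
# filtered).
classify_vhid() {
    if [ "$3" = ABSENT ]; then
        echo PEER-MISSING
    elif [ "$1" = MASTER ] && [ "$3" = MASTER ]; then
        echo SPLIT-BRAIN
    elif [ "$1" = MASTER ] && [ "$2" -gt "$4" ]; then
        echo WRONG-MASTER
    elif [ "$3" = MASTER ] && [ "$4" -gt "$2" ]; then
        echo WRONG-MASTER
    elif [ "$1" = MASTER ] || [ "$3" = MASTER ]; then
        echo OK
    else
        echo NO-MASTER
    fi
}

# carp_report TEXT_A TEXT_B: one "vhid N: VERDICT" line per vhid seen on node A.
carp_report() {
    a=$1; b=$2
    carp_states "$a" | while read -r vhid state_a skew_a; do
        # Look up the same vhid on the peer; empty if the peer lacks it.
        peer=$(carp_states "$b" | awk -v v="$vhid" '$1 == v { print $2, $4 }')
        set -- $peer
        state_b=${1:-ABSENT}; skew_b=${2:-0}
        printf 'vhid %s: %s\n' "$vhid" \
            "$(classify_vhid "$state_a" "$skew_a" "$state_b" "$skew_b")"
    done
}

carp_report "$FW1_IFCONFIG" "$FW2_IFCONFIG"
```

On a live pair, capture `ifconfig carp0 carp1` on each firewall and pass the two texts to carp_report. If it reports SPLIT-BRAIN, run `tcpdump -ni bce0 proto carp` on each node: only the local node's advertisements appearing means the path through SW1, the aggregating switch and SW2 is not delivering the 224.0.0.18 multicast, or the packet filter is not passing `proto carp` on the interfaces carrying the carp addresses (and `proto pfsync` on bce1 for the state sync).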