Date:      Fri, 28 Jan 2011 10:43:10 +0300
From:      Mike Barnard <mike.barnardq@gmail.com>
To:        freebsd-net@freebsd.org
Subject:   CARP Failover
Message-ID:  <AANLkTinCZ3iihu-9rSFniihW-94m2Pf%2BhFyJ%2BL5q72vM@mail.gmail.com>

Hi,

I have two firewalls, FW1 and FW2. Each server has three interfaces, bce0,
bce1 and bce2 and of course the carp interfaces.

FW1:
bce0: 41.xxx.yyy.244/29
bce1: 172.19.254.14/30
bce2: 41.xxx.yyy.252/29
carp0: 41.202.229.243
carp1: 41.202.229.251

FW2:
bce0: 41.xxx.yyy.245/29
bce1: 172.19.254.15/30
bce2: 41.xxx.yyy.253/29
carp0: 41.202.229.243
carp1: 41.202.229.251

FW1 is connected to SW1 and FW2 is connected to SW2. Both SW1 and SW2 are
connected to the aggregating switch.


I have configured CARP in failover mode and the interesting thing is both
firewall carp interfaces come up as master:

FW1:
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 41.xxx.yyy.243 netmask 0xfffffff8
        carp: MASTER vhid 1 advbase 1 advskew 1
carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 41.xxx.yyy.251 netmask 0xfffffff8
        carp: MASTER vhid 2 advbase 1 advskew 1

FW2:
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 41.xxx.yyy.243 netmask 0xfffffff8
        carp: MASTER vhid 1 advbase 1 advskew 100
carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 41.xxx.yyy.251 netmask 0xfffffff8
        carp: MASTER vhid 2 advbase 1 advskew 100

The pfsync0 interfaces on both are configured thus:

FW1:
pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
        pfsync: syncdev: bce1 syncpeer: 172.19.254.15 maxupd: 128

FW2:
pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
        pfsync: syncdev: bce1 syncpeer: 172.19.254.14 maxupd: 128


my sysctl variables on both firewalls are set thus:

net.inet.carp.allow=1           # Allow the firewall to accept CARP packets
net.inet.carp.preempt=1         # Allow firewalls to failover when one goes down
net.inet.ip.forwarding=1        # Allow packet forwarding through the firewalls


Am I missing something, have I mis-configured something, or have I somehow
missed something out?

Thanks.


-- 
Mike

Of course, you might discount this possibility, but remember that one in
a million chances happen 99% of the time.
------------------------------------------------------------



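As an added example, not part of Mike's message and not FreeBSD's own tooling: a small POSIX sh script that parses the `ifconfig` output of both nodes and flags any vhid that is MASTER on both. That is the state shown above, and it means neither node is receiving the other's CARP advertisements (IP protocol 112, sent to multicast 224.0.0.18 on the physical interfaces carrying the carp subnets, bce0 and bce2 here). The two ifconfig samples are constructed to mirror the quoted state, with the addresses replaced by a documentation range; the node labels A and B and the function names are the example's own, and FW2_HEALTHY shows what FW2 should report once it hears FW1 (advskew 1 beats advskew 100).

```sh
#!/bin/sh
# Added example (not from the original message): detect a CARP split-brain,
# i.e. a vhid that is MASTER on both nodes, from each node's `ifconfig` output.
# The samples below are constructed to mirror the state quoted in the message
# (addresses replaced with a documentation range); they were not captured
# from the author's firewalls.
FW1_IFCONFIG='carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 192.0.2.243 netmask 0xfffffff8
        carp: MASTER vhid 1 advbase 1 advskew 1
carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 192.0.2.251 netmask 0xfffffff8
        carp: MASTER vhid 2 advbase 1 advskew 1'

FW2_IFCONFIG='carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 192.0.2.243 netmask 0xfffffff8
        carp: MASTER vhid 1 advbase 1 advskew 100
carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 192.0.2.251 netmask 0xfffffff8
        carp: MASTER vhid 2 advbase 1 advskew 100'

# What FW2 should look like once it hears FW1's advertisements (advskew 1 < 100).
FW2_HEALTHY='carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 192.0.2.243 netmask 0xfffffff8
        carp: BACKUP vhid 1 advbase 1 advskew 100
carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 192.0.2.251 netmask 0xfffffff8
        carp: BACKUP vhid 2 advbase 1 advskew 100'

# carp_states "<ifconfig output>": one line per carp interface, "vhid state advskew".
# The "carp:" line has fields: carp: STATE vhid N advbase N advskew N
carp_states() {
    printf '%s\n' "$1" | awk '$1 == "carp:" { print $4, $2, $8 }'
}

# carp_split_brain "<node A ifconfig>" "<node B ifconfig>":
# prints every vhid that is MASTER on both nodes; returns 1 if any, 0 if none.
carp_split_brain() {
    {
        carp_states "$1" | sed 's/^/A /'
        carp_states "$2" | sed 's/^/B /'
    } | awk '
        # fields after tagging: NODE VHID STATE ADVSKEW
        $3 == "MASTER" { masters[$2] = masters[$2] " " $1 }
        END {
            rc = 0
            for (v in masters)
                if (split(masters[v], nodes, " ") > 1) {
                    print "vhid " v " is MASTER on" masters[v]
                    rc = 1
                }
            exit rc
        }'
}

# Stand-alone run: report the split-brain present in the constructed samples.
if ! carp_split_brain "$FW1_IFCONFIG" "$FW2_IFCONFIG"; then
    echo "split-brain: the nodes are not hearing each other's CARP advertisements"
fi
```

When the script reports a split-brain, the two things to check on each node are that pf passes `proto carp` on bce0 and bce2 (a default-deny ruleset drops the advertisements otherwise) and that SW1, SW2 and the aggregating switch forward multicast to 224.0.0.18 between the two hosts. With preempt enabled, advskew 1 on FW1 and advskew 100 on FW2, FW2 should settle to BACKUP within a few advbase intervals of hearing FW1.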