Stanislav Sedov wrote: > On Mon, 20 Apr 2009 14:21:10 +0200 > Sebastiaan van Erk <[email protected]> mentioned:
I think once I have pfsync the problem will go away due to the synchronized state (the backups won't block anymore), but it still seems strange to me that all 3 machines will then be actively filtering the packets...Does anybody know what's going on?I'd suggest to look first why all of them're receiving this traffic. It looks like something is not right in the network itself.
After reading about CARP some more, I think that's the expected behavior: --- http://www.openbsd.org/faq/faq6.html#CARP ---How it works: CARP is a multicast protocol. It groups several physical computers together under one or more virtual addresses. Of these, one system is the master and responds to all packets destined for the group, the other systems act as hot spares.
--- http://www.openbsd.org/faq/faq6.html#CARP ---Since I don't have pfsync enabled yet the other two machines don't have the propper state and will drop the connection. Normally this would only pollute the log, but on the internal networks I don't want connections to hang for long periods so I do "block return". This causes pf to respond to the traffic since it doesn't know anything about the machine being a carp backup, and thus the originating host receives a RST and drops the connection.
I'm wondering if the combination block return + carp is going to work at all, even with pfsync... I will do some more research on that.
Regards, Sebastiaan
smime.p7s
Description: S/MIME Cryptographic Signature
