[EMAIL PROTECTED] wrote:
> Hi
>  I'm new to FreeBSD but I'm loving it very much! I'm experimenting with CARP
> to create a redundant router/firewall.
> I created a functioning two machine routing cluster and it works very well
> while configured for failover. I'm going to test it with load balancing and
> I'm wondering about some problems that could arise.
> Suppose I enable load balancing features.
> Situation: my cluster (made by CL1 and CL2) routes from Net A to Net B. I
> have an A_client and a B_Server. A_Client initiates a connection to B_Server
> and the packet is routed by the CL1 machine.
> The response packet comes from the B network (it is from B_Server) and is
> taken by CL2 to be routed (asymmetric routing problem, as documented in the
> man page). If no packet filtering occurs, there is no problem. But what if I
> use IPFilter? Is there a way to keep the state between CL1 and CL2 with
> IPFilter? 

If you're using CARP, then you should combine it with pf(8) rather than
IPFilter.  CARP was written by the same people that wrote pf.  

As for keeping state between both halves of a redundant firewall pair,
you need pfsync(4) -- generally that takes a dedicated network link between
both sides of the HA pair -- usually just a cross-over cable.  pfsync 
will replicate the state table to the other half of the HA pair, so failover
can be made seamless. See http://www.openbsd.org/faq/pf/carp.html 

You can't actually do any *load balance* with CARP.  It's purely a High
Availability function.  For firewalls it is usually used in Active/Standby
mode: one of the firewall pair handles all the traffic and the other just 
waits to take over if needed.  You can make an Active/Active pair by
configuring two carp VIFs on the pair and setting the weightings so that
each side gets one of the VIFs preferentially when everything is working OK,
but again, there's nothing there to actually *balance* the traffic over the
two VIFs.  Also, as a very reasonably priced machine nowadays will be
able to cope with running as a firewall at full 100Mb/s line speed on its
own, it generally doesn't achieve anything other than making the configuration a
lot more complex.

        Cheers,

        Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       7 Priory Courtyard
                                                      Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to