[EMAIL PROTECTED] wrote: > Hi > I'm new to FreeBSD but I'm loving it very much! I'm experimenting with CARP > to create a redundant router/firewall. > I created a functioning two machine routing cluster and it works very well > while configured for failover. I'm going to test it with load balancing and > I'm wondering about some problems that could arise. > Suppose I enable load balancing features. > Situation: my cluster (made by CL1 and CL2) routes from Net A to Net B. I > have an A_client and a B_Server. A_Client initiates a connection to B_Server > and the packet is routed by the CL1 machine. > The response packet comes from the B network (it is from B_Server) and is > taken by CL2 to be routed (asymmetric routing problem, as documented in the > man page). If no packet filtering occurs, there is no problem. But what if I > use IPFilter? Is there a way to keep the state between CL1 and CL2 with > IPFilter?
If you're using CARP, then you should combine it with pf(8) rather than IPFilter. CARP was written by the same people that wrote pf. As for keeping state between both halves of a redundant firewall pair, you need pfsync(4) -- generally that takes a dedicated network link between both sides of the HA pair -- usually just a cross-over cable. pfsync will replicate the state table to the other half of the HA pair, so failover can be made seamless. See http://www.openbsd.org/faq/pf/carp.html You can't actually do any *load balance* with CARP. It's purely a High Availability function. For firewalls it is usually used in Active/Standby mode: one of the firewall pair handles all the traffic and the other just waits to take over if needed. You can make an Active/Active pair by configuring two carp VIFs on the pair and setting the weightings so that each side gets one of the VIFs preferentially when everything is working OK, but again, there's nothing there to actually *balance* the traffic over the two VIFs. Also, as a very reasonably priced machine nowadays will be able to cope with running as a firewall at full 100Mb/s line speed on its own, it generally doesn't achieve anything other than making the configuration a lot more complex. Cheers, Matthew -- Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW
Description: OpenPGP digital signature