Bryant Zimmerman wrote on 8-1-2015 at 17:22:
> ------------------------------------------------------------------------
> *From*: "Seth Mos" <[email protected]>
> *Sent*: Thursday, January 8, 2015 11:02 AM
> *To*: [email protected]
> *Subject*: Re: [pfSense] 4 Byte ASN
>
> Jim Thompson wrote on 8-1-2015 at 16:52:
>>> On Jan 8, 2015, at 9:23 AM, Seth Mos <[email protected]> wrote:
>>>
>>> You do not want to use CARP with BGP in any situation. Each node
>>> needs its own session with the remote BGP peer. You need to use iBGP
>>> between the nodes instead.
>>
>> We run a pair of c2758s behind each link and CARP between these, announcing
>> the routes out via BGP. (Technically this occurs on a different pair (R200)
>> boxes that play the role of router (one per link).
>
> To clarify this a bit better. You speak BGP to your ISP from each
> pfSense node and generally use CARP as the router address on the
> internal side.
>
> You still need to exchange routes between both pfSense nodes.
>
> The moment CARP fails over you drop your BGP session anyhow, so both
> pfSense nodes need the routing tables (Unless you use default only).
>
> Regards,
>
> Seth
>
>
> What my current design is. 3 Routers in a CARP stack at each location.
> A single fiber link. We have a fiber vlan between the locations.
> I was thinking of BGP announcing from the CARP stack in the event of a
> router failure the next unit in line should take on the load for the
> firewall and BGP. We don't want to drop existing connection if possible.
> Now I know if a connection goes down hard we may drop while it switches
> over to the alternate site. I just don't want to drop due to an internal
> router failure.
>
> Am I approaching this the wrong way?

You will drop the BGP session because only one pfSense node will have a
connected session from the openbgpd. A virtual IP is nice, but that only
applies for traffic traveling through the firewall, not a process running
*ON* the firewall.

Depending on whether you do default, customer only or full routing, both
pfSense nodes need the same routing table. Since openbgpd takes care of
inserting routes into the routing table, this needs to happen on both nodes.

If you bind openbgpd to the CARP address, node B will set up a new session
on failover, exchange routes, install routes during which time you will
drop traffic with destination unreachable. Hopefully the remote peer has
soft-reconfiguration inbound.

Cheers,

Seth
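
The layout described in this thread (each node holding its own BGP session to the ISP, iBGP between the nodes, CARP only as the inside router address), sketched as OpenBGPD configuration. This is an added example, not part of the thread or of pfSense's generated config; every AS number, address and description is a constructed placeholder, and it assumes each node has its own address on the ISP-facing subnet.

```conf
# Constructed example values (documentation ranges, RFC 5398 / RFC 5737):
#   our AS 64500, ISP AS 64496 at 198.51.100.1, our prefix 203.0.113.0/24
#   node A: WAN 198.51.100.2, inter-node link 10.0.0.1
#   node B: WAN 198.51.100.3, inter-node link 10.0.0.2
# Assumption: both nodes sit on the ISP-facing subnet, so the next hop of
# routes learned over iBGP (198.51.100.1) is directly reachable from either.

# ---- bgpd.conf on node A ----
AS 64500
router-id 198.51.100.2
network 203.0.113.0/24

# eBGP: sourced from node A's own WAN address, not from a CARP VIP,
# so the session does not depend on which node is CARP master.
neighbor 198.51.100.1 {
	remote-as 64496
	descr "ISP from node A"
	local-address 198.51.100.2
}

# iBGP: same AS on both ends; keeps both nodes' routing tables populated.
neighbor 10.0.0.2 {
	remote-as 64500
	descr "iBGP to node B"
	local-address 10.0.0.1
}

# ---- bgpd.conf on node B ----
AS 64500
router-id 198.51.100.3
network 203.0.113.0/24

neighbor 198.51.100.1 {
	remote-as 64496
	descr "ISP from node B"
	local-address 198.51.100.3
}

neighbor 10.0.0.1 {
	remote-as 64500
	descr "iBGP to node A"
	local-address 10.0.0.2
}
```

With this layout a CARP failover on the inside moves only the gateway address; node B's session to the ISP is already established and its routes are already installed.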
