Hi,

> On 23 Jun 2015, at 10:50, Aviolat Romain <romain.avio...@nagra.com> wrote:
>
> Hi Andy,
>
> Thanks for your detailed answer.
>
> Yes we are doing stateful firewalling and we want to keep it like that; we
> of course plan to have servers that are able to take the full load in case of
> failure of the other.
>
> We don't yet have requirements to go higher than the actual 1Mpps limit
> (around 500Mbit/s for standard web traffic), but we would be pleased to have
> MP supported on the network stack!

There is no hardcoded limit; it is purely the single-core CPU
performance and packet size that dictate the achievable throughput.
We would have enabled only one core if it weren't for the fact that we're
running so many daemons too. OpenBSD is pretty sensible when it comes to
scheduling userland stuff, so daemons rarely get in the way of your PF
busy core.

>
> I’ll follow your advice and stay in active-backup mode for now.

Doesn't mean you shouldn't try active-active out (in a lab)...
But if you're only talking 500Mbps, stick with steady and stable ;)

>
> Romain
>
> From: Andy Lemin [mailto:a...@brandwatch.com]
> Sent: Tuesday 23 June 2015 11:25
> To: Romain FABBRI
> Cc: Aviolat Romain; 'misc@openbsd.org' (misc@openbsd.org)
> Subject: Re: HA / load balancing / fail-over using CARP
>
> Hi, You can already do active-active CARP with OpenBSD. I believe it hashes
> by the MAC address (the MAC hash dictates which firewall responds to an ARP
> for the gateway IP).
>
> However you may have issues with states and state synchronisation depending
> on the pps and firewall hardware performance, meaning you might be forced to
> enable "sloppy" states, or at the very least enable "defer" on pfsync. But
> allowing sloppy states is bad as it throws away a significant proportion of
> OpenBSD's awesome TCP security.
>
> In short, it is *much* better to buy hardware where each firewall on its own
> is able to handle the full load, and run in active-backup mode.
> Generally speaking, I've always found the layer 2 high availability provided
> by CARP to be rock solid, and if you want to do full stateful firewalling,
> this is your only sensible choice.
>
> If you have no need for full stateful firewalling then you can do
> active-active at layer 3 using OSPF etc. for the HA, and enable defer and
> sloppy and you're all done.
> It depends on what network feeds you are connected to and what your
> requirements are.
>
> http://www.openbsd.org/papers/pfsync_v5.pdf
>
> NB: We run Transtec servers, which are just custom built Supermicro servers
> with a 3.5GHz E5-2609v2 CPU (with only two cores enabled and Turbo Plus
> enabled giving us two 3.7GHz cores).
> The highest I have seen these do with 10gig NICs is almost 1Mpps with PF
> enabled.
>
> So there is little excuse for people to complain about OpenBSD PF
> performance unless you are talking about higher than 10gig networking.
>
> But with all the work the devs are doing at the moment freeing up parts of
> the kernel from the BIG LOCK
> (http://quigon.bsws.de/papers/2015/asiabsdcon-openbsdupdate/), it won't be
> much longer before the network stack goes MP too (it is happening but it's not
> trivial). After which discussions on throughput and performance really do
> become a moot point, and instead we'll start seeing big enterprises start
> using OpenBSD and pushing for things like an OpenFlow agent ;)
>
> So in short, stay active-backup, and sleep better :)
>
> Hope this helps.
> Cheers, Andy.
>
> Just for fun: https://events.yandex.com/events/ruBSD/2013/talks/104/
>
>
>
> On 22 Jun 2015, at 09:08, Romain FABBRI <romain.fab...@alienconsulting.net> wrote:
>
> Not sure you really want to do that but you could achieve some IP or MAC
> load balancing using this kind of setup:
> http://www.kernel-panic.it/openbsd/carp/carp4.html
>
> -----Original Message-----
> From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of
> Aviolat Romain
> Sent: Monday 22 June 2015 09:40
> To: 'misc@openbsd.org' (misc@openbsd.org)
> Subject: HA / load balancing / fail-over using CARP
>
> Dear OpenBSD community,
>
> I'll deploy a new redundant firewall setup in a few weeks (waiting for the
> hardware...). It'll be composed of two 1U Supermicro servers and a few
> additional 10GbE NICs.
>
> The idea was to use CARP + pfsync as the fail-over mechanism.
>
> I already deployed that a few times in the past, and we're pretty happy with
> this setup; maintenance is easy and the setup is rock solid.
>
> The only disadvantage IMHO is that there is no way to achieve load balancing
> between the members of the CARP cluster: one machine is always working while
> the other is idle. I could define some VLANs on top of CARP interfaces to be
> MASTER on routerA and some on routerB, but still it's not real load balancing.
>
> So before making the same setup again I wanted to have your input about
> that; maybe I'm not aware of other ways to achieve HA/load-balancing using
> OpenBSD?
>
> Thanks for your help!
>
> Romain Aviolat
> Senior System Administrator - R&D and ops Infrastructure
> Kudelski Security - Kudelski Group
> rte de Genève 22-24, 1033 Cheseaux, SWITZERLAND
> +41 21 732 03 79
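For reference, the active-backup CARP + pfsync layout recommended in the thread, written out as OpenBSD configuration fragments. This is an added example and not configuration posted by anyone in the thread; the interface names (em0 external, em2 dedicated sync link), the 192.0.2.0/24 addresses and the CARP password are placeholders. It also shows, side by side, the full "keep state" rule and the "sloppy" variant the thread warns against, and the pfsync "defer" option it mentions.

```conf
# /etc/hostname.carp0 on the preferred master.
# The backup uses the same line with "advskew 100" so it only takes
# over the VIP when the master stops advertising.
# (placeholder addresses, placeholder password)
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 carpdev em0 pass CHANGE_ME advskew 0

# Lab-only active-active variant (not recommended for stateful firewalling
# in the thread): both nodes answer for the VIP, each owning one virtual
# host id. Use the reversed carpnodes weights on the second box.
# inet 192.0.2.1 255.255.255.0 192.0.2.255 carpdev em0 pass CHANGE_ME balancing ip carpnodes 1:0,2:100

# /etc/hostname.pfsync0 - state table replication over the dedicated link.
# "defer" holds the first packet of a new connection until the peer has
# acknowledged the state insert, so a failover mid-handshake keeps the flow.
up syncdev em2 defer

# /etc/sysctl.conf - a recovered master takes the VIP back
net.inet.carp.preempt=1

# /etc/pf.conf (relevant fragment)
ext_if  = "em0"
sync_if = "em2"

# Never filter the replication traffic itself on the pfsync interface.
set skip on { lo0 pfsync0 }

# CARP advertisements and pfsync messages must pass between the two boxes,
# and their states should not themselves be replicated (no-sync).
pass on $ext_if  proto carp   keep state (no-sync)
pass on $sync_if proto pfsync keep state (no-sync)

# Recommended: full TCP state tracking, sequence-number window checks kept.
pass in on $ext_if proto tcp to 192.0.2.1 port 80 keep state

# What the thread advises against: "sloppy" drops the sequence-number checks
# so states survive asymmetric paths, at the cost of the TCP tracking above.
# pass in on $ext_if proto tcp to 192.0.2.1 port 80 keep state (sloppy)
```

With this layout, `ifconfig carp0` on each box shows MASTER on one and BACKUP on the other, and `pfctl -ss` on the backup shows the replicated states arriving over em2 before any failover happens, which is the check to make before trusting the pair in production.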
