> I'm building a network as it is drawn on this pic: http://devnet.pl/~pck/network.jpg
>
> With ISP1 and ISP2 I have to set up BGP (I've got a public AS) and I'm
> thinking of using OpenBGPD for this.
>
> To connect to ISP1 I have 1.1.1.4/30: .4/30 is the IP for my router, .3/30 is
> for the ISP1 router.
> To connect to ISP2 I have 2.2.2.4/30: .4/30 is the IP for my router, .3/30 is
> for the ISP2 router.
>
> For the DMZ I've got a public /24, for example 3.3.3.0/24.
>
> FW3 and FW4 are exactly the same machines; they've got 4 Ethernet ports, for
> example:
> e0: 1.1.1.4/30 (ISP1)
> e1: 2.2.2.4/30 (ISP2)
> e2: 3.3.3.1/24 (DMZ)
> e3: for pfsync between FW3 and FW4
>
> I want to set up CARP on the ISP and DMZ sides. Is it possible? I have only one IP
> for connecting to each ISP, so can I set 192.168.0.1/24 and 192.168.0.2/24 on e0
> and then make hostname.carp0 with the IP address 1.1.1.4/30? And something like
> this on the ISP2 side.
I had the exact problem in a client network recently, including wanting
to do load balancing of the protected web servers. After trying a
variety of different configs (and wanting to keep things simple by
avoiding doing any added routing), I finally ended up having the ISP
hand me the network as a /24 (instead of as a /24 via a segmented /30)
with my .1 of the /24 being held on *their* router as my gateway.
Easy.
I imagine there is some way to do this, and while perhaps the way we
ended up doing things wasn't as pretty, it ultimately led us to
accomplish the goal: getting the network running with failover.
> And the second question is how I can resolve a problem like this:
> I've got two machines in the DMZ (on public IPs) which do the same thing (i.e.
> web servers):
> 3.3.3.40
> 3.3.3.41
>
> and one of them dies, so I redirect all traffic to the second machine. Should
> I do it with an rdr rule? Like:
> rdr on $ext_e0 proto tcp from any to 3.3.3.40 port 80 -> 3.3.3.41 port 80
> rdr on $ext_e1 proto tcp from any to 3.3.3.40 port 80 -> 3.3.3.41 port 80
>
> or something else?
We use carp in master/slave mode and round-robin to accomplish this as such:
table <rr_ext> persist file "/etc/tables/rr_ext"
table <rr_int> persist file "/etc/tables/rr_int"
rdr on $ext_if inet proto tcp from any to <rr_ext> port 80 -> \
<rr_int> round-robin
...we then set up one external CARP group for the public www IPs and a
second internal CARP group for the private www server IPs.
Works like a charm.
Best,
Kevin
--
http://www.ebiinc.com: Background Screening from EBI
Leaders in background checks for employers worldwide.
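The following is an added example, not Kevin's configuration and not the original poster's; it shows the layout the question describes (private addresses on the physical ISP-facing interfaces, the public /30 carried by a carp interface, and a pf rdr pool for the two DMZ web servers) in hostname.if(5) and pf.conf(5) form. The interface names em0..em3, the vhids, the CARP passphrases, the pfsync link addresses and the pool name www_pool are assumptions; the public addresses are the ones from the question, and the rdr syntax is the pre-4.7 form used in the thread.

```conf
# --- /etc/hostname.em0 on FW3 (FW4 uses 192.168.0.2): physical link to ISP1 ---
inet 192.168.0.1 255.255.255.0 NONE

# --- /etc/hostname.carp0 on both firewalls: the shared public /30 to ISP1 ---
# carpdev is given explicitly because the parent interface holds an RFC 1918
# address, so carp cannot pick the parent from the subnet of 1.1.1.4/30.
# advskew 0 on FW3 (preferred master); FW4 uses advskew 100.
inet 1.1.1.4 255.255.255.252 NONE vhid 1 carpdev em0 pass carp1secret advskew 0

# --- /etc/hostname.em1 / hostname.carp1: same pattern for ISP2 ---
# em1: inet 192.168.1.1 255.255.255.0 NONE   (FW4: 192.168.1.2)
inet 2.2.2.4 255.255.255.252 NONE vhid 2 carpdev em1 pass carp2secret advskew 0

# --- /etc/hostname.em2 / hostname.carp2: DMZ side ---
# em2: inet 192.168.2.1 255.255.255.0 NONE   (FW4: 192.168.2.2)
# 3.3.3.1 is the default gateway the DMZ hosts point at.
inet 3.3.3.1 255.255.255.0 3.3.3.255 vhid 3 carpdev em2 pass carp3secret advskew 0

# --- /etc/hostname.em3 (FW4 uses 10.0.0.2) and /etc/hostname.pfsync0 ---
inet 10.0.0.1 255.255.255.252 NONE
up syncdev em3

# --- /etc/pf.conf (excerpt) ---
ext_if1 = "em0"        # packets for 1.1.1.4 arrive on the parent, not on carp0
ext_if2 = "em1"
dmz_if  = "em2"
sync_if = "em3"

www_vip = "3.3.3.40"   # the address published in DNS
table <www_pool> persist { 3.3.3.40, 3.3.3.41 }

# state replication and CARP advertisements between FW3 and FW4
pass quick on $sync_if proto pfsync
pass on { $ext_if1 $ext_if2 $dmz_if } proto carp

# spread port 80 for the published address over the pool; sticky-address keeps
# a client on the same server for the life of its state
rdr on { $ext_if1 $ext_if2 } inet proto tcp from any to $www_vip port 80 \
    -> <www_pool> round-robin sticky-address
```

Two points a practitioner should check before relying on this. First, the rdr rules are bound to the physical interfaces (em0, em1) rather than to carp0/carp1, because traffic for a CARP address is received on the parent interface; the translated states are replicated over pfsync, so an established connection survives a master/backup switch. Second, pf's round-robin pool does no health checking: if 3.3.3.40 dies, pf keeps handing it half the new connections until the entry is removed, either by hand (`pfctl -t www_pool -T delete 3.3.3.40`) or by a monitor that manages the table, such as OpenBSD's relayd(8).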