On Fri, 12 Oct 2018 11:56:28 +0200 Marko Cupać <marko.cu...@mimar.rs> wrote:
> After introducing carppeer option I see incoming traffic on physical
> interfaces of both MASTER and BACKUP firewalls, as opposed to the
> situation without carppeer option, where I see incoming traffic on
> physical interface of MASTER only.

I hope I'm making some progress. I have set static non-multicast lladdrs on my CARP interfaces (I have 3 of them: to ISP1, to ISP2 and to DMZ) for starters. I am also monitoring the MAC address table on the switch which connects my firewalls to the above networks.

Failing over with carpdemote results in a clean failover, and the switch's MAC address table shows both physical and CARP lladdrs on ports that connect to the current MASTER, and only physical lladdrs on ports that connect to the current BACKUP.

However, rebooting BACKUP results (in my opinion) in a strange situation, where the switch's MAC address table shows only MASTER's physical lladdrs, while the CARP lladdrs go missing. When BACKUP comes back, the lladdr of one of the three CARP interfaces of MASTER appears immediately in the switch's MAC address table (DMZ), while the other two don't - the respective switch ports show only physical lladdrs. Then, after a few minutes, another CARP lladdr shows up in the switch's MAC address table (ISP1), but the third one (ISP2) continues to show the physical lladdr only, which results in incoming traffic on the physical interfaces that connect to ISP2 of both CARP members.

The situation seems to be self-healing when the designated BACKUP (higher advskew) takes the role of MASTER by increasing carpdemote on the designated MASTER (lower advskew), and the designated MASTER (currently BACKUP) reboots, at the moment when the designated MASTER takes over the MASTER role. But when the designated BACKUP gets restarted, switching roles does not happen, MASTER stays MASTER, and the switch's MAC address table never updates the port with the CARP lladdr for ISP2.

I am aware this is quite a complex issue, presumably not related to OpenBSD itself but maybe to the switch (ATGS900MX). Still, I'd be very thankful for any advice on the matter.
Regards,

-- 
Before enlightenment - chop wood, draw water.
After enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
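The MAC-table check Marko describes doing by hand (does each CARP lladdr sit on the current MASTER's port, or has it vanished so the switch floods to both firewalls?) can be scripted. This is an added example, not code from the post or from OpenBSD; the lladdrs, port names and the MAC-table text are constructed sample data, and a real switch's table output will need its own parsing.

```python
from typing import Dict, Tuple

# Constructed sample: network -> (CARP lladdr, switch port to fw1, switch port to fw2).
NETWORKS: Dict[str, Tuple[str, str, str]] = {
    "ISP1": ("02:ca:fe:00:00:01", "g1", "g2"),
    "ISP2": ("02:ca:fe:00:00:02", "g3", "g4"),
    "DMZ":  ("02:ca:fe:00:00:03", "g5", "g6"),
}

# Constructed sample MAC table ("<lladdr> <port>" per line) in the state the
# post describes with fw1 as MASTER: DMZ and ISP1 CARP lladdrs are learned on
# fw1's ports, the ISP2 CARP lladdr is absent and only physical lladdrs remain.
SAMPLE_MAC_TABLE = """\
02:ca:fe:00:00:01 g1
08:00:27:aa:00:01 g1
08:00:27:bb:00:01 g2
08:00:27:aa:00:02 g3
08:00:27:bb:00:02 g4
02:ca:fe:00:00:03 g5
08:00:27:aa:00:03 g5
08:00:27:bb:00:03 g6
"""


def parse_mac_table(text: str) -> Dict[str, str]:
    """Return {lladdr: port}; blank lines and '#' comments are skipped."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        table[parts[0].lower()] = parts[1]
    return table


def check_carp_lladdrs(table: Dict[str, str], networks, master: int) -> Dict[str, str]:
    """master is 1 or 2 (which firewall currently holds MASTER).
    Per network: 'ok' (CARP lladdr on MASTER's port), 'missing' (not learned at
    all, so the switch floods frames to both firewalls), or 'on-backup-port'."""
    result: Dict[str, str] = {}
    for name, (carp_mac, port_fw1, port_fw2) in networks.items():
        expected = port_fw1 if master == 1 else port_fw2
        seen = table.get(carp_mac.lower())
        if seen is None:
            result[name] = "missing"
        elif seen == expected:
            result[name] = "ok"
        else:
            result[name] = "on-backup-port"
    return result


if __name__ == "__main__":
    for net, state in check_carp_lladdrs(parse_mac_table(SAMPLE_MAC_TABLE), NETWORKS, 1).items():
        print(f"{net}: {state}")
```

Run it periodically against the switch's live table and alert on any "missing" entry; that is the state in which incoming traffic shows up on both firewalls' physical interfaces.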