Hi folks!

I am currently trying to set up a failover firewall using carp and pfsync,
and I am having some trouble making it work.


Both firewalls run OpenBSD 4.0/i386.

        +----| WAN/Internet |----+
        |                        |
        |     switch 100Mb/s     |
        |                        |
    fxp0|         carp0          |fxp0
     +-----+                  +-----+
     | fw1 |-vr1----------vr1-| fw2 |
     +-----+                  +-----+
     vr0|         carp1          |vr0
        |                        |
        |     switch 100Mb/s     |
        |                        |
      --+------Shared LAN--------+---

ISSUE:

To test failover between the two firewalls, I tried shutting down carp0
and then carp1 on the master during an FTP download from the LAN:

- step 1: ifconfig carp0 down on fw1; fw2's carp0 becomes master and the
download continues.

- step 2: ifconfig carp1 down on fw1; fw2's carp1 becomes master but the download aborts.

As both carp interfaces are configured exactly the same way, I don't
understand why the test works in one case and not in the other.


CONFIG:

fw1:
pf.conf:
scrub in all
nat on fxp0 from !(fxp0) to any -> (fxp0)
pass quick on vr0 proto pfsync
pass quick on { fxp0 , vr1 } proto carp
pass all keep state

hostname.fxp0:
inet 172.17.200.1 255.255.0.0 172.17.255.255

hostname.vr0:
inet 10.0.0.1 255.0.0.0 10.255.255.255

hostname.vr1:
inet 172.16.0.1 255.255.0.0 172.16.255.255

hostname.carp0:
inet 172.17.200.3 255.255.0.0 172.17.255.255 vhid 1 pass root carpdev fxp0

hostname.carp1:
inet 10.0.0.3 255.0.0.0 10.255.255.255 vhid 2 pass toor carpdev vr0

hostname.pfsync0:
syncdev vr1 syncpeer 172.16.0.2 up

ifconfig:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
        inet 127.0.0.1 netmask 0xff000000
fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:08:c7:0f:5a:19
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::208:c7ff:fe0f:5a19%fxp0 prefixlen 64 scopeid 0x1
        inet 172.17.200.1 netmask 0xffff0000 broadcast 172.17.255.255
vr0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:05:5d:5f:f1:64
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::205:5dff:fe5f:f164%vr0 prefixlen 64 scopeid 0x2
        inet 10.0.0.1 netmask 0xff000000 broadcast 10.255.255.255
vr1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:05:5d:5f:ef:a2
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::205:5dff:fe5f:efa2%vr1 prefixlen 64 scopeid 0x3
        inet 172.16.0.1 netmask 0xffff0000 broadcast 172.16.255.255
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=41<UP,RUNNING> mtu 1460
        pfsync: syncdev: vr1 syncpeer: 172.16.0.2 maxupd: 128
        groups: carp
enc0: flags=0<> mtu 1536
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: MASTER carpdev fxp0 vhid 1 advbase 1 advskew 0
        groups: carp
        inet6 fe80::200:5eff:fe00:101%carp0 prefixlen 64 scopeid 0x8
        inet 172.17.200.3 netmask 0xffff0000 broadcast 172.17.255.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:02
        carp: MASTER carpdev vr0 vhid 2 advbase 1 advskew 0
        groups: carp
        inet6 fe80::200:5eff:fe00:102%carp1 prefixlen 64 scopeid 0x9
        inet 10.0.0.3 netmask 0xff000000 broadcast 10.255.255.255




fw2:
pf.conf:
(same as fw1)

hostname.fxp0:
inet 172.17.200.2 255.255.0.0 172.17.255.255

hostname.vr0:
inet 10.0.0.2 255.0.0.0 10.255.255.255

hostname.vr1:
inet 172.16.0.2 255.255.0.0 172.16.255.255

hostname.carp0:
inet 172.20.200.3 255.255.0.0 172.20.255.255 vhid 1 pass root carpdev fxp0 advskew 100

hostname.carp1:
inet 10.0.0.3 255.0.0.0 10.255.255.255 vhid 2 pass toor carpdev vr0 advskew 150

hostname.pfsync0:
syncdev vr1 syncpeer 172.16.0.1 up

ifconfig:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
        inet 127.0.0.1 netmask 0xff000000
fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:50:8b:90:4c:70
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::250:8bff:fe90:4c70%fxp0 prefixlen 64 scopeid 0x1
        inet 172.17.200.2 netmask 0xffff0000 broadcast 172.17.255.255
vr0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:05:5d:5f:f1:31
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::205:5dff:fe5f:f131%vr0 prefixlen 64 scopeid 0x2
        inet 10.0.0.2 netmask 0xff000000 broadcast 10.255.255.255
vr1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:05:5d:5f:f7:88
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::205:5dff:fe5f:f788%vr1 prefixlen 64 scopeid 0x3
        inet 172.16.0.2 netmask 0xffff0000 broadcast 172.16.255.255
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=41<UP,RUNNING> mtu 1460
        pfsync: syncdev: vr1 syncpeer: 172.16.0.1 maxupd: 128
        groups: carp
enc0: flags=0<> mtu 1536
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: BACKUP carpdev fxp0 vhid 1 advbase 1 advskew 100
        groups: carp egress
        inet6 fe80::200:5eff:fe00:101%carp0 prefixlen 64 scopeid 0x8
        inet 172.17.200.3 netmask 0xffff0000 broadcast 172.17.255.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:02
        carp: BACKUP carpdev vr0 vhid 2 advbase 1 advskew 240
        groups: carp
        inet6 fe80::200:5eff:fe00:102%carp1 prefixlen 64 scopeid 0x9
        inet 10.0.0.3 netmask 0xff000000 broadcast 10.255.255.255




sysctl net.inet.carp (on both fw):

net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.log=1
net.inet.carp.arpbalance=0

Let me know if you need more information.

Any help is appreciated, thanks a lot.


dmesg: (both firewalls use the same hardware)

OpenBSD 4.0 (GENERIC) #1107: Sat Sep 16 19:15:58 MDT 2006
   [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel Pentium II ("GenuineIntel" 686-class, 512KB L2 cache) 398 MHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR
real mem  = 133787648 (130652K)
avail mem = 114647040 (111960K)
using 1658 buffers containing 6791168 bytes (6632K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(e4) BIOS, date 06/30/98, BIOS32 rev. 0 @
0xec700, SMBIOS rev. 2.1 @ 0xf1146 (48 entries)
bios0: Compaq Deskpro EN Series SFF
pcibios0 at bios0: rev 2.1 @ 0xec700/0x3900
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf7440/112 (5 entries)
pcibios0: PCI Interrupt Router at 000:20:0 ("Intel 82371AB PIIX4 ISA" rev 0x00)
pcibios0: PCI bus #1 is the last bus
bios0: ROM list: 0xc0000/0x8000 0xe0000/0x8000!
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82443BX AGP" rev 0x03
ppb0 at pci0 dev 1 function 0 "Intel 82443BX AGP" rev 0x03
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "ATI Rage Pro" rev 0x5c
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
fxp0 at pci0 dev 10 function 0 "Intel 8255x" rev 0x05, i82558: irq 11,
address 00:08:c7:0f:5a:19
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 0
vr0 at pci0 dev 13 function 0 "VIA VT6105 RhineIII" rev 0x86: irq 11,
address 00:05:5d:5f:f1:64
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 4: OUI
0x004063, model 0x0034
vr1 at pci0 dev 14 function 0 "VIA VT6105 RhineIII" rev 0x86: irq 11,
address 00:05:5d:5f:ef:a2
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 4: OUI
0x004063, model 0x0034
pcib0 at pci0 dev 20 function 0 "Intel 82371AB PIIX4 ISA" rev 0x02
pciide0 at pci0 dev 20 function 1 "Intel 82371AB IDE" rev 0x01: DMA,
channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <FUJITSU MPC3064AT>
wd0: 16-sector PIO, LBA, 6149MB, 12594960 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <COMPAQ, CD-224E, 9.0A> SCSI0 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
uhci0 at pci0 dev 20 function 2 "Intel 82371AB USB" rev 0x01: irq 11
usb0 at uhci0: USB revision 1.0
uhub0 at usb0
uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
piixpm0 at pci0 dev 20 function 3 "Intel 82371AB Power" rev 0x02: SMI
iic0 at piixpm0
"unknown" at iic0 addr 0x18 not configured
admtemp0 at iic0 addr 0x4c: adm1021
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
sb0 at isa0 port 0x220/24 irq 5 drq 1: dsp v3.01
midi0 at sb0: <SB MIDI UART>
audio0 at sb0
opl0 at sb0: model OPL3
midi1 at opl0: <SB Yamaha OPL3>
pcppi0 at isa0 port 0x61
midi2 at pcppi0: <PC speaker>
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
biomask ff45 netmask ff45 ttymask ffc7
pctr: 686-class user-level performance counters enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
carp: pfsync0 demoted group carp to 129
carp: pfsync0 demoted group carp to 0
carp: pfsync0 demoted group carp to 1
carp: pfsync0 demoted group carp to 0


--
There's this old saying: "Give a man a fish, feed him for a day. Teach
a man to fish, feed him for life."
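One thing worth checking in the posted pf.conf is the NAT rule: `nat on fxp0 from !(fxp0) to any -> (fxp0)` translates outbound LAN connections to the firewall's own physical fxp0 address rather than to the shared carp0 address, so a state that pfsync copies to the peer carries a source address that only one box owns. The short Python lint below is an added example, not the poster's own tool or any OpenBSD utility; it reads the pf.conf and ifconfig text quoted above (embedded here as constructed input) and flags NAT rules whose translation address is a carpdev instead of the carp interface riding on it.

```python
import re

# Constructed from the configuration posted above (fw1's pf.conf and the
# carp entries of its ifconfig output); not taken from any live system.
PF_CONF = """\
scrub in all
nat on fxp0 from !(fxp0) to any -> (fxp0)
pass quick on vr0 proto pfsync
pass quick on { fxp0 , vr1 } proto carp
pass all keep state
"""

IFCONFIG = """\
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev fxp0 vhid 1 advbase 1 advskew 0
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev vr0 vhid 2 advbase 1 advskew 0
"""

IFACE_RE = re.compile(r"^(\w+): flags=")
CARPDEV_RE = re.compile(r"^\s+carp: \S+ carpdev (\w+) vhid")
NAT_RE = re.compile(r"^nat on (\w+) .*-> \((\w+)\)")


def carp_map(ifconfig_text):
    """Map each physical carpdev (e.g. fxp0) to the carp interface on it."""
    devmap, current = {}, None
    for line in ifconfig_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)      # start of a new interface block
            continue
        m = CARPDEV_RE.match(line)
        if m and current:
            devmap[m.group(1)] = current
    return devmap


def check_nat(pf_text, devmap):
    """Return (rule, suggested_rule) pairs for NAT rules that translate to a
    physical interface address which has a carp interface on top of it."""
    findings = []
    for line in pf_text.splitlines():
        m = NAT_RE.match(line.strip())
        if m and m.group(2) in devmap:
            target = m.group(2)
            fixed = line.replace(f"-> ({target})", f"-> ({devmap[target]})")
            findings.append((line, fixed))
    return findings


if __name__ == "__main__":
    for rule, fixed in check_nat(PF_CONF, carp_map(IFCONFIG)):
        print(f"pins NAT to one box: {rule}\n  suggested: {fixed}")
```

Translating to the carp0 address lets the translated source follow whichever firewall is currently master, which is the behaviour the pfsync'd state needs to survive a LAN-side failover.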
