On Thu, Nov 13, 2008 at 05:51:49PM -0800, Vivek Ayer wrote:
> Yay! I got ssh and http to work on the CARP interface. Thanks.
>
> However, the httpd redirect is not working just yet on the CARP
> interface for one of the computers. Does IP balancing mess up
> redirect?

Well, that depends.
IP balancing computes a commutative hash of the source and destination
IP to decide which node accepts the packet.
If you do a rdr, you modify the destination, thus the hash is
different and the returning packet might end up on another node,
which has no knowledge about the pf-NAT state.
However, if you also NAT the outgoing packet to an address that
belongs to one node only, you'll get the reply.
That of course means that you won't have the client's original IP
address for your apache access logs.
IP balancing is no silver bullet.
I designed it as a simple solution to build a cluster of load
balanced servers without the need of a separate load balancer.
A pf pair with no nat/rdr is also easy to build. Translation is hard.

> Here's my current pf.conf:
[...]
> # Basic CARP/pfsync pass rules
> pass on $carpdevs proto carp keep state
this ^^^ is still wrong, btw. But your other rules seem to cover
that traffic already anyway.
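
The hash behaviour described in this message, as an added example that is not part of the original mail and is not the CARP code itself: it counts how many replies reach a node that did not accept the request, for forwarding without translation, rdr alone, and rdr combined with NAT to a node-only address. The XOR-and-modulo hash, the three-node cluster and all addresses are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define NODES 3  /* assumed cluster size */
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

/* Stand-in commutative hash (assumption): XOR the two addresses, then pick a
 * node by modulo. XOR is symmetric, so owner(a, b) == owner(b, a). */
static unsigned owner(uint32_t a, uint32_t b) { return (a ^ b) % NODES; }

enum mode { NO_TRANSLATION, RDR_ONLY, RDR_PLUS_NAT };

/* Node that receives the reply for a flow the cluster accepted from `client`
 * to `dst`; `backend` is the rdr target (constructed sample addresses). */
static unsigned reply_node(enum mode m, uint32_t client, uint32_t dst, uint32_t backend)
{
    switch (m) {
    case NO_TRANSLATION:
        return owner(dst, client);      /* reply is dst -> client */
    case RDR_ONLY:
        return owner(backend, client);  /* reply is backend -> client */
    default:
        /* Source was NATed to an address only the accepting node owns, so
         * the reply is delivered there and is not balanced at all. */
        return owner(client, dst);
    }
}

/* Count clients in 198.51.100.1..n whose reply reaches a node without state. */
int stray_replies(enum mode m, int n)
{
    const uint32_t vip = IP(192, 0, 2, 10), backend = IP(10, 0, 0, 20);
    int stray = 0;
    for (int i = 1; i <= n; i++) {
        uint32_t client = IP(198, 51, 100, i);
        if (reply_node(m, client, vip, backend) != owner(client, vip))
            stray++;
    }
    return stray;
}

int main(void)
{
    printf("no translation: %d stray\n", stray_replies(NO_TRANSLATION, 100));
    printf("rdr only:       %d stray\n", stray_replies(RDR_ONLY, 100));
    printf("rdr + nat:      %d stray\n", stray_replies(RDR_PLUS_NAT, 100));
    return 0;
}
```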