Hey Felipe,

On Fri, Dec 05, 2008 at 11:51:05AM +0100, Felipe Alfaro Solana wrote:
| Hi misc,
|
| I've been thinking about this for a while but can't seem to figure out
| a proper solution. Perhaps you have seen a scenario like this before
| and have ideas on how to tackle it.
|
| I have two OpenBSD 4.4 boxes configured in active/backup CARP,
| connected to an ADSL router. I want to reconfigure the ADSL router and
| turn it into a bridge. This way, my public IP address will move from
| the ADSL router into the CARP interface and will be shared by both
| OpenBSD machines. The ADSL router has a built-in hub where both
| OpenBSD machines are plugged into.
Some years ago, I did exactly this. Configured an ADSL modem for rfc1483 mode (which my ISP supported) and had two machines behind it for routing (NATting) my local network out.

| While the machine whose CARP interface is in ACTIVE won't have
| problems sending and processing traffic, the OpenBSD machine whose
| CARP interface is in BACKUP will. The machine whose CARP interface is
| in BACKUP will be able to send traffic to the Internet from its public
| IP address, but will not be able to process any response, for example
| to contact an NTP server: the UDP response from the NTP server will
| arrive at both OpenBSD machines (since both are sharing the public IP
| address), but the machine whose CARP interface is BACKUP will likely
| ignore the NTP response. For TCP it is also very similar.

I did this before we had openntpd and didn't run "that other" ntpd on my machines. Internet access was only available when the machine was CARP master.

I think there are two solutions here, both of which have issues. First solution (only solves the ntp issue): configure your CARP'ed routers to use an ntpd on your local network (which gets its time via the same set of CARP'ed routers). The other option is to get more public IPs from your ISP. This makes your routers accessible from the internet. Downsides are that the first solution requires an extra machine and the second solution is probably difficult with most ISPs.

| I have no idea how to deploy a scenario like this, while allowing the
| machine whose CARP interface is in BACKUP to access the Internet. A
| workaround is having the machine whose CARP interface is in BACKUP
| have a default route installed pointing to the machine whose CARP
| interface is ACTIVE. The problem is the setup is more complex and
| requires a way of dynamically adjusting the default route. A possible
| solution is using ifstated(8). Is it possible to use OSPF instead?

I don't really like that solution.
My suggestion would be to try and minimize the amount of traffic the machines need to send to the internet (preferably to 0). Maybe use IPv6 (if your ISP does native v6 on the link) when you can't work around this.

Cheers ;)

Paul 'WEiRD' de Weerd

-- 
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
http://www.weirdnet.nl/
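[Editor's note, not part of the thread: below is an added ifstated.conf illustrating the route-flipping workaround Felipe describes (and Paul says he doesn't much like). It is not code from either poster. Interface names and addresses are placeholders: carp0 carries the shared public IP on the link to the bridged modem, 203.0.113.1 stands in for the ISP gateway on that link, and 192.168.1.2 for the other box's physical address on the internal LAN. It also assumes the master's pf.conf already NATs the internal LAN out through carp0, so traffic the backup box sends from its internal address is handled like any other LAN host's.]

```conf
# /etc/ifstated.conf -- added illustration of the default-route workaround.
# Placeholders (assumed, adjust to your setup):
#   carp0        shared public IP, facing the bridged ADSL modem
#   203.0.113.1  ISP gateway on the bridged link (assumed)
#   192.168.1.2  the OTHER box's address on the internal LAN (assumed).
#                Use its physical address, not the internal CARP address:
#                a CARP address is configured locally on this box too, so
#                routing to it would never leave the machine.
# The master's pf.conf is assumed to NAT 192.168.1.0/24 out via carp0,
# so the backup box's traffic gets the same treatment as any LAN host.

# ifstated reports a carp interface as "link up" while it is MASTER.
carp_up = "carp0.link.up"

init-state auto

state auto {
	if $carp_up
		set-state master
	if ! $carp_up
		set-state backup
}

# We own the public IP: default route straight to the ISP gateway.
state master {
	init {
		run "/sbin/route -qn delete default; /sbin/route -qn add default 203.0.113.1"
	}
	if ! $carp_up
		set-state backup
}

# The other box owns the public IP: route via it on the internal LAN and
# let its NAT rewrite our source address so replies come back through it.
state backup {
	init {
		run "/sbin/route -qn delete default; /sbin/route -qn add default 192.168.1.2"
	}
	if $carp_up
		set-state master
}
```

The file is not symmetric: each box needs the peer's internal address in its own copy. Enable the daemon with ifstated_flags="" in /etc/rc.conf.local and check the state transitions with ifstated -d the first time a CARP failover happens. Note that this only moves the default route; whatever the backup box already had in flight from the shared public IP (the NTP and TCP cases from the thread) is still lost at the moment of the switch.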