Hi list. I've installed two firewalls, 1 master and 1 backup. Trying some
tests to see whether carp and pfsync work, I get this issue: the master fw works,
all network connections work, then I disconnect the external interface
cable of fw1 and carp0 goes into INIT, carp1 into BACKUP and carp2 into BACKUP;
on fw2, carp0, carp1 and carp2 become MASTER. After 5/10 seconds,
still with the cable disconnected, carp0 of firewall 1 is in INIT,
carp1 and carp2 return to MASTER, and on fw2 carp0 is MASTER and
carp1, carp2 become BACKUP; and every 5/10 seconds fw1 is: carp0 INIT, carp1
MASTER, carp2 MASTER, then after 5/10 seconds fw1 becomes carp0 INIT, carp1
BACKUP, carp2 BACKUP, and so on.
Then:

State before cable disconnection:
         fw1               fw2
  carp0: MASTER     carp0: BACKUP
  carp1: MASTER     carp1: BACKUP
  carp2: MASTER     carp2: BACKUP

State after cable disconnection:
         fw1               fw2
  carp0: INIT       carp0: MASTER
  carp1: BACKUP     carp1: MASTER
  carp2: BACKUP     carp2: MASTER

State after 5/10 seconds, still with the cable disconnected:
         fw1               fw2
  carp0: INIT       carp0: MASTER
  carp1: MASTER     carp1: BACKUP
  carp2: MASTER     carp2: BACKUP

After another 5/10 seconds with the cable disconnected:
         fw1               fw2
  carp0: INIT       carp0: MASTER
  carp1: BACKUP     carp1: MASTER
  carp2: BACKUP     carp2: MASTER

After another 5/10 seconds without the cable:
         fw1               fw2
  carp0: INIT       carp0: MASTER
  carp1: MASTER     carp1: BACKUP
  carp2: MASTER     carp2: BACKUP

and so on...
These are my pf rules for carp and pfsync:
pass in quick proto pfsync
pass in quick proto carp
....
..
block in all
...
FW1 [MASTER]: net.inet.carp.preempt=1
FW2 [BACKUP]: net.inet.carp.preempt=0 (tried also with 1)
And these are my ifconfig outputs:
IFCONFIG FW1:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33200
        priority: 0
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
xl0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:10:5a:2e:0f:9e
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.1.84 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::210:5aff:fe2e:f9e%xl0 prefixlen 64 scopeid 0x1
rl0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1d:0f:c4:0c:1d
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 10.1.1.5 netmask 0xffff0000 broadcast 10.1.255.255
        inet6 fe80::21d:fff:fec4:c1d%rl0 prefixlen 64 scopeid 0x2
rl1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1d:0f:c4:17:cb
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 172.16.2.4 netmask 0xffffff00 broadcast 172.16.2.255
        inet6 fe80::21d:fff:fec4:17cb%rl1 prefixlen 64 scopeid 0x3
enc0: flags=0<>
        priority: 0
        groups: enc
        status: active
pfsync0: flags=41<UP,RUNNING> mtu 1500
        priority: 0
        pfsync: syncdev: rl0 maxupd: 128 defer: off
        groups: carp pfsync
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33200
        priority: 0
        groups: pflog
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        priority: 0
        carp: MASTER carpdev xl0 vhid 1 advbase 1 advskew 0 carppeer 192.168.1.85
        groups: carp
        status: master
        inet6 fe80::200:5eff:fe00:101%carp0 prefixlen 64 scopeid 0x6
        inet 192.168.1.33 netmask 0xffffff00 broadcast 192.168.1.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:02
        priority: 0
        carp: MASTER carpdev rl0 vhid 2 advbase 1 advskew 0 carppeer 10.1.1.6
        groups: carp
        status: master
        inet 10.1.1.1 netmask 0xffff0000 broadcast 10.1.255.255
        inet6 fe80::200:5eff:fe00:102%carp1 prefixlen 64 scopeid 0x7
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:03
        priority: 0
        carp: MASTER carpdev rl1 vhid 3 advbase 1 advskew 0 carppeer 172.16.2.5
        groups: carp
        status: master
        inet 172.16.2.1 netmask 0xffffff00 broadcast 172.16.2.255
        inet6 fe80::200:5eff:fe00:103%carp2 prefixlen 64 scopeid 0x8
IFCONFIG FW2:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33200
        priority: 0
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
xl0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:50:04:50:fe:c3
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.1.85 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::250:4ff:fe50:fec3%xl0 prefixlen 64 scopeid 0x1
rl0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1d:0f:c4:3f:8e
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 10.1.1.6 netmask 0xffff0000 broadcast 10.1.255.255
        inet6 fe80::21d:fff:fec4:3f8e%rl0 prefixlen 64 scopeid 0x2
rl1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:13:46:28:7f:db
        priority: 0
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 172.16.2.5 netmask 0xffffff00 broadcast 172.16.2.255
        inet6 fe80::213:46ff:fe28:7fdb%rl1 prefixlen 64 scopeid 0x3
enc0: flags=0<>
        priority: 0
        groups: enc
        status: active
pfsync0: flags=41<UP,RUNNING> mtu 1500
        priority: 0
        pfsync: syncdev: rl0 maxupd: 128 defer: off
        groups: carp pfsync
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33200
        priority: 0
        groups: pflog
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        priority: 0
        carp: BACKUP carpdev xl0 vhid 1 advbase 1 advskew 100 carppeer 192.168.1.84
        groups: carp
        status: backup
        inet 192.168.1.33 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::200:5eff:fe00:101%carp0 prefixlen 64 scopeid 0x6
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:02
        priority: 0
        carp: BACKUP carpdev rl0 vhid 2 advbase 1 advskew 100 carppeer 10.1.1.5
        groups: carp
        status: backup
        inet 10.1.1.1 netmask 0xffff0000 broadcast 10.1.255.255
        inet6 fe80::200:5eff:fe00:102%carp1 prefixlen 64 scopeid 0x7
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:03
        priority: 0
        carp: BACKUP carpdev rl1 vhid 3 advbase 1 advskew 100 carppeer 172.16.2.4
        groups: carp
        status: backup
        inet 172.16.2.1 netmask 0xffffff00 broadcast 172.16.1.255
        inet6 fe80::200:5eff:fe00:103%carp2 prefixlen 64 scopeid 0x8
I don't understand why carp0, carp1 and carp2 switch every 5/10 seconds
between master and backup..... Is there some issue?
Thanks in advance
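The state tables above are hand-copied snapshots, and the thing that matters for a CARP pair is what happens between them: a host whose vhids disagree with each other (fw1 with carp0 INIT while carp1/carp2 are MASTER), and any window in which one vhid is MASTER on both boxes at once or on neither. The shell script below is an added example, not code from the poster or from OpenBSD; it parses `ifconfig` output in the format shown in the post ("carp: STATE carpdev DEV vhid N ...") and flags both conditions. The three samples are constructed to mirror the states reported above; in real use you would capture `ifconfig carp` on each firewall (for example over ssh, which is an assumption of how the reader collects it) and feed those dumps in instead.

```shell
#!/bin/sh
# Added example (not from the original post): parse OpenBSD-style `ifconfig carp`
# output and flag the two states a CARP pair should never show: a host whose
# vhids disagree with each other (a "split" like fw1's carp0 INIT / carp1 MASTER)
# and a vhid that is MASTER on both hosts or on neither.
# All samples below are constructed; they only mirror the states in the post.

# Constructed sample: fw1 after the xl0 cable is pulled (carp0 INIT, others MASTER).
FW1_SPLIT='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: INIT carpdev xl0 vhid 1 advbase 1 advskew 0 carppeer 192.168.1.85
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:02
        carp: MASTER carpdev rl0 vhid 2 advbase 1 advskew 0 carppeer 10.1.1.6
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:03
        carp: MASTER carpdev rl1 vhid 3 advbase 1 advskew 0 carppeer 172.16.2.5'

# Constructed sample: fw2 holding all three vhids (the state right after failover).
FW2_ALL_MASTER='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev xl0 vhid 1 advbase 1 advskew 100 carppeer 192.168.1.84
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev rl0 vhid 2 advbase 1 advskew 100 carppeer 10.1.1.5
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev rl1 vhid 3 advbase 1 advskew 100 carppeer 172.16.2.4'

# Constructed sample: fw2 after it has handed carp1/carp2 back to fw1.
FW2_MIXED='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev xl0 vhid 1 advbase 1 advskew 100 carppeer 192.168.1.84
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev rl0 vhid 2 advbase 1 advskew 100 carppeer 10.1.1.5
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev rl1 vhid 3 advbase 1 advskew 100 carppeer 172.16.2.4'

# carp_states "<ifconfig output>": one line per carp interface, "ifname vhid STATE".
carp_states() {
    printf '%s\n' "$1" | awk '
        /^carp[0-9]+:/  { ifn = $1; sub(/:$/, "", ifn) }
        /^[ \t]*carp: / { print ifn, $6, $2 }   # fields: carp: STATE carpdev DEV vhid N ...
    '
}

# carp_split_check "<ifconfig output>": exit 0 when every vhid on the host is in the
# same state, exit 1 when INIT/MASTER/BACKUP are mixed on one box.
carp_split_check() {
    carp_states "$1" | awk '{ seen[$3] = 1 } END { n = 0; for (s in seen) n++; exit (n > 1) }'
}

# carp_pair_check "<fw1 output>" "<fw2 output>": for each vhid present on both hosts,
# print "vhid STATE_A STATE_B verdict"; verdict is ok, dual-master or no-master.
carp_pair_check() {
    {
        carp_states "$1" | sed 's/^/A /'
        carp_states "$2" | sed 's/^/B /'
    } | awk '
        $1 == "A" { a[$3] = $4 }
        $1 == "B" { b[$3] = $4 }
        END {
            for (v in a) if (v in b) {
                verdict = "ok"
                if (a[v] == "MASTER" && b[v] == "MASTER") verdict = "dual-master"
                else if (a[v] != "MASTER" && b[v] != "MASTER") verdict = "no-master"
                print v, a[v], b[v], verdict
            }
        }' | sort -n
}

# Stand-alone run: both checks on the constructed samples.
echo "fw1 per-vhid state:"; carp_states "$FW1_SPLIT"
carp_split_check "$FW1_SPLIT" || echo "fw1: vhids disagree (split host)"
echo "fw1 vs fw2 (all MASTER):"; carp_pair_check "$FW1_SPLIT" "$FW2_ALL_MASTER"
echo "fw1 vs fw2 (after handback):"; carp_pair_check "$FW1_SPLIT" "$FW2_MIXED"
```

Against the first pair of samples the pair check reports vhid 2 and vhid 3 as dual-master, which is the window a 5/10-second polling loop by hand will never catch but which pfsync'd state and the hosts behind the shared 10.1.1.1/172.16.2.1 addresses will feel. Running `carp_split_check` on each host in a loop while the cable is out, and logging every transition with a timestamp, gives a record that can be lined up with the advbase/advskew and preempt settings posted above.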