Re: CARP and transit network to ISP

2012-10-02 Thread Jason Healy
On Oct 1, 2012, at 7:42 PM, Henning Brauer lists-open...@bsws.de wrote:

> that is some time ago?

Yes, it was.  We were probably still running 4.3 (or so) when we made the
change to having the ISP hand everything off to a single address.

Jason

--
Jason Healy|jhe...@logn.net|   http://www.logn.net/



Re: CARP and transit network to ISP

2012-10-01 Thread Henning Brauer
* Jason Healy jhe...@logn.net [2012-08-22 03:37]:
> We used to have a direct handoff (ISP router was on the same subnet as our IP
> range) and we explicitly requested a transit network.  We were using CARP
> aliases for the /23 that we had, and it was affecting performance.

that is some time ago?

> From my understanding, each alias is a virtual interface,

no.

> and interfaces are searched in linear order when matching for
> firewall rules.

err... oversimplifying.
there are multiple points where the number of addresses (interfaces
less so) matters. one surprisingly expensive point was the "is the
packet destined for the local machine" decision. that used to be
pretty expensive, but I optimized that some time ago and it should be
pretty cheap and foremost close to constant right now.
the pf side is another topic, but should not be expensive either.

> By changing to a /30 transit and doing away with the aliases, performance on
> the OpenBSD box improved substantially.  We now have CARP answer for our end
> of the /30, so it just answers for one address.  All other
> routing/NAT/firewalling is done using PF and static routes, and the
> performance there is much better.

again, it matters a lot when (i. e. what release) you did that. things
changed. I don't remember the exact release, but roughly 2 years ago.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



Re: CARP and transit network to ISP

2012-08-26 Thread Jason Healy
On Aug 22, 2012, at 3:52 AM, Tobias Crefeld wrote:

> Not sure if I understand you right: did you move the /23 to another
> Ethernet interface when establishing the transit network (/30)?

No, we replaced it.  We use NAT for all of our public IP addresses, so we
didn't have to reassign anything; the NAT section of the PF ruleset continued
to handle everything.  The CARP interface used to have all of the /23 assigned
as aliases, but now it just has the endpoint of the /30 assigned and our ISP
routes all traffic for the /23 to that interface as its next hop.

To make that more concrete, here is what our interfaces used to look like
(numbers changed to protect the guilty):

== begin hostname.carp2 ==
up vhid 3 pass Redacted carpdev vlan1234 advskew 0 description CARP: WAN
# 192.168.0.1 reserved by ISP for router address
inet alias 192.168.0.2 255.255.255.255
inet alias 192.168.0.3 255.255.255.255
inet alias 192.168.0.4 255.255.255.255
# ... 0.5 - 0.255 and 1.0 - 1.253 omitted for brevity
inet alias 192.168.1.254 255.255.255.255
== end hostname.carp2 ==

The ISP claimed the lowest address (.1) for their router and we aliased the
remaining addresses in the /23.

After the changeover, the CARP device looked like this:

== begin hostname.carp2 ==
inet 10.0.0.2 255.255.255.252 10.0.0.1 vhid 3 pass Redacted carpdev vlan1234 advskew 0 description CARP: WAN
== end hostname.carp2 ==

10.0.0.0/30 is the new transit network, with the ISP claiming the smallest
address (.1) and us getting the largest (.2).  The ISP now routes our
192.168.0.0/23 to 10.0.0.2 as the next-hop.  Our box NATs the /23 to our
internal LAN.

Jason

--
Jason Healy|jhe...@logn.net|   http://www.logn.net/



Re: CARP and transit network to ISP

2012-08-22 Thread Tobias Crefeld
On Tue, 21 Aug 2012 21:28:27 -0400, Jason Healy jhe...@logn.net wrote:

> By changing to a /30 transit and doing away with the aliases,
> performance on the OpenBSD box improved substantially.

Not sure if I understand you right: did you move the /23 to another
Ethernet interface when establishing the transit network (/30)?

RU,
 Tobias.



Re: CARP and transit network to ISP

2012-08-21 Thread Jason Healy
On Aug 17, 2012, at 10:39 AM, Tobias Crefeld wrote:

> Any idea how to deal with this issue? Or should we try to discuss with
> the ISP to leave out this transit network?

We used to have a direct handoff (ISP router was on the same subnet as our IP
range) and we explicitly requested a transit network.  We were using CARP
aliases for the /23 that we had, and it was affecting performance.  From my
understanding, each alias is a virtual interface, and interfaces are searched
in linear order when matching for firewall rules.

By changing to a /30 transit and doing away with the aliases, performance on
the OpenBSD box improved substantially.  We now have CARP answer for our end
of the /30, so it just answers for one address.  All other
routing/NAT/firewalling is done using PF and static routes, and the
performance there is much better.

Jason

--
Jason Healy|jhe...@logn.net|   http://www.logn.net/



Re: CARP and transit network to ISP

2012-08-19 Thread Stuart Henderson
On 2012-08-17, Tobias Crefeld t...@cataneo.eu wrote:
> Can anyone give me a hint how to set up a pair of CARPed firewall
> machines to access an ISP via a direct Ethernet link (fiber)? He
> assigned us a customer network (/29) and a transit network (/30) to
> connect our (customer) network with his backbone without an extra router
> machine.

Sounds like you already know how to do this:-

> All (active) addresses of the customer network should become
> aliases of the CARP-interface (firewall is using NAT and proxies).

So put all active addresses as aliases of the CARP interface.



CARP and transit network to ISP

2012-08-17 Thread Tobias Crefeld
Can anyone give me a hint how to set up a pair of CARPed firewall
machines to access an ISP via a direct Ethernet link (fiber)? He
assigned us a customer network (/29) and a transit network (/30) to
connect our (customer) network with his backbone without an extra router
machine. All (active) addresses of the customer network should become
aliases of the CARP-interface (firewall is using NAT and proxies).

This setup is running fine on some of our sites, but there we always
have direct access to the backbone, without a transit network. I
understand that these transit networks are usually used in access
networks to insert a router machine between the customer network and the
backbone, but in this case we'd like to avoid this extra SPOF.

Any idea how to deal with this issue? Or should we try to discuss with
the ISP to leave out this transit network?

TIA,
 Tobias.



Re: CARP and transit network to ISP

2012-08-17 Thread Russell Garrison
I have set up a pair of gateways for a similar scenario where the
provider gave me /30 and an ethernet jack instead of providing a
router on-premises. This is what I did:

- Configured an interface on each machine to come up with no IP.
- Configured a carpdev to use the no-IP interface on each machine.
- Configured my IP from the /30 on the carpdev on each machine.

Other things included CARP on other interfaces like LAN and DMZ. In my
case those IP networks were large enough to allow me 1 CARP IP and an
IP for each gateway.

Not sure if that helps, but the best general advice is to draw a
picture of what you want. Read the FAQ/manpages to draft a config.
Test all that, and if you are like me, realize you didn't really want
bridge at the one place in the drawing and revise--repeat.  Good luck!
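Jason's before/after hostname.carp2 (one CARP address on the /30, the /23 routed to it and NATed) and Russell's three steps, written out as a complete two-firewall configuration. This is an added example, not configuration from either poster or from the OpenBSD project. It assumes current hostname.if(5) and pf.conf(5) syntax, em0 as the physical WAN port, em1 with 172.16.0.0/23 as the inside network, the thread's own placeholder addresses (10.0.0.0/30 transit with the ISP on .1, 192.168.0.0/23 customer block, vhid 3, carpdev vlan1234), and a made-up CARP password and published host.

```conf
# /etc/hostname.em0 (both firewalls) -- physical port to the ISP, no address
up

# /etc/hostname.vlan1234 (both firewalls) -- tagged WAN segment, still no address
vnetid 1234 parent em0 up

# /etc/hostname.carp2 on firewall A (master) -- the only address on the /30
inet 10.0.0.2 255.255.255.252 NONE vhid 3 pass MadeUpSecret carpdev vlan1234 advskew 0 description "CARP: WAN"

# /etc/hostname.carp2 on firewall B (backup) -- identical apart from advskew
inet 10.0.0.2 255.255.255.252 NONE vhid 3 pass MadeUpSecret carpdev vlan1234 advskew 100 description "CARP: WAN"

# /etc/mygate (both) -- ISP end of the transit; the ISP routes 192.168.0.0/23 to 10.0.0.2
10.0.0.1

# /etc/sysctl.conf (both)
net.inet.ip.forwarding=1
net.inet.carp.preempt=1

# /etc/pf.conf (excerpt, identical on both firewalls)
wan        = "carp2"
carpdev    = "vlan1234"
lan        = "em1"
public_net = "192.168.0.0/23"   # routed block; none of it is configured on an interface
lan_net    = "172.16.0.0/23"

set skip on lo
block drop log all

# CARP advertisements travel on the parent interface, not on carp2
pass on $carpdev proto carp

# Default for the routed /23: drop.  Nothing in it is a local address, so an
# unpublished destination would otherwise be forwarded back out toward the ISP.
block drop in on $wan inet to $public_net

# A published host (made-up): rewrite the public address before routing, then allow it
match in on $wan inet to 192.168.0.10 rdr-to 172.16.0.10
pass in on $wan inet proto tcp to 172.16.0.10 port { 80 443 }

# Outbound: hide the LAN behind one address from the /23 (also not assigned locally)
match out on $wan inet from $lan_net nat-to 192.168.0.5
pass out on $wan inet from $lan_net
pass in  on $lan inet from $lan_net
```

Because only the shared CARP address exists on the transit, neither box has an upstream address of its own, so administer them from the inside interface. Bringing up a second CARP group on the LAN side with the same preempt setting lets a LAN-side failure demote the WAN group as well.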