Re: carppeer question

2018-10-15 Thread Marko Cupać
On Fri, 12 Oct 2018 17:31:41 +0200
Marko Cupać  wrote:

> On Fri, 12 Oct 2018 11:56:28 +0200
> Marko Cupać  wrote:
> 
> > After introducing carppeer option I see incoming traffic on physical
> > interfaces of both MASTER and BACKUP firewalls, as opposed to the
> > situation without carppeer option, where I see incoming traffic on
> > physical interface of MASTER only.  
> 
> 
> I am aware this is quite a complex issue, presumably not related to
> OpenBSD itself but maybe to the switch (ATGS900MX). Still, I'd be very
> thankful for any advice on the matter.

The issue was apparently caused by the default spanning-tree configuration
of the switch. Once I configured the switch ports as "edgeports", by
means of 'spanning-tree portfast', the mac address table on the switch
updates instantly.

Thanks to everyone for standing by while I was figuring this out :)
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/



Re: carppeer question

2018-10-12 Thread Marko Cupać
On Fri, 12 Oct 2018 11:56:28 +0200
Marko Cupać  wrote:

> After introducing carppeer option I see incoming traffic on physical
> interfaces of both MASTER and BACKUP firewalls, as opposed to the
> situation without carppeer option, where I see incoming traffic on
> physical interface of MASTER only.

I hope I'm making some progress. For starters, I have set a static
non-multicast lladdr on each of my CARP interfaces (I have 3 of them: to
ISP1, to ISP2 and to DMZ). I am also monitoring the mac address table on
the switch which connects my firewalls to the above networks.

Failing over with carpdemote results in a clean failover, and the switch's
mac address table shows both physical and CARP lladdrs on the ports that
connect to the current MASTER, and only physical lladdrs on the ports that
connect to the current BACKUP.

However, rebooting BACKUP results in (in my opinion) a strange situation,
where the switch's mac address table shows only MASTER's physical lladdrs,
while the CARP lladdrs go missing. When BACKUP comes back, the lladdr of
one of the three CARP interfaces of MASTER (DMZ) appears immediately in
the switch's mac address table, while the other two don't - the respective
switch ports show only physical lladdrs. Then, after a few minutes,
another CARP lladdr (ISP1) shows up in the switch's mac address table, but
the third one (ISP2) continues to show the physical lladdr only, which
results in incoming traffic on the physical interfaces that connect to
ISP2 on both CARP members.

The situation seems to be self-healing when the designated BACKUP
(higher advskew) takes the MASTER role by increasing carpdemote on the
designated MASTER (lower advskew), and the designated MASTER (currently
BACKUP) reboots: the healing happens at the moment the designated MASTER
takes over the MASTER role.

But when the designated BACKUP gets restarted, switching roles does not
happen, MASTER stays MASTER, and the switch's mac address table never
updates the port with the CARP lladdr for ISP2.

I am aware this is quite a complex issue, presumably not related to
OpenBSD itself but maybe to the switch (ATGS900MX). Still, I'd be very
thankful for any advice on the matter.

Regards,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
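The two mails above describe one mechanism from two sides: the 2018-10-12 mail observes that once the CARP lladdr vanishes from the switch's MAC address table, inbound traffic shows up on the physical interfaces of both CARP members, and the 2018-10-15 mail finds that declaring the firewall ports as edge ports (spanning-tree portfast) makes the table update instantly. The following learning-switch model is an added example, not code from the thread or from OpenBSD, that replays that sequence: a port flap on a non-edge port triggers an STP topology change that flushes stale entries, and the switch then floods unknown-unicast frames for the CARP lladdr to every port until the MASTER sources a frame with it again. All MAC addresses, port names and timings are constructed for the illustration; the `LearningSwitch` class and `run_scenario` function are hypothetical names.

```python
"""Learning-switch model of the MAC address table behaviour described in
this thread.  Added example, not code from the original mails or from
OpenBSD; all MAC addresses and port names below are constructed.

A switch learns the source MAC of every frame on its ingress port and
floods frames for an unknown destination MAC out of every other port.
If the entry for the CARP virtual lladdr disappears (for instance after
an STP topology change triggered by the BACKUP's port going down and
up), inbound frames for the CARP address reach the physical interfaces
of BOTH firewalls until the MASTER sources a frame with that lladdr
again.  Declaring the firewall ports as edge ports (portfast) avoids the
topology change in the first place.
"""

from dataclasses import dataclass, field

CARP_MAC = "00:00:5e:00:01:01"  # constructed: CARP virtual lladdr (vhid 1)
FW1_MAC = "02:00:00:00:00:01"   # constructed: MASTER physical lladdr
FW2_MAC = "02:00:00:00:00:02"   # constructed: BACKUP physical lladdr
ISP_MAC = "02:00:00:00:00:aa"   # constructed: upstream router


@dataclass
class Entry:
    port: str
    learned_at: int  # simulated clock, seconds


@dataclass
class LearningSwitch:
    ports: list
    edge_ports: set = field(default_factory=set)
    aging: int = 300  # typical default MAC aging time, seconds
    now: int = 0
    table: dict = field(default_factory=dict)

    def advance(self, seconds):
        """Move the simulated clock and expire entries older than `aging`."""
        self.now += seconds
        self.table = {m: e for m, e in self.table.items()
                      if self.now - e.learned_at < self.aging}

    def topology_change(self, fast_aging=15):
        """Model an STP topology-change notification: 802.1D bridges cut
        the aging time to the forward delay (15 s by default), so entries
        not refreshed within that window are flushed."""
        self.table = {m: e for m, e in self.table.items()
                      if self.now - e.learned_at < fast_aging}

    def link_event(self, port):
        """A port going down/up.  On a non-edge port STP signals a
        topology change; an edge port (portfast) does not."""
        if port not in self.edge_ports:
            self.topology_change()

    def receive(self, in_port, src_mac, dst_mac):
        """Learn src_mac on in_port and return the list of egress ports."""
        self.table[src_mac] = Entry(in_port, self.now)
        entry = self.table.get(dst_mac)
        if entry is None:
            # Unknown unicast: flood out of every port but the ingress one.
            return [p for p in self.ports if p != in_port]
        return [entry.port]

    def snapshot(self):
        """MAC -> port view of the table, like 'show mac address-table'."""
        return {m: e.port for m, e in self.table.items()}


def run_scenario(edge_ports=()):
    """Replay the thread's sequence: steady state, BACKUP reboot, recovery.
    Returns the egress ports chosen for inbound traffic at each stage plus
    a table snapshot taken right after the BACKUP comes back."""
    sw = LearningSwitch(ports=["uplink", "fw1", "fw2"],
                        edge_ports=set(edge_ports))
    seen = {}
    # MASTER (fw1) sources frames with its physical and its CARP lladdr.
    sw.receive("fw1", FW1_MAC, ISP_MAC)
    sw.receive("fw1", CARP_MAC, ISP_MAC)
    # Inbound traffic for the CARP address reaches the MASTER's port only.
    seen["steady_state"] = sw.receive("uplink", ISP_MAC, CARP_MAC)
    # BACKUP (fw2) reboots a minute later: its port flaps, then it comes
    # back and sources a frame with its physical lladdr only.
    sw.advance(60)
    sw.link_event("fw2")
    sw.receive("fw2", FW2_MAC, ISP_MAC)
    seen["after_backup_reboot"] = sw.receive("uplink", ISP_MAC, CARP_MAC)
    seen["table_after_backup_reboot"] = sw.snapshot()
    # MASTER sources another frame with the CARP lladdr; entry relearned.
    sw.receive("fw1", CARP_MAC, ISP_MAC)
    seen["relearned"] = sw.receive("uplink", ISP_MAC, CARP_MAC)
    return seen


if __name__ == "__main__":
    print("default STP :", run_scenario())
    print("edge ports  :", run_scenario(edge_ports={"fw1", "fw2"}))
```

With default STP behaviour the run shows exactly what the 2018-10-12 mail reports: after the BACKUP reboot the table holds only physical lladdrs and the inbound frame is flooded to both `fw1` and `fw2`. With both firewall ports declared edge ports the flap produces no topology change, the CARP entry survives, and inbound traffic keeps going to the MASTER's port only. The model deliberately ignores why the MASTER might not refresh the entry on its own; it only shows what the switch does while the entry is absent.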