On 03/09/2011 12:35, Stuart Henderson wrote:
On 2011-09-02, Mathieu BLANC <mathieu.bl...@smile.fr> wrote:
I set this up, *and it seems to work well.*
Routers in network A see 2 routes to Network B: bsd1 and bsd2.
For example:
First route: bsd1
Second route: bsd2

bsd1 is the master carp on network B.
So the incoming traffic goes to bsd1, and the servers in B use their
gateway -> bsd1.

But if I do (manually) a carpdemote on bsd1, the carp master will
switch to bsd2, but on the ospf side, the route will remain the same on
the routers in A.

So the incoming traffic goes into bsd1, and the servers now use bsd2 to
go out.

Isn't it a problem? In terms of firewalling, for example (keep state?
will bsd2 authorize the traffic which is initiated by bsd1? maybe with
the help of pfsync?)

pfsync(4) can handle this if you use 'defer', see the pfsync manpage,
but this is normally only desirable for load-balancing.

I read the manpage, and it seems to match exactly what I want to do:
"Where more than one firewall might actively handle packets, e.g. with
certain ospfd(8), bgpd(8) or carp(4) configurations, it is beneficial to
defer transmission of the initial packet of a connection. The pfsync
state insert message is sent immediately; the packet is queued until
either this message is acknowledged by another system, or a timeout has
expired."


In the situation you describe, the network A should send all of
network B's traffic to whichever machine is currently carp master.
For this setup you need to:-

1. have the subnet (not a /32) configured on the carpXX interface
2. use 'interface carpXX { passive }' in ospfd.conf

If this doesn't help, please show ospfd.conf files and 'ifconfig -A'
output.

I'm not sure I understand, sorry.

Here is my test conf (exactly the same as in prod, but with private networks).

If I take my previous example:
Network A [interconnection with other routers] = 192.168.1.0/24 (configured on em0, and carp0)
Network B [network with servers] = 172.16.1.0/24 (configured on em1, and carp1, used by servers for default gateway)
em2 is for pfsync.
The ospfd.conf is very simple.

bsd1# ifconfig -A
em0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:b3:c7:18
        priority: 0
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
em1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:b3:c7:19
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 172.16.1.1 netmask 0xffffff00 broadcast 172.16.1.255
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:b3:c7:1c
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
        inet 172.16.99.1 netmask 0xfffffffc broadcast 172.16.99.3
pfsync0: flags=41<UP,RUNNING> mtu 1500
        priority: 0
        pfsync: syncdev: em2 syncpeer: 172.16.99.2 maxupd: 128 defer: off
        groups: carp pfsync
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:aa
        priority: 0
        carp: MASTER carpdev em0 vhid 170 advbase 1 advskew 80
        groups: carp
        status: master
        inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:ab
        priority: 0
        carp: MASTER carpdev em1 vhid 171 advbase 1 advskew 120
        groups: carp
        status: master
        inet 172.16.1.100 netmask 0xffffff00 broadcast 172.16.1.255

bsd1# cat /etc/ospfd.conf
area 0.0.0.0 {
        interface em0
        interface em1
        interface carp0 { passive }
        interface carp1 { passive }
}

bsd2 is exactly the same (with different ip address on em0/em1/em2 and backup carp).

This setup works quite well (I see 2 routes to the 172.16.1.0/24 network in my other routers: via bsd1 and bsd2). What I wanted to do is to have just one route, to 192.168.1.100. But I don't know if it's possible.
If not, I'll destroy the carp0 interface, and use defer in pfsync.

Thanks in advance :-)

Mathieu.
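As an added example (not from the thread, and not OpenBSD code), a small Python checker that parses the `ifconfig -A` output posted above and flags the two points raised in the discussion: a pfsync interface running with `defer: off`, and a carp interface carrying a /32 rather than the subnet ospfd should advertise. The pfsync0/carp0/carp1 stanzas are copied from bsd1's output; the /32 variant is constructed to show the failing case.

```python
import re

# Sample: the pfsync0/carp0/carp1 stanzas from bsd1's `ifconfig -A` output in the thread.
SAMPLE = """\
pfsync0: flags=41<UP,RUNNING> mtu 1500
        pfsync: syncdev: em2 syncpeer: 172.16.99.2 maxupd: 128 defer: off
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em0 vhid 170 advbase 1 advskew 80
        inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em1 vhid 171 advbase 1 advskew 120
        inet 172.16.1.100 netmask 0xffffff00 broadcast 172.16.1.255
"""
# Constructed variant: carp1 carries a /32 instead of the subnet (the case Stuart warns about).
SAMPLE_SLASH32 = SAMPLE.replace("inet 172.16.1.100 netmask 0xffffff00",
                                "inet 172.16.1.100 netmask 0xffffffff")

def parse_ifconfig(text):
    """Split OpenBSD `ifconfig -A` output into {ifname: [indented property lines]}."""
    ifaces, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+): flags=", line)
        if m:
            current = m.group(1)
            ifaces[current] = []
        elif current is not None and line[:1].isspace():
            ifaces[current].append(line.strip())
    return ifaces

def check_ha_config(text):
    """Return findings for the two misconfigurations discussed in the thread."""
    findings = []
    for name, props in parse_ifconfig(text).items():
        joined = " ".join(props)
        # Without 'defer', the first packet of a connection is forwarded before the
        # peer has acknowledged the state insert (see pfsync(4)), so the reply can
        # hit a firewall that does not yet hold the state.
        if name.startswith("pfsync") and "defer: off" in joined:
            findings.append(f"{name}: defer is off; peer may see reply traffic before it holds the state")
        # ospfd only advertises the subnet via carpXX when the subnet, not a /32, is on it.
        m = re.search(r"inet (\S+) netmask (0x[0-9a-fA-F]+)", joined)
        if name.startswith("carp") and m and int(m.group(2), 16) == 0xFFFFFFFF:
            findings.append(f"{name}: {m.group(1)} is a /32; configure the subnet on the carp interface")
    return findings

if __name__ == "__main__":
    for label, sample in (("as posted", SAMPLE), ("carp1 as /32", SAMPLE_SLASH32)):
        print(label, check_ha_config(sample) or ["no findings"])
```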
