On 2011-09-05, Mathieu Blanc <mathieu.bl...@smile.fr> wrote:

>>> So the ingoing traffic goes into bsd1, and the servers now use bsd2 to
>>> go out.
>>
>>> Is it not a problem? In terms of firewalling for example (keep state?
>>> will bsd2 authorize the traffic which is initiated by bsd1? maybe with
>>> the help of pfsync??)
>>
>> pfsync(4) can handle this if you use 'defer', see the pfsync manpage,
>> but this is normally only desirable for load-balancing.
>
> I read the manpage, and it seems to match exactly with what I want to do:
> "Where more than one firewall might actively handle packets, e.g. with
> certain ospfd(8), bgpd(8) or carp(4) configurations, it is beneficial to
> defer transmission of the initial packet of a connection. The pfsync
> state insert message is sent immediately; the packet is queued until
> either this message is acknowledged by another system, or a timeout has
> expired."
This is for load-sharing between 2 firewalls; you don't want it for a
typical setup with 1 active and 1 passive firewall as it delays things.

> If I take my previous example:
> Network A [interconnection with other routers] = 192.168.1.0/24
> (configured on em0, and carp0)

Presumably you are announcing the networks behind bsd1/bsd2 over ospf to
your other routers, so I don't think carp0 is useful.

> Network B [network with servers] = 172.16.1.0/24 (configured on em1, and
> carp1, used by servers for default gateway)
> em2 is for pfsync.
> The ospfd.conf is very simple.
>
> bsd1# ifconfig -A
>
> em0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST>
>         inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
> em1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST>
>         inet 172.16.1.1 netmask 0xffffff00 broadcast 172.16.1.255
> em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         inet 172.16.99.1 netmask 0xfffffffc broadcast 172.16.99.3
> pfsync0: flags=41<UP,RUNNING> mtu 1500
>         pfsync: syncdev: em2 syncpeer: 172.16.99.2 maxupd: 128 defer: off
> carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         carp: MASTER carpdev em0 vhid 170 advbase 1 advskew 80
>         inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255
> carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         carp: MASTER carpdev em1 vhid 171 advbase 1 advskew 120
>         inet 172.16.1.100 netmask 0xffffff00 broadcast 172.16.1.255
>
> bsd1# cat /etc/ospfd.conf
> area 0.0.0.0 {
>         interface em0
>         interface em1
>         interface carp0 { passive }
>         interface carp1 { passive }
> }

I would:

- remove "interface carp0 { passive }" from ospfd.conf
- remove "interface em1" from ospfd.conf
- ospfctl reload
- ifconfig carp0 destroy
- rm /etc/hostname.carp0
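As an added check that is not part of this thread, the POSIX sh functions below parse `ifconfig pfsync0` output for the `defer` setting and list the carp interfaces an ospfd.conf announces, then flag `defer: on` on an active/passive pair (where it only adds latency to every new connection) and any carp interface still present in ospfd.conf. The sample ifconfig and ospfd.conf text is constructed from the output quoted above; the function names and the "active-passive"/"active-active" mode labels are my own assumptions.

```shell
#!/bin/sh
# Constructed sample of `ifconfig pfsync0` output, modelled on the thread.
PFSYNC_SAMPLE='pfsync0: flags=41<UP,RUNNING> mtu 1500
        pfsync: syncdev: em2 syncpeer: 172.16.99.2 maxupd: 128 defer: off'

# Constructed sample ospfd.conf, as quoted in the thread.
OSPFD_SAMPLE='area 0.0.0.0 {
        interface em0
        interface em1
        interface carp0 { passive }
        interface carp1 { passive }
}'

# Print the pfsync defer setting ("on" or "off") from ifconfig output on stdin.
pfsync_defer_state() {
    sed -n 's/.*defer: \([a-z]*\).*/\1/p'
}

# Print every carp interface referenced by an ospfd.conf read on stdin.
ospfd_carp_interfaces() {
    sed -n 's/^[[:space:]]*interface[[:space:]]\{1,\}\(carp[0-9]\{1,\}\).*/\1/p'
}

# check_defer IFCONFIG_TEXT MODE: fail when defer is on but only one
# firewall forwards (MODE is "active-passive" or "active-active").
check_defer() {
    defer=$(printf '%s\n' "$1" | pfsync_defer_state)
    if [ "$defer" = on ] && [ "$2" = active-passive ]; then
        echo "WARN: pfsync defer is on; every new connection waits for the peer's ack"
        return 1
    fi
    echo "OK: pfsync defer=$defer for $2"
}

# check_ospfd_carp OSPFD_TEXT: fail when ospfd.conf still announces carp
# interfaces; with OSPF carrying the routes a carp address adds nothing.
check_ospfd_carp() {
    carps=$(printf '%s\n' "$1" | ospfd_carp_interfaces | tr '\n' ' ')
    if [ -n "$carps" ]; then
        echo "WARN: carp interfaces in ospfd.conf: $carps"
        return 1
    fi
    echo "OK: no carp interfaces in ospfd.conf"
}

# Stand-alone run against the constructed samples.
check_defer "$PFSYNC_SAMPLE" active-passive
check_ospfd_carp "$OSPFD_SAMPLE"
```

On a live box, feed `ifconfig pfsync0` and `/etc/ospfd.conf` into the two check functions instead of the samples.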