Tried to play a bit with this setup? Like, shutting down fw1 and see what happens? Ping from client-side and tcpdump on both machines???
NO?! You should.

//mxb

On 15 okt 2012, at 11:33, Indunil Jayasooriya <induni...@gmail.com> wrote:

> Hi list,
>
> I configured CARP - Active/Active. ( Things work )
>
> I have a question. When both are Active/Active, both should work
> simultaneously by balancing traffic.
>
> Am I right?
>
> But, ifconfig on fw1 says *status: master* and ifconfig on fw2 says
> *status: backup*
>
> Pls see the output of both fw1 and fw2
>
> *on fw1*
>
> carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 01:00:5e:00:01:01
>         priority: 0
>         carp: carpdev em0 advbase 1 balancing ip
>                 state MASTER vhid 1 advskew 0
>                 state BACKUP vhid 2 advskew 100
>         groups: carp
>         status: master
>         inet6 fe80::a00:27ff:fe05:3294%carp1 prefixlen 64 scopeid 0x7
>         inet 192.168.0.100 netmask 0xffffff00 broadcast 192.168.0.255
>
> *on fw2*
>
> carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 01:00:5e:00:01:01
>         priority: 0
>         carp: carpdev em0 advbase 1 balancing ip
>                 state BACKUP vhid 1 advskew 100
>                 state MASTER vhid 2 advskew 0
>         groups: carp
>         status: backup
>         inet6 fe80::a00:27ff:fe14:3690%carp1 prefixlen 64 scopeid 0x7
>         inet 192.168.0.100 netmask 0xffffff00 broadcast 192.168.0.255
>
> Why is that?
>
> When *status is master and backup*, do these 2 nodes ( fw1 and fw2 ) work
> simultaneously by balancing traffic? And if one node goes down, does 100% of
> the traffic go via the running node?
>
> That's what I want to achieve.
>
> Pls let me know.
>
> Here's the HOW TO I performed.
>
> CARP - Active/Active configuration ( CARP, pfsync, PF and relayd )
>
>     ------                  ------
>     | fw1 |-em1----------em1-| fw2 |
>     +-----+                  +-----+
>     em0|                        |em0
>        |                        |
>     ---+-------Shared LAN-------+---
>
> fw1
>   em0 - 192.168.0.10
>   em1 - 192.168.9.67 ( for pfsync )
>
> fw2
>   em0 - 192.168.0.11
>   em1 - 192.168.9.68 ( for pfsync )
>
> carp1 - LAN shared IP: 192.168.0.100
>
> on fw1
>
> # hostname
> fw1.example.com
>
> # cat /etc/hostname.em0
> inet 192.168.0.10 255.255.255.0
>
> # cat /etc/hostname.em1
> inet 192.168.9.67 255.255.255.0
>
> on fw2
>
> # hostname
> fw2.example.com
>
> # cat /etc/hostname.em0
> inet 192.168.0.11 255.255.255.0
>
> # cat /etc/hostname.em1
> inet 192.168.9.68 255.255.255.0
>
> net.inet.ip.forwarding=1 in /etc/sysctl.conf on both fw1 and fw2 with
> below command
>
> sysctl -w net.inet.ip.forwarding=1
>
> Edit net.inet.ip.forwarding=1 in /etc/sysctl.conf file in this way
>
> # less /etc/sysctl.conf |grep net.inet.ip.forwarding=1
> net.inet.ip.forwarding=1        # 1=Permit forwarding (routing) of IPv4 packets
>
> Configure fw1:
>
> ! enable preemption and group interface failover
> # sysctl -w net.inet.carp.preempt=1
>
> Uncomment net.inet.carp.preempt=1 in /etc/sysctl.conf in this way
>
> # less /etc/sysctl.conf |grep net.inet.carp.preempt=1
> net.inet.carp.preempt=1         # 1=Enable carp(4) preemption
>
> ! configure pfsync
> # ifconfig em1 192.168.9.67 netmask 255.255.255.0
> # ifconfig pfsync0 syncdev em1
> # ifconfig pfsync0 up
>
> ! configure CARP on the LAN side
> # ifconfig carp1 create
> # ifconfig carp1 192.168.0.100/24 carpnodes 1:0,2:100 balancing ip \
>         pass lanpasswd
>
> vi /etc/hostname.carp1
> inet 192.168.0.100 255.255.255.0 192.168.0.255 carpnodes 1:0,2:100 balancing ip pass lanpasswd
>
> vi /etc/hostname.pfsync0
> up syncdev em1
>
> Configure fw2:
>
> ! enable preemption and group interface failover
> # sysctl -w net.inet.carp.preempt=1
>
> Uncomment net.inet.carp.preempt=1 in /etc/sysctl.conf in this way
>
> # less /etc/sysctl.conf |grep net.inet.carp.preempt=1
> net.inet.carp.preempt=1         # 1=Enable carp(4) preemption
>
> ! configure pfsync
> # ifconfig em1 192.168.9.68 netmask 255.255.255.0
> # ifconfig pfsync0 syncdev em1
> # ifconfig pfsync0 up
>
> ! configure CARP on the LAN side
> # ifconfig carp1 create
> # ifconfig carp1 192.168.0.100/24 carpnodes 1:100,2:0 balancing ip \
>         pass lanpasswd
>
> vi /etc/hostname.carp1
> inet 192.168.0.100 255.255.255.0 192.168.0.255 carpnodes 1:100,2:0 balancing ip pass lanpasswd
>
> vi /etc/hostname.pfsync0
> up syncdev em1
>
> Scp pf.conf and relayd.conf files to fw2 from fw1
>
> # hostname
> fw1.example.com
>
> # cd /etc/
> # scp pf.conf relayd.conf root@192.168.0.11:/etc/
> root@192.168.0.11's password:
> pf.conf                                       100% 1584     1.6KB/s   00:00
> relayd.conf
>
> Pls run below command on both nodes ( fw1 and fw2 )
>
> # pfctl -f /etc/pf.conf
> # relayd
>
> # pfctl -sr
> anchor "relayd/*" all
> pass on em1 proto pfsync all
> pass on em1 proto carp all
> pass on em0 proto carp all
> pass log all flags S/SA
>
> # relayctl show summary
> Id   Type      Name                      Avlblty  Status
> 1    relay     www                                active
> 1    table     servers:80                         active (2 hosts)
> 1    host      192.168.0.66              2.94%    up
> 2    host      192.168.0.67              3.92%    up
> 2    relay     smtp                               active
> 2    table     servers:25                         active (2 hosts)
> 3    host      192.168.0.66              2.94%    up
> 4    host      192.168.0.67              3.92%    up
> 3    relay     pop3                               active
> 3    table     servers:110                        active (2 hosts)
> 5    host      192.168.0.66              3.92%    up
> 6    host      192.168.0.67              4.90%    up
>
> =========
>
> Working files
>
> # ls -al /etc/pf.conf
> -rw-------  1 root  wheel  1584 Aug 16 20:10 /etc/pf.conf
>
> # ls -al /etc/relayd.conf
> -rw-------  1 root  wheel  684 Aug 17 13:57 /etc/relayd.conf
>
> # cat /etc/pf.conf
> #       $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
> #
> # See pf.conf(5) for syntax and examples.
> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>
> ext_if="em0"
> pfsync_if="em1"
>
> servers = "{ 192.168.0.66, 192.168.0.67 }"
>
> set skip on lo
>
> # filter rules and anchor for ftp-proxy(8)
> #anchor "ftp-proxy/*"
> #pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
>
> # anchor for relayd(8)
> anchor "relayd/*"
>
> pass on em1 proto pfsync
> pass on { em0 em1 } proto carp
>
> ##END
>
> pass log                # to establish keep-state
>
> # rules for spamd(8)
> #table <spamd-white> persist
> #table <nospamd> persist file "/etc/mail/nospamd"
> #pass in on egress proto tcp from any to any port smtp \
> #    rdr-to 127.0.0.1 port spamd
> #pass in on egress proto tcp from <nospamd> to any port smtp
> #pass in log on egress proto tcp from <spamd-white> to any port smtp
> #pass out log on egress proto tcp to any port smtp
>
> #block in quick from urpf-failed to any     # use with care
>
> # By default, do not permit remote connections to X11
> #block in on ! lo0 proto tcp to port 6000:6010
>
> # cat /etc/relayd.conf
> #       $OpenBSD: relayd.conf,v 1.14 2011/04/07 13:33:52 reyk Exp $
> #
> # Macros
> #
>
> ext_addr="192.168.0.100"
> webhost1="192.168.0.66"
> webhost2="192.168.0.67"
>
> table <servers> { $webhost1 $webhost2 }
>
> relay www {
>         listen on $ext_addr port 80
>         forward to <servers> port 80 mode loadbalance check tcp
>         #forward to <servers> port 80 mode roundrobin check tcp
> }
>
> relay smtp {
>         listen on $ext_addr port 25
>         forward to <servers> port 25 mode loadbalance check tcp
>         #forward to <servers> port 25 mode roundrobin check tcp
> }
>
> relay pop3 {
>         listen on $ext_addr port 110
>         forward to <servers> port 110 mode loadbalance check tcp
>         #forward to <servers> port 110 mode roundrobin check tcp
> }
>
> # hostname
> fw1.example.com
>
> # ifconfig
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33152
>         priority: 0
>         groups: lo
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
>         inet 127.0.0.1 netmask 0xff000000
> em0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 08:00:27:05:32:94
>         priority: 0
>         groups: egress
>         media: Ethernet autoselect (1000baseT full-duplex)
>         status: active
>         inet 192.168.0.10 netmask 0xffffff00 broadcast 192.168.0.255
>         inet6 fe80::a00:27ff:fe05:3294%em0 prefixlen 64 scopeid 0x1
> em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 08:00:27:6b:5b:6a
>         priority: 0
>         media: Ethernet autoselect (1000baseT full-duplex)
>         status: active
>         inet6 fe80::a00:27ff:fe6b:5b6a%em1 prefixlen 64 scopeid 0x2
>         inet 192.168.9.67 netmask 0xffffff00 broadcast 192.168.9.255
> enc0: flags=0<>
>         priority: 0
>         groups: enc
>         status: active
> pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33152
>         priority: 0
>         groups: pflog
> pfsync0: flags=41<UP,RUNNING> mtu 1500
>         priority: 0
>         pfsync: syncdev: em1 maxupd: 128 defer: off
>         groups: carp pfsync
> carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 01:00:5e:00:01:01
>         priority: 0
>         carp: carpdev em0 advbase 1 balancing ip
>                 state MASTER vhid 1 advskew 0
>                 state BACKUP vhid 2 advskew 100
>         groups: carp
>         status: master
>         inet6 fe80::a00:27ff:fe05:3294%carp1 prefixlen 64 scopeid 0x7
>         inet 192.168.0.100 netmask 0xffffff00 broadcast 192.168.0.255
>
> # hostname
> fw2.example.com
>
> # ifconfig
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33152
>         priority: 0
>         groups: lo
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
>         inet 127.0.0.1 netmask 0xff000000
> em0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 08:00:27:14:36:90
>         priority: 0
>         groups: egress
>         media: Ethernet autoselect (1000baseT full-duplex)
>         status: active
>         inet 192.168.0.11 netmask 0xffffff00 broadcast 192.168.0.255
>         inet6 fe80::a00:27ff:fe14:3690%em0 prefixlen 64 scopeid 0x1
> em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 08:00:27:b1:84:2d
>         priority: 0
>         media: Ethernet autoselect (1000baseT full-duplex)
>         status: active
>         inet6 fe80::a00:27ff:feb1:842d%em1 prefixlen 64 scopeid 0x2
>         inet 192.168.9.68 netmask 0xffffff00 broadcast 192.168.9.255
> enc0: flags=0<>
>         priority: 0
>         groups: enc
>         status: active
> pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33152
>         priority: 0
>         groups: pflog
> pfsync0: flags=41<UP,RUNNING> mtu 1500
>         priority: 0
>         pfsync: syncdev: em1 maxupd: 128 defer: off
>         groups: carp pfsync
> carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 01:00:5e:00:01:01
>         priority: 0
>         carp: carpdev em0 advbase 1 balancing ip
>                 state BACKUP vhid 1 advskew 100
>                 state MASTER vhid 2 advskew 0
>         groups: carp
>         status: backup
>         inet6 fe80::a00:27ff:fe14:3690%carp1 prefixlen 64 scopeid 0x7
>         inet 192.168.0.100 netmask 0xffffff00 broadcast 192.168.0.255
>
> --
> Thank you
> Indunil Jayasooriya
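The quoted mail asks whether nodes reporting "status: master" and "status: backup" are really both carrying traffic. With `balancing ip` and two vhids, the per-vhid `state` lines of `ifconfig carp1` are what to compare against the configured `carpnodes` advskews: each vhid should have exactly one MASTER, and it should be the node with the lowest advskew for that vhid. The check below is an added example, not code from the thread; its sample input is the carp1 output and carpnodes settings quoted above, and the node names fw1/fw2 are taken from the mail.

```python
import re

# Constructed sample: the per-vhid lines of "ifconfig carp1" from each node, as quoted in the mail.
IFCONFIG = {
    "fw1": "state MASTER vhid 1 advskew 0\nstate BACKUP vhid 2 advskew 100",
    "fw2": "state BACKUP vhid 1 advskew 100\nstate MASTER vhid 2 advskew 0",
}
# The carpnodes argument from each node's hostname.carp1 in the mail.
CARPNODES = {"fw1": "1:0,2:100", "fw2": "1:100,2:0"}

STATE_RE = re.compile(r"^\s*state (MASTER|BACKUP|INIT) vhid (\d+) advskew (\d+)")


def parse_carp_states(text):
    """Return {vhid: state} from the carp stanza of ifconfig output."""
    return {int(m.group(2)): m.group(1)
            for m in map(STATE_RE.match, text.splitlines()) if m}


def expected_masters(carpnodes_by_node):
    """{vhid: node} that should win each election: lowest advskew per vhid.
    Raises on a tie, because then the outcome depends on timing, not config."""
    by_vhid = {}
    for node, spec in carpnodes_by_node.items():
        for item in spec.split(","):
            vhid, skew = (int(x) for x in item.split(":"))
            by_vhid.setdefault(vhid, []).append((skew, node))
    winners = {}
    for vhid, entries in by_vhid.items():
        entries.sort()
        if len(entries) > 1 and entries[0][0] == entries[1][0]:
            raise ValueError(f"vhid {vhid}: equal advskew on two nodes")
        winners[vhid] = entries[0][1]
    return winners


def observed_masters(ifconfig_by_node):
    """{vhid: node} currently MASTER; raises if two nodes claim the same vhid."""
    masters = {}
    for node, text in ifconfig_by_node.items():
        for vhid, state in parse_carp_states(text).items():
            if state == "MASTER":
                if vhid in masters:
                    raise ValueError(f"vhid {vhid}: MASTER on both {masters[vhid]} and {node}")
                masters[vhid] = node
    return masters


def is_active_active(ifconfig_by_node, carpnodes_by_node):
    """True when every vhid is held by its configured winner and the masters span more than one node."""
    got = observed_masters(ifconfig_by_node)
    return got == expected_masters(carpnodes_by_node) and len(set(got.values())) > 1
```

After shutting down fw1 as the reply suggests, feed the fresh `ifconfig carp1` output of fw2 to `observed_masters`: it should now hold both vhids, and `is_active_active` correctly reports False until fw1 is back and preempts vhid 1.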