On Wednesday, 12 September 2018 20:49, Stuart Henderson <s...@spacehopper.org> wrote:
> On 2018-09-11, Tim Jones <b631093f-779b-4d67-9ffe-5f6d5b1d3...@protonmail.ch> wrote:
> >
> > I've had a quick look through the man pages and am still a bit unclear,
> > perhaps I'm just overthinking this ?
> >
> > Let's say I've got two perimeter "firewalls" running OpenBSD, talking BGP
> > to upstream routers.
> >
> > On the "LAN" side I'm thinking about CARP, which is active/passive, and the
> > devices on "LAN" side will have the CARP set as their default gateway.
> >
> > If both BGP talkers advertise the "LAN" to the upstreams (i.e. "network
> > 192.0.2.0/24" in bgpd.conf), how does that work in terms of reachability
> > from the device that is currently CARP passive ?
> >
> > The man pages mention two CARP related configuration options for bgpd.conf
> > but these don't seem to cater for the application I'm thinking of ? (i.e.
> > "demote" is more related to waiting until BGP is established, and "depend
> > on" is related to staying in idle if CARP is passive, which is obviously
> > not an attractive idea as I'd obviously like both upstreams BGP sessions
> > active ? ).
>
> If both are advertising the same prefixes, packets could arrive at
> either router, so to do this you'll need an IP address on the "carpdev
> interface" i.e. the interface that carp is running over.
>
> PF does TCP sequence number checking, so to avoid problems there you'll
> also need one of the following
>
> - not use PF
> - use PF rules with "keep state (sloppy)"
> - use pfsync(4) with the "defer" flag
>
> Alternatively maybe you could control advertising the network by not
> listing it in config, but use "bgpctl network" commands from ifstated or
> similar, that way directing traffic towards the correct machine. Either
> advertise with low localpref when you have carp backup and switch to
> high localpref when you have master. Or (probably only really useful
> within your own network) advertise the whole lan all the time, but also
> advertise deaggregates from the machine with carp master.
Thank you Stuart! Based on your comments I've just spent a bit of time with ifstated and it seems that was the missing link. Fails over nicely now with both BGP instances advertising but changing prefs.
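The ifstated approach Stuart suggests and Tim adopted, written out as an added example that is not from the thread: an ifstated.conf that watches carp0 and re-announces the LAN prefix via bgpctl with a different localpref on each CARP transition (the interface name carp0, the 192.0.2.0/24 prefix from the question, and the localpref values 200/50 are assumptions).

```conf
# /etc/ifstated.conf -- added example, not from the original thread.
# Assumes carp0 carries the LAN gateway address and that 192.0.2.0/24 is
# NOT listed as a "network" statement in bgpd.conf, so ifstated alone
# controls the announcement. For carp(4) interfaces ifstated reports the
# link as "up" while master and "down" while backup.

init-state auto

carp_master = "carp0.link.up"

# Pick the right state at startup instead of assuming one.
state auto {
	if $carp_master
		set-state master
	if ! $carp_master
		set-state backup
}

# CARP master: announce the LAN with a high localpref so this router
# is the one that attracts inbound traffic.
state master {
	init {
		run "bgpctl network add 192.0.2.0/24 set localpref 200"
	}
	if ! $carp_master
		set-state backup
}

# CARP backup: keep the session established and keep announcing, but
# with a low localpref, so this router is only used if the master's
# announcement goes away. Re-announcing the same prefix with new
# attributes replaces the earlier announcement; no withdraw is needed.
state backup {
	init {
		run "bgpctl network add 192.0.2.0/24 set localpref 50"
	}
	if $carp_master
		set-state master
}

# Caveat: localpref is only carried inside your own AS (iBGP). Towards
# an eBGP upstream substitute the attribute that upstream honours, for
# example "set prepend-self 3" on the backup, or a community they act on.
```

Enable it with `rcctl enable ifstated`; as noted above, bgpd still needs an address on the carpdev interface, and pf needs `keep state (sloppy)` or pfsync `defer` so asymmetric TCP flows through the backup are not dropped.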