Ryan McBride wrote:
> On Mon, Mar 27, 2006 at 12:32:31PM +0900, Jason Stubbs wrote:
> > Same main question as in the last thread I posted to, but without any of
> > the distractions. Can a pair of redundant firewalls be used with
> > arpbalance without being affected by the "state race"?
> It should work fine with arpbalance, as there shouldn't be a "state
> race"; effectively each host is being served by only one firewall unless
> there is a failure.
To show exactly what is going on:
# hostname -s
fw1
# for x in /etc/hostname.carp*; do echo $x: $(<$x); done
/etc/hostname.carp0: inet 192.168.1.193 255.255.255.0 192.168.1.255 vhid 1 pass carp0dev carpdev fxp0 advskew 0
/etc/hostname.carp1: inet 192.168.1.193 255.255.255.0 192.168.1.255 vhid 2 pass carp0dev carpdev fxp0 advskew 100
/etc/hostname.carp2: inet 10.0.0.1 255.255.0.0 10.0.255.255 vhid 3 pass carp2dev carpdev em0 advskew 0
/etc/hostname.carp3: inet 10.0.0.1 255.255.0.0 10.0.255.255 vhid 4 pass carp2dev carpdev em0 advskew 100
# ifconfig | tail -n 16
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	carp: MASTER carpdev fxp0 vhid 1 advbase 1 advskew 0
	groups: carp
	inet 192.168.1.193 netmask 0xffffff00 broadcast 192.168.1.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	carp: BACKUP carpdev fxp0 vhid 2 advbase 1 advskew 100
	groups: carp
	inet 192.168.1.193 netmask 0xffffff00 broadcast 192.168.1.255
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	carp: MASTER carpdev em0 vhid 3 advbase 1 advskew 0
	groups: carp
	inet 10.0.0.1 netmask 0xffff0000 broadcast 10.0.255.255
carp3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	carp: BACKUP carpdev em0 vhid 4 advbase 1 advskew 100
	groups: carp
	inet 10.0.0.1 netmask 0xffff0000 broadcast 10.0.255.255
# sysctl net.inet.carp.{preempt,arpbalance}
net.inet.carp.preempt=1
net.inet.carp.arpbalance=1
# pfctl -s nat
rdr on fxp0 inet from any to 192.168.1.193 -> 10.0.1.1
# hostname -s
fw2
# for x in /etc/hostname.carp*; do echo $x: $(<$x); done
/etc/hostname.carp0: inet 192.168.1.193 255.255.255.0 192.168.1.255 vhid 1 pass carp0dev carpdev fxp0 advskew 100
/etc/hostname.carp1: inet 192.168.1.193 255.255.255.0 192.168.1.255 vhid 2 pass carp0dev carpdev fxp0 advskew 0
/etc/hostname.carp2: inet 10.0.0.1 255.255.0.0 10.0.255.255 vhid 3 pass carp2dev carpdev em0 advskew 100
/etc/hostname.carp3: inet 10.0.0.1 255.255.0.0 10.0.255.255 vhid 4 pass carp2dev carpdev em0 advskew 0
# ifconfig | tail -n 16
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	carp: BACKUP carpdev fxp0 vhid 1 advbase 1 advskew 100
	groups: carp
	inet 192.168.1.193 netmask 0xffffff00 broadcast 192.168.1.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	carp: MASTER carpdev fxp0 vhid 2 advbase 1 advskew 0
	groups: carp
	inet 192.168.1.193 netmask 0xffffff00 broadcast 192.168.1.255
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	carp: BACKUP carpdev em0 vhid 3 advbase 1 advskew 100
	groups: carp
	inet 10.0.0.1 netmask 0xffff0000 broadcast 10.0.255.255
carp3: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	carp: MASTER carpdev em0 vhid 4 advbase 1 advskew 0
	groups: carp
	inet 10.0.0.1 netmask 0xffff0000 broadcast 10.0.255.255
# sysctl net.inet.carp.{preempt,arpbalance}
net.inet.carp.preempt=1
net.inet.carp.arpbalance=1
# pfctl -s nat
rdr on fxp0 inet from any to 192.168.1.193 -> 10.0.1.1
Then from 10.0.1.1 (Linux box):
# arping -I br0 -c 1 10.0.0.1
ARPING 10.0.0.1 from 10.0.1.1 br0
Unicast reply from 10.0.0.1 [00:00:5E:00:01:04] 0.745ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)
Then from one box on the 192.168.1.0/24 side:
# arping -c 1 192.168.1.193; ping -c 1 192.168.1.193
ARPING 192.168.1.193 from 192.168.1.4 eth0
Unicast reply from 192.168.1.193 [00:00:5E:00:01:02] 0.638ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)
PING 192.168.1.193 (192.168.1.193) from 192.168.1.4 : 56(84) bytes of data.
64 bytes from 192.168.1.193: icmp_seq=0 ttl=63 time=376 usec
--- 192.168.1.193 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/mdev = 0.376/0.376/0.376/0.000 ms
But from a different box on the 192.168.1.0/24 side:
# arping -c 1 192.168.1.193; ping -c 1 192.168.1.193
ARPING 192.168.1.193 from 192.168.1.8 eth0
Unicast reply from 192.168.1.193 [00:00:5E:00:01:01] 1.175ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)
PING 192.168.1.193 (192.168.1.193) 56(84) bytes of data.
--- 192.168.1.193 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
The above doesn't surprise me so much. What surprises me is that I'm the
only one that seems to be having this problem. What am I missing here?
(If it's something really simple, feel free to berate me. ;)
--
Jason Stubbs
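The three arping results above can be correlated mechanically. This added script is not part of the thread: it parses the "carp:" lines of both ifconfig dumps, maps each CARP reply MAC (00:00:5e:00:01:<vhid>, the vhid being the last octet) to the firewall that is MASTER for that vhid, and reports whether an outside client and the inside server 10.0.1.1 are served by the same firewall. The ifconfig and arping data are copied from the post; the host names fw1/fw2 and the "same firewall both ways" check are my assumptions.

```python
import re
# Trimmed to the "carp:" lines of the two ifconfig dumps quoted in the post.
IFCONFIG = {
    "fw1": """carp: MASTER carpdev fxp0 vhid 1 advbase 1 advskew 0
carp: BACKUP carpdev fxp0 vhid 2 advbase 1 advskew 100
carp: MASTER carpdev em0 vhid 3 advbase 1 advskew 0
carp: BACKUP carpdev em0 vhid 4 advbase 1 advskew 100""",
    "fw2": """carp: BACKUP carpdev fxp0 vhid 1 advbase 1 advskew 100
carp: MASTER carpdev fxp0 vhid 2 advbase 1 advskew 0
carp: BACKUP carpdev em0 vhid 3 advbase 1 advskew 100
carp: MASTER carpdev em0 vhid 4 advbase 1 advskew 0""",
}

# (client, side, MAC that answered its arping), copied from the post.
ARPING_REPLIES = [
    ("10.0.1.1", "inside", "00:00:5E:00:01:04"),
    ("192.168.1.4", "outside", "00:00:5E:00:01:02"),
    ("192.168.1.8", "outside", "00:00:5E:00:01:01"),
]
CARP_LINE = re.compile(r"carp: (MASTER|BACKUP) carpdev \S+ vhid (\d+)")

def parse_states(text):
    """Map vhid -> MASTER/BACKUP from one host's ifconfig output."""
    return {int(vhid): state for state, vhid in CARP_LINE.findall(text)}

def vhid_from_mac(mac):
    """CARP replies come from 00:00:5e:00:01:<vhid>; reject anything else."""
    octets = mac.lower().split(":")
    if len(octets) != 6 or octets[:5] != ["00", "00", "5e", "00", "01"]:
        raise ValueError(f"{mac} is not a CARP virtual MAC")
    return int(octets[5], 16)

def serving_firewall(mac, states):
    """Host that is MASTER for the vhid in a reply MAC; 0 or 2 masters is a fault."""
    vhid = vhid_from_mac(mac)
    masters = [h for h, st in states.items() if st.get(vhid) == "MASTER"]
    if len(masters) != 1:
        raise RuntimeError(f"vhid {vhid} is MASTER on {masters or 'no host'}")
    return masters[0]

def path_check(states, replies):
    """Outside client -> (firewall it reaches, firewall the inside host replies
    through, same?). A mismatch means the reply hits a firewall that never saw
    the original packet, so it has no state for the flow unless states are synced."""
    fw_for = {c: serving_firewall(m, states) for c, _, m in replies}
    (ret,) = {fw_for[c] for c, s, _ in replies if s == "inside"}  # exactly one inside host
    return {c: (fw_for[c], ret, fw_for[c] == ret) for c, s, _ in replies if s == "outside"}

if __name__ == "__main__":
    print(path_check({h: parse_states(t) for h, t in IFCONFIG.items()}, ARPING_REPLIES))
```

Run as-is it shows 192.168.1.4 entering and returning via fw2 (the ping that worked) and 192.168.1.8 entering via fw1 but returning via fw2 (the ping that was lost).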