On 5/5/07, Henning Brauer <[EMAIL PROTECTED]> wrote:
> * [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2007-05-03 20:58]:
> > Any recommendations on running BGP on redundant firewalls to multiple
> > providers advertising the same network thru both links, and talking iBGP
> > with the other firewall?
>
> that is what I am doing here as well as at multiple customer sites.
>
> > Just asking because I ran into a problem with this
> > scenario when traffic would enter 1 host, traverse the iBGP crossover link
> > and then exit the 2nd host, and return traffic would come back in thru the
> > 1st host. There was a mismatch of the states that seemed to cause my
> > problems.
>
> not seen that.
> you could suffer from the carp route screwup issue I just committed a
> fix for in -current. I'll attach it, it'll apply for 4.1 too.
> in general, "bgpctl sh nexthop" is your friend to debug this.
Can you elaborate a little more on the "carp route" issue? I had been working with the 2 firewall/2 provider/iBGP/pf/pfsync setup about 3 months ago and hit a wall when traffic flowed a certain direction, so I moved to the 2 router + 2 firewall setup, which cleared it up, so my memory's a little foggy about the exact issue. But I'm willing to try the 2 firewall setup again, as this will cost us so much less when we clone this configuration from our office to our data center. Thanks.

--
> Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
> BS Web Services, http://bsws.de
> Full-Service ISP - Secure Hosting, Mail and DNS Services
> Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
>
>
> Index: ip_carp.c > =================================================================== > RCS file: /cvs/src/sys/netinet/ip_carp.c,v > retrieving revision 1.135 > diff -u -p -r1.135 ip_carp.c > --- ip_carp.c 27 Mar 2007 21:58:16 -0000 1.135 > +++ ip_carp.c 28 Mar 2007 23:18:51 -0000 > @@ -368,15 +368,18 @@ carp_setroute(struct carp_softc *sc, int > struct ifaddr *ifa; > int s; > > + /* XXX this mess needs fixing */ > + > s = splsoftnet(); > TAILQ_FOREACH(ifa, &sc->sc_if.if_addrlist, ifa_list) { > switch (ifa->ifa_addr->sa_family) { > case AF_INET: { > - int count = 0; > + int count = 0, error; > struct sockaddr sa; > struct rtentry *rt; > struct radix_node_head *rnh; > struct radix_node *rn; > + struct rt_addrinfo info; > int hr_otherif, nr_ourif; > > /* 
> @@ -395,9 +398,15 @@ carp_setroute(struct carp_softc *sc, int > } > > /* Remove the existing host route, if any */ > - rtrequest(RTM_DELETE, ifa->ifa_addr, > - ifa->ifa_addr, ifa->ifa_netmask, > - RTF_HOST, NULL, 0); > + bzero(&info, sizeof(info)); > + info.rti_info[RTAX_DST] = ifa->ifa_addr; > + info.rti_info[RTAX_GATEWAY] = ifa->ifa_addr; > + info.rti_info[RTAX_NETMASK] = ifa->ifa_netmask; > + info.rti_flags = RTF_HOST; > + error = rtrequest1(RTM_DELETE, &info, NULL, 0); > + rt_missmsg(RTM_DELETE, &info, info.rti_flags, > NULL, > + error, 0); > + > > /* Check for our address on another interface */ > /* XXX cries for proper API */ 
> @@ -420,26 +429,39 @@ carp_setroute(struct carp_softc *sc, int > if (hr_otherif) { > ifa->ifa_rtrequest = NULL; > ifa->ifa_flags &= ~RTF_CLONING; > - > - rtrequest(RTM_ADD, ifa->ifa_addr, > - ifa->ifa_addr, > ifa->ifa_netmask, > - RTF_UP | RTF_HOST, NULL, 0); > + bzero(&info, sizeof(info)); > + info.rti_info[RTAX_DST] = > ifa->ifa_addr; > + info.rti_info[RTAX_GATEWAY] = > ifa->ifa_addr; > + info.rti_info[RTAX_NETMASK] = > ifa->ifa_netmask; > + info.rti_flags = RTF_UP | > RTF_HOST; > + error = rtrequest1(RTM_ADD, &info, > NULL, 0); > + rt_missmsg(RTM_ADD, &info, > info.rti_flags, NULL, > + error, 0); > } > if (!hr_otherif || nr_ourif || !rt) { > if (nr_ourif && !(rt->rt_flags & > - RTF_CLONING)) > - rtrequest(RTM_DELETE, &sa, > - ifa->ifa_addr, > - ifa->ifa_netmask, 0, > NULL, > - 0); > + RTF_CLONING)) { > + bzero(&info, > sizeof(info)); > + info.rti_info[RTAX_DST] = > &sa; > + info.rti_info[RTAX_GATEWAY] > = ifa->ifa_addr; > + info.rti_info[RTAX_NETMASK] > = ifa->ifa_netmask; > + error = > rtrequest1(RTM_DELETE, &info, NULL, 0); > + rt_missmsg(RTM_DELETE, > &info, info.rti_flags, NULL, > + error, 0); > + } > > ifa->ifa_rtrequest = > arp_rtrequest; > ifa->ifa_flags |= RTF_CLONING; > > - if (rtrequest(RTM_ADD, > ifa->ifa_addr, > - ifa->ifa_addr, > ifa->ifa_netmask, 0, > - NULL, 0) == 0) > + bzero(&info, sizeof(info)); > + info.rti_info[RTAX_DST] = > ifa->ifa_addr; > + info.rti_info[RTAX_GATEWAY] = > ifa->ifa_addr; > + info.rti_info[RTAX_NETMASK] = > ifa->ifa_netmask; > + error = rtrequest1(RTM_ADD, &info, > NULL, 0); > + if (error == 0) > ifa->ifa_flags |= > IFA_ROUTE; > + rt_missmsg(RTM_ADD, &info, > info.rti_flags, NULL, > + error, 0); > } > break; > case RTM_DELETE:
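Review bot: the new `/* XXX this mess needs fixing */` comment at the top of carp_setroute() in the first hunk (@@ -368,15) says nothing about what is actually wrong; replace it with a one-line statement of the problem being addressed (route changes issued from here were made with rtrequest() and never announced on the routing socket, which is why the rest of the patch switches to rtrequest1() plus rt_missmsg()), so the next reader knows what the XXX refers to and when it can be dropped. The new `error` and `struct rt_addrinfo info` locals are only used inside the AF_INET case, which is where they are declared, so their scope is fine.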
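Review bot: in the host-route removal block of the second hunk (@@ -395,9), rt_missmsg(RTM_DELETE, ...) is sent unconditionally, even when rtrequest1() failed because there was no existing host route (the comment above it says "if any"); every routing-socket listener such as bgpd then sees an RTM_DELETE for a route that never existed, with only the error field to tell it apart. Either guard the call with `if (error == 0)` or, if the intent is that daemons should see failed deletes too, say so in a comment. Also, the extra `+` line added after the rt_missmsg() call leaves two blank lines before the `/* Check for our address on another interface */` comment; one is enough.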
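Review bot: the bzero(&info) / fill rti_info[] / rtrequest1() / rt_missmsg() sequence in the third hunk (@@ -420,26) is now repeated three times here and once in the previous hunk, with only the command, destination and flags differing; a small static helper (for example a hypothetical carp_rtrequest(int cmd, struct sockaddr *dst, struct ifaddr *ifa, int flags) that fills the rt_addrinfo, calls rtrequest1() and rt_missmsg() and returns the error) would shrink the hunk and remove the chance of the flags handed to rtrequest1() and to rt_missmsg() drifting apart. Two things to confirm while doing that: in the `nr_ourif && !(rt->rt_flags & RTF_CLONING)` branch the delete of `&sa` runs with rti_flags left at 0 from the bzero, which matches the old rtrequest() call's flags argument of 0, so behaviour is preserved there; and in the final RTM_ADD, rt_missmsg() is emitted whether or not the add succeeded while IFA_ROUTE is only set when error == 0, so a listener can be told about an RTM_ADD for a route the kernel never installed.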