On 5/5/07, Henning Brauer <[EMAIL PROTECTED]> wrote:
>
> * [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2007-05-03 20:58]:
> > Any recommendations on running BGP on redundant firewalls to multiple
> > providers advertising the same network thru both links, and talking iBGP
> > with the other firewall?
>
> that is what I am doing here as well as at multiple customer sites.
>
> > Just asking because I ran into a problem with this
> > scenario when traffic would enter 1 host, traverse the iBGP crossover
> link
> > and then exit the 2nd host, and  return traffic would come back in thru
> the
> > 1st host. There was a mismatch of the states that seemed to cause my
> > problems.
>
> not seen that.
> you could suffer from the carp route screwup issue I just committed a
> fix for in -current. I'll attach it; it'll apply to 4.1 too.
> in general, "bgpctl sh nexthop" is your friend to debug this.


  Can you elaborate a little more on the "carp route" issue? I had been
working with the 2 firewall / 2 provider / iBGP / pf / pfsync setup about 3 months
ago and hit a wall when traffic flowed in a certain direction, so I moved to
the 2 router + 2 firewall setup, which cleared it up; my memory is a little
foggy about the exact issue. But I'm willing to try the 2 firewall setup
again, as this will cost us so much less when we clone this configuration
from our office to our data center. Thanks.

--
> Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
> BS Web Services, http://bsws.de
> Full-Service ISP - Secure Hosting, Mail and DNS Services
> Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
>
>
> Index: ip_carp.c
> ===================================================================
> RCS file: /cvs/src/sys/netinet/ip_carp.c,v
> retrieving revision 1.135
> diff -u -p -r1.135 ip_carp.c
> --- ip_carp.c   27 Mar 2007 21:58:16 -0000      1.135
> +++ ip_carp.c   28 Mar 2007 23:18:51 -0000
> @@ -368,15 +368,18 @@ carp_setroute(struct carp_softc *sc, int
>         struct ifaddr *ifa;
>         int s;
>
> +       /* XXX this mess needs fixing */
> +
>         s = splsoftnet();
>         TAILQ_FOREACH(ifa, &sc->sc_if.if_addrlist, ifa_list) {
>                 switch (ifa->ifa_addr->sa_family) {
>                 case AF_INET: {
> -                       int count = 0;
> +                       int count = 0, error;
>                         struct sockaddr sa;
>                         struct rtentry *rt;
>                         struct radix_node_head *rnh;
>                         struct radix_node *rn;
> +                       struct rt_addrinfo info;
>                         int hr_otherif, nr_ourif;
>
>                         /*
> @@ -395,9 +398,15 @@ carp_setroute(struct carp_softc *sc, int
>                         }
>
>                         /* Remove the existing host route, if any */
> -                       rtrequest(RTM_DELETE, ifa->ifa_addr,
> -                           ifa->ifa_addr, ifa->ifa_netmask,
> -                           RTF_HOST, NULL, 0);
> +                       bzero(&info, sizeof(info));
> +                       info.rti_info[RTAX_DST] = ifa->ifa_addr;
> +                       info.rti_info[RTAX_GATEWAY] = ifa->ifa_addr;
> +                       info.rti_info[RTAX_NETMASK] = ifa->ifa_netmask;
> +                       info.rti_flags = RTF_HOST;
> +                       error = rtrequest1(RTM_DELETE, &info, NULL, 0);
> +                       rt_missmsg(RTM_DELETE, &info, info.rti_flags,
> NULL,
> +                           error, 0);
> +
>
>                         /* Check for our address on another interface */
>                         /* XXX cries for proper API */
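Review bot: The RTM_DELETE at the top of this hunk is announced on the routing socket even when there was no host route to delete — the comment above it says "if any", so a not-found error from rtrequest1() (presumably ESRCH) is an expected outcome here, and every routing-socket listener will then see a failed delete with rtm_errno set. If listeners are meant to ignore that, a comment saying so would help; otherwise guard it, `if (error != ESRCH) rt_missmsg(RTM_DELETE, &info, info.rti_flags, NULL, error, 0);`. The added `+` blank line at the end of the hunk sits next to an existing blank context line, leaving two consecutive blank lines before the "Check for our address" comment; drop the added one. carp_setroute() starts before this hunk and continues after it.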
> @@ -420,26 +429,39 @@ carp_setroute(struct carp_softc *sc, int
>                                 if (hr_otherif) {
>                                         ifa->ifa_rtrequest = NULL;
>                                         ifa->ifa_flags &= ~RTF_CLONING;
> -
> -                                       rtrequest(RTM_ADD, ifa->ifa_addr,
> -                                           ifa->ifa_addr,
> ifa->ifa_netmask,
> -                                           RTF_UP | RTF_HOST, NULL, 0);
> +                                       bzero(&info, sizeof(info));
> +                                       info.rti_info[RTAX_DST] =
> ifa->ifa_addr;
> +                                       info.rti_info[RTAX_GATEWAY] =
> ifa->ifa_addr;
> +                                       info.rti_info[RTAX_NETMASK] =
> ifa->ifa_netmask;
> +                                       info.rti_flags = RTF_UP |
> RTF_HOST;
> +                                       error = rtrequest1(RTM_ADD, &info,
> NULL, 0);
> +                                       rt_missmsg(RTM_ADD, &info,
> info.rti_flags, NULL,
> +                                           error, 0);
>                                 }
>                                 if (!hr_otherif || nr_ourif || !rt) {
>                                         if (nr_ourif && !(rt->rt_flags &
> -                                           RTF_CLONING))
> -                                               rtrequest(RTM_DELETE, &sa,
> -                                                   ifa->ifa_addr,
> -                                                   ifa->ifa_netmask, 0,
> NULL,
> -                                                   0);
> +                                           RTF_CLONING)) {
> +                                               bzero(&info,
> sizeof(info));
> +                                               info.rti_info[RTAX_DST] =
> &sa;
> +                                               info.rti_info[RTAX_GATEWAY]
> = ifa->ifa_addr;
> +                                               info.rti_info[RTAX_NETMASK]
> = ifa->ifa_netmask;
> +                                               error =
> rtrequest1(RTM_DELETE, &info, NULL, 0);
> +                                               rt_missmsg(RTM_DELETE,
> &info, info.rti_flags, NULL,
> +                                                   error, 0);
> +                                       }
>
>                                         ifa->ifa_rtrequest =
> arp_rtrequest;
>                                         ifa->ifa_flags |= RTF_CLONING;
>
> -                                       if (rtrequest(RTM_ADD,
> ifa->ifa_addr,
> -                                           ifa->ifa_addr,
> ifa->ifa_netmask, 0,
> -                                           NULL, 0) == 0)
> +                                       bzero(&info, sizeof(info));
> +                                       info.rti_info[RTAX_DST] =
> ifa->ifa_addr;
> +                                       info.rti_info[RTAX_GATEWAY] =
> ifa->ifa_addr;
> +                                       info.rti_info[RTAX_NETMASK] =
> ifa->ifa_netmask;
> +                                       error = rtrequest1(RTM_ADD, &info,
> NULL, 0);
> +                                       if (error == 0)
>                                                 ifa->ifa_flags |=
> IFA_ROUTE;
> +                                       rt_missmsg(RTM_ADD, &info,
> info.rti_flags, NULL,
> +                                           error, 0);
>                                 }
>                                 break;
>                         case RTM_DELETE:
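Review bot: The three bzero()/fill/rtrequest1()/rt_missmsg() sequences in this hunk are the same seven lines copied with only the request type, destination and flags varying, which makes the already long carp_setroute() harder to read and invites the copies drifting apart (the delete case, for instance, relies on bzero() having left rti_flags at 0 while the others set it explicitly). A small static helper that takes the request, destination sockaddr, ifaddr and flags, does the announce, and returns the rtrequest1() error would let each call site shrink to one statement, with the final RTM_ADD still able to set IFA_ROUTE on `error == 0`. The helper's header comment should say why the announce is done by hand, which I can only infer from the thread (routing daemons such as bgpd watching the routing socket). carp_setroute() starts before this hunk and its switch continues past `case RTM_DELETE:` outside the hunk.
```c
/*
 * Issue one routing-table request for a CARP address and announce the
 * outcome on the routing socket, since this path does not go through
 * route_output() (presumably so routing daemons see the change — confirm).
 * Returns the rtrequest1() error code.
 */
static int
carp_rtreq(int req, struct sockaddr *dst, struct ifaddr *ifa, int flags)
{
	struct rt_addrinfo info;
	int error;

	bzero(&info, sizeof(info));
	info.rti_info[RTAX_DST] = dst;
	info.rti_info[RTAX_GATEWAY] = ifa->ifa_addr;
	info.rti_info[RTAX_NETMASK] = ifa->ifa_netmask;
	info.rti_flags = flags;
	error = rtrequest1(req, &info, NULL, 0);
	rt_missmsg(req, &info, info.rti_flags, NULL, error, 0);
	return (error);
}

/* … unchanged: carp_setroute() up to the hr_otherif test … */
				if (hr_otherif) {
					ifa->ifa_rtrequest = NULL;
					ifa->ifa_flags &= ~RTF_CLONING;
					carp_rtreq(RTM_ADD, ifa->ifa_addr, ifa,
					    RTF_UP | RTF_HOST);
				}
				if (!hr_otherif || nr_ourif || !rt) {
					if (nr_ourif && !(rt->rt_flags &
					    RTF_CLONING))
						carp_rtreq(RTM_DELETE, &sa, ifa, 0);

					ifa->ifa_rtrequest = arp_rtrequest;
					ifa->ifa_flags |= RTF_CLONING;

					if (carp_rtreq(RTM_ADD, ifa->ifa_addr,
					    ifa, 0) == 0)
						ifa->ifa_flags |= IFA_ROUTE;
				}
/* … unchanged: break; case RTM_DELETE: … */
```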
