The really cool combination of CARP and ifstated enabled a nice work-around. The attached ifstated.conf works great in my active-passive firewall cluster setup. At least it survived all violent testing conducted over the past few hours. But it still needs to prove itself in the longer term.
Actually, this solution does more than simply running dhclient on CARP would do. With one exception: I could not figure out how to transition from a passive-active firewall cluster to an active-active configuration without having a CARP interface with a dynamic IP address that connects to the ISP. Therefore, I would still be interested in getting dhclient to work on a CARP interface. Also, I welcome your feedback about the solution outlined below.

Thanks,
Rolf

A few remarks on the ifstated.conf shown below:

a) vlan11 is a VLAN bound to the same NIC as carp12. dhclient is run on vlan11 (actually, carp12 is bound to vlan11, which in turn is bound to the physical NIC linking to upstream). dhclient assigns the dynamic IP address to vlan11 whenever a node of a cluster is in master state. Nodes in backup state kill dhclient, delete the dynamic IP address from their vlan11, change the default route from the ISP router to the firewall's virtual cluster address (which is here carp100 = 10.0.0.1) and kill and restart some daemons with some modified parameters:
   - dhcpd runs only on the master node;
   - ntpd on the backup node(s) gets its time reference from the master node, to avoid doubling the load on external time servers;
   - only one ez-ipupdate instance running on the master node takes care of updating my dynamic DNS service provider;

b) carp12 is a CARP interface on the same NIC that connects to the ISP modem. carp12 is bound to a fixed IP address. The ifstated configuration below uses it just for detecting the state(-changes) of the upstream link, i.e. it is not the CARP interface I would like to run dhclient on (which would be carp11).

c) You can replace vlan11 by any other VLAN, or by a physical interface, such as fxp2 for example. You can replace carp12 by any other CARP interface as long as it is a reliable state indicator of each node in the cluster.
[EMAIL PROTECTED]:root]# cat /etc/ifstated.conf
init-state startState

carpUp = "carp12.link.up"
carpDown = "!carp12.link.up"

state startState {
    if $carpUp
        set-state masterState
    if $carpDown
        set-state backupState
}

state masterState {
    init {
        # assert services are killed to avoid duplicates in case they were still up,
        # for ex. after a restart of ifstated while masterState was never left
        run "/usr/bin/pkill -9 ntpd"
        run "/usr/bin/pkill -9 dhcpd"
        run "/usr/bin/pkill -9 ez-ipupdate"
        run "/usr/bin/pkill -9 dhclient"
        run "/sbin/dhclient vlan11"
        run "/usr/local/bin/ez-ipupdate -c /etc/ez-ipupdate.conf"
        run "/usr/sbin/dhcpd"
        #run "/usr/sbin/ntpd -s -f /etc/ntpd_masterState.conf"
        run "/usr/sbin/ntpd -f /etc/ntpd_masterState.conf"
    }
    if $carpDown
        set-state backupState
}

state backupState {
    init {
        run "/usr/bin/pkill -9 ntpd"
        run "/usr/bin/pkill -9 dhcpd"
        run "/usr/bin/pkill -9 ez-ipupdate"
        run "/usr/bin/pkill -9 dhclient"
        run "/sbin/ifconfig vlan11 delete"
        run "/sbin/route change default 10.0.0.1"
        #run "/usr/sbin/ntpd -s -f /etc/ntpd_backupState.conf"
        run "/usr/sbin/ntpd -f /etc/ntpd_backupState.conf"
    }
    if $carpUp
        set-state masterState
}
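An added example (not Rolf's code) of how the same transitions could be moved into a script that ifstated calls from each init block, so that the real CARP state of carp12 is cross-checked with ifconfig(8) before anything is torn down and daemons get SIGTERM before SIGKILL. It assumes OpenBSD and the names from the post (vlan11, carp12, 10.0.0.1, the ntpd config paths); the script itself and the `ifstated-transition` syslog tag are my own choices.

```shell
#!/bin/sh
# Added example, not code from Rolf's post: a transition script ifstated could
# call from each state's init block in place of the inline pkill/run lines.
# Assumes OpenBSD and the post's names: vlan11 (ISP side), carp12 (state
# indicator), 10.0.0.1 (cluster address), ntpd config paths as in the post.
set -eu
ISP_IF=vlan11
STATE_IF=carp12
CLUSTER_GW=10.0.0.1
log() { logger -t ifstated-transition "$*"; echo "$*"; }

# Pure check over ifconfig(8) output on stdin: does carp12 really report MASTER?
# ifstated only sees link state, so confirm before touching services or routes.
carp_is_master() { grep -q 'carp: MASTER'; }

# Stop a daemon politely: SIGTERM first so dhcpd/dhclient can clean up,
# escalate to SIGKILL only if it is still alive after a short grace period.
stop_daemon() {
    pgrep -x "$1" >/dev/null 2>&1 || return 0       # not running: nothing to do
    pkill -TERM -x "$1" || true
    i=0
    while [ "$i" -lt 5 ] && pgrep -x "$1" >/dev/null 2>&1; do sleep 1; i=$((i+1)); done
    pgrep -x "$1" >/dev/null 2>&1 && pkill -KILL -x "$1" || true
}
stop_all() { for d in ntpd dhcpd ez-ipupdate dhclient; do stop_daemon "$d"; done; }

enter_master() {
    ifconfig "$STATE_IF" | carp_is_master ||
        { log "refusing master: $STATE_IF does not report MASTER"; return 1; }
    stop_all
    /sbin/dhclient "$ISP_IF"                    # lease and default route from the ISP
    /usr/local/bin/ez-ipupdate -c /etc/ez-ipupdate.conf
    /usr/sbin/dhcpd
    /usr/sbin/ntpd -f /etc/ntpd_masterState.conf
    log "now master on $ISP_IF"
}

enter_backup() {
    stop_all
    /sbin/ifconfig "$ISP_IF" delete             # drop the dynamic address
    /sbin/route change default "$CLUSTER_GW"    # reach upstream via the master
    /usr/sbin/ntpd -f /etc/ntpd_backupState.conf
    log "now backup, default route via $CLUSTER_GW"
}

case "${1:-}" in
    master) enter_master ;;
    backup) enter_backup ;;
    "")     ;;                                  # no argument (e.g. sourced): do nothing
    *)      echo "usage: $0 master|backup" >&2; exit 2 ;;
esac
```

In ifstated.conf the init blocks then shrink to a single `run "/etc/ifstated-transition master"` or `run "/etc/ifstated-transition backup"` line, and a transition that ifstated fired on a spurious link flap is logged and refused instead of starting a second dhclient and dhcpd.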