[pf4freebsd] Re: why multiple CARP groups

Max Laier max at love2party.net
Wed Sep 15 21:12:41 PDT 2004


On Tuesday 17 August 2004 20:22, Max Laier wrote:
> On Tuesday 17 August 2004 10:58, sam wrote:
> > Hi,
> >
> > I need to get advice from someone on the usage of CARP+pfsync.
> > With the BIG example as described in the following page:
> > http://www.countersiege.com/doc/pfsync-carp/#big
> > I don't understand why creating a different CARP group for each
> > application server instead of using only one CARP interface for 4
> > internal application servers is better.
> >
> > With only one CARP address for 4 application servers, traffic still can
> > be redirected to another app server if one has died. Unless one CARP
> > address is not efficient.
> >
> > Can anyone please explain the difference using multiple CARP groups
> > instead of one CARP address?
>
> The example uses a "rdr source-hash" rule to load balance over the four
> virtual addresses. You cannot use the CARP version of source-hash as the
> clients are behind the firewalls and will not balance as a result.

Sorry, meant to say: "You cannot use the CARP arpbalance ..." with the same 
effect and (now much clearer (I hope)) reasoning. The servers will see only 
the firewall ARPs and not those of the clients. While they will indeed see
the IP addresses, CARP load-balances on the ARP level. This is used to
load-balance between the two firewalls, btw.

> If one server dies one of the remaining 3 takes over and has to take twice
> the load until the failed server comes back (or the admin modifies the rdr
> rule).

-- 
/"\  Best regards,			| mlaier at freebsd.org
\ /  Max Laier				| ICQ #67774661
 X   http://pf4freebsd.love2party.net/	| mlaier at EFnet
/ \  ASCII Ribbon Campaign		| Against HTML Mail and News
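
An added illustration of the reasoning in this thread (not code from the original post, nor from pf or CARP): a small Python model contrasting balancing per ARP requester with a per-client rdr source-hash over four CARP addresses, and the doubled load after one server fails. The addresses, server names, the way clients are split over the firewalls and the SHA-256 stand-in hash are all assumptions made for the example.

```python
import hashlib
from collections import Counter

# Constructed sample topology (assumed, not taken from the thread).
APP_SERVERS = ["app1", "app2", "app3", "app4"]
VIPS = ["10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14"]  # one CARP group each
FIREWALLS = ["10.0.0.1", "10.0.0.2"]   # the only hosts that ARP on the server LAN
CLIENTS = [f"198.51.100.{i}" for i in range(1, 201)]  # remote clients

def pick(key, n):
    """Stand-in stable hash; not the hash pf or CARP actually use."""
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:4], "big") % n

def arpbalance_load(servers, clients, firewalls):
    """Single shared address: the answering server depends on who sent the ARP."""
    load = Counter()
    for client in clients:
        fw = firewalls[pick(client, len(firewalls))]   # firewall forwarding this client
        load[servers[pick(fw, len(servers))]] += 1     # keyed on the firewall, not the client
    return load

def source_hash_load(vips, clients):
    """rdr source-hash on the firewall: the target address depends on the client IP."""
    return Counter(vips[pick(client, len(vips))] for client in clients)

def after_failover(vip_load, owner, dead, backup):
    """CARP moves the dead server's address to a backup; the rdr rule is unchanged."""
    owner = {vip: (backup if srv == dead else srv) for vip, srv in owner.items()}
    per_server = Counter()
    for vip, hits in vip_load.items():
        per_server[owner[vip]] += hits
    return per_server

if __name__ == "__main__":
    print("arpbalance :", dict(arpbalance_load(APP_SERVERS, CLIENTS, FIREWALLS)))
    vip_load = source_hash_load(VIPS, CLIENTS)
    print("source-hash:", dict(vip_load))
    owner = dict(zip(VIPS, APP_SERVERS))
    print("app1 down  :", dict(after_failover(vip_load, owner, "app1", "app2")))
```

With only two ARP requesters on the server LAN, the first model can never reach more than two of the four servers, while the second spreads clients over all four addresses.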