carp+pfsync+freevrrpd+jail

Anton Nikiforov anton at nikiforov.ru
Thu Jul 6 19:46:25 UTC 2006


Dear all.
I have the following trouble:
Using carp and pfsync I have made the redundant firewall (OS is 6.1p2 
and everything is done like in mans, even ifconfig options).
The only thing that is different is that I have 2 ethernet interfaces (one 
for the crossover link and the other is the parent interface for vlans).

host1
ifconfig_vlan101="inet X.Y.Z.1 netmask 255.255.255.0 broadcast X.Y.Z.255 vlan 101 vlandev em0"
ifconfig_carp0="vhid 1 pass abc X.Y.Z.3"
ifconfig_vlan100="inet A.B.C.1 netmask 255.255.255.0 broadcast A.B.C.255 vlan 100 vlandev em0"
ifconfig_carp1="vhid 1 pass abc A.B.C.3"
ifconfig_pfsync0="up syncif em1"

host2
ifconfig_vlan101="inet X.Y.Z.2 netmask 255.255.255.0 broadcast X.Y.Z.255 vlan 101 vlandev em0"
ifconfig_carp0="vhid 1 advskew 100 pass abc X.Y.Z.3"
ifconfig_vlan100="inet A.B.C.2 netmask 255.255.255.0 broadcast A.B.C.255 vlan 100 vlandev em0"
ifconfig_carp0="vhid 1 advskew 100 pass abc A.B.C.3"
ifconfig_pfsync0="up syncif em1"


What I have is that when I'm pinging the carp0 (inet) or carp1 (lan) 
interface's IP address of my firewall, I'm receiving DUP responses.

And when host2 is the slave and I'm starting to ping the carp0 address, no 
traffic appears on the master host; that means that the local carp 
interface is responding to my packets.

That means that in case some service (provided by a jail managed by 
freevrrpd) will be accessed from outside, I cannot be sure which host 
will answer the request.

I have done some tests. When I'm sshing to the virtual IP, sometimes I'm 
getting the ssh prompt and can log in, sometimes it says that the host auth 
info is bad (yes, because the second server is answering me at this time), and 
sometimes I'm losing the ssh connection while the session is active.

net.inet.carp.preempt = 1
net.inet.carp.log=2
net.inet.carp.arpbalance=0

No balance needed. I want to have some services run in the main OS, some 
services run in a jail, and I want to be sure which host will answer the 
request when both hosts are up and running.

Could someone please direct me what to do or where to read?

Best regards,
Anton Nikiforov
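A configuration sanity check that a practitioner might run against an rc.conf like the ones quoted above, as an added example that is not part of the original post and not FreeBSD's own tooling. It lints an rc.conf fragment for two things that make "which host answers" unpredictable: the same `ifconfig_*` variable assigned twice (rc.conf is sourced by sh, so the later line silently wins and the earlier carp interface is never configured) and the same vhid reused by more than one carp interface. It also parses `ifconfig` output for a carp interface to report whether the node is MASTER or BACKUP. The rc.conf fragment and the ifconfig output are constructed samples, modelled on the host2 block in the post; addresses are documentation ranges and interface names are placeholders.

```sh
#!/bin/sh
# Added example, not from the original post. Lint an rc.conf fragment for
# CARP mistakes and read the carp state out of ifconfig output.

# Constructed sample modelled on the host2 block above (placeholder names/addresses).
SAMPLE_RCCONF=$(mktemp)
cat >"$SAMPLE_RCCONF" <<'EOF'
ifconfig_vlan101="inet 192.0.2.2 netmask 255.255.255.0 vlan 101 vlandev em0"
ifconfig_carp0="vhid 1 advskew 100 pass abc 192.0.2.3"
ifconfig_vlan100="inet 198.51.100.2 netmask 255.255.255.0 vlan 100 vlandev em0"
ifconfig_carp0="vhid 1 advskew 100 pass abc 198.51.100.3"
ifconfig_pfsync0="up syncif em1"
EOF

# Constructed clean variant: one variable per carp interface, one vhid each.
CLEAN_RCCONF=$(mktemp)
cat >"$CLEAN_RCCONF" <<'EOF'
ifconfig_vlan101="inet 192.0.2.2 netmask 255.255.255.0 vlan 101 vlandev em0"
ifconfig_carp0="vhid 1 advskew 100 pass abc 192.0.2.3"
ifconfig_vlan100="inet 198.51.100.2 netmask 255.255.255.0 vlan 100 vlandev em0"
ifconfig_carp1="vhid 2 advskew 100 pass abc 198.51.100.3"
ifconfig_pfsync0="up syncif em1"
EOF

# check_carp_rcconf FILE: print one finding per line; prints nothing when clean.
check_carp_rcconf() {
    awk -F'=' '
        /^ifconfig_/ {
            var = $1
            seen[var]++
            if (seen[var] == 2)
                print "duplicate assignment: " var " (the later line silently wins when rc.conf is sourced)"
        }
        /^ifconfig_carp/ {
            if (match($0, /vhid [0-9]+/)) {
                vhid = substr($0, RSTART + 5, RLENGTH - 5)
                vh[vhid]++
                if (vh[vhid] == 2)
                    print "vhid " vhid " used by more than one carp interface; give each virtual host its own vhid"
            }
        }
    ' "$1"
}

# count_carp_findings FILE: number of findings, for scripted gating.
count_carp_findings() {
    check_carp_rcconf "$1" | wc -l | tr -d ' '
}

# carp_state IFCONFIG_OUTPUT: extract MASTER/BACKUP/INIT from the "carp:" line
# that ifconfig prints for a carp interface; prints UNKNOWN if absent.
carp_state() {
    state=$(printf '%s\n' "$1" | awk '/carp:/ { print $2; exit }')
    printf '%s\n' "${state:-UNKNOWN}"
}

# Constructed ifconfig output for a carp interface (format as in carp(4) era FreeBSD 6).
SAMPLE_IFCONFIG='carp0: flags=41<UP,RUNNING> mtu 1500
        inet 192.0.2.3 netmask 0xffffff00
        carp: MASTER vhid 1 advbase 1 advskew 0'

echo "findings for sample rc.conf:"
check_carp_rcconf "$SAMPLE_RCCONF"
echo "findings for clean rc.conf: $(count_carp_findings "$CLEAN_RCCONF")"
echo "carp0 state: $(carp_state "$SAMPLE_IFCONFIG")"
```

With net.inet.carp.preempt=1 and distinct vhids per virtual host, the node with the lower advskew is expected to hold MASTER for every vhid while both hosts are up; running the state check on both hosts shows whether one of them is answering for an address it should not be.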


More information about the freebsd-stable mailing list