Problems with carp

Giulio Ferro auryn at zirakzigil.org
Mon Oct 9 01:00:26 PDT 2006 

I'm some strange behaviour with carp in FreeBSD.

I have a simple redundant firewall configuration: Each machine has
three Realtek Gibabit network interfaces, one toward Internet, one toward
LAN, and one toward each other with a cross cable for syncronization
The PCs have 2GHz. celerons. The firewall software is pf, the os is Freebsd
6.2 prerel. (updated last friday). In the rules I have:
pass quick proto carp
pass quick proto pfsync

On the master firewall the redundant interfaces are set like this
ifconfig_carp0="vhid 1 pass <password> <common external ip>/<mask>"
ifconfig_carp1="vhid 2 pass <password> <common internal ip>/<mask>"

on the backup firewall
ifconfig_carp0="vhid 1 pass <password> <common external ip>/<mask> 
advskew 100"
ifconfig_carp1="vhid 2 pass <password> <common internal ip>/<mask> 
advskew 100"

As long as there is only one firewall everything works fine. When I 
start the backup firewall
this unexplainadly becomes the master, and the one which was master 
becomes backup!

Another strange behavior is that an ifconfig on firewall 2 will show the 
advskew of the
LAN carp interface to be 0, not 100 (on the Internet if it's set 
correctly to 100).
I have to set it manually to 100 to make it work.

This configuration works fine, even if it's not what I want (I'd like 
the first firewall to be
master). Another problem comes out when I power down the second 
firewall. The first
firewall becomes master again, BUT the common interface is lost. That 
is, if I try to ping
the common IP from a machine on the LAN, it doesn't get any answer. Only the
physical interace seems to work. Even a ifconfig carp0 arp doesn't any 
good. I have to
restart the firewall to make it work properly again..

Another problem is that the interfaces don't fail as a group. Of course 
I have
net.inet.carp.preempt=1
but if I try to unplug a cable from firewall 2, that carp interface 
becomes INIT, but the other
interface stays MASTER. Specularly on firewall 1 the corrisponding carp 
interface becomes
MASTER, but the other stays BACKUP. Result : nothing works any more...

I hope someone has some good ideas why this happens. I hope this is the 
right place to
ask these questions, but I couldn't  find a carp-related mailing list...

More information about the freebsd-cluster mailing list