pf and carp, BACKUP host dropping connection
Sebastiaan van Erk
sebster at sebster.com
Tue Apr 21 21:01:06 UTC 2009
Stanislav Sedov wrote:
> On Mon, 20 Apr 2009 14:21:10 +0200
> Sebastiaan van Erk <sebster at sebster.com> mentioned:
>> I think once I have pfsync the problem will go away due to the
>> synchronized state (the backups won't block anymore), but it still seems
>> strange to me that all 3 machines will then be actively filtering the
>> packets...
>>
>> Does anybody know what's going on?
>>
>
> I'd suggest to look first why all of them are receiving this traffic. It
> looks like something is not right in the network itself.

After reading about CARP some more, I think that's the expected behavior:
--- http://www.openbsd.org/faq/faq6.html#CARP ---
How it works: CARP is a multicast protocol. It groups several physical
computers together under one or more virtual addresses. Of these, one
system is the master and responds to all packets destined for the group,
the other systems act as hot spares.
--- http://www.openbsd.org/faq/faq6.html#CARP ---

Since I don't have pfsync enabled yet the other two machines don't have
the proper state and will drop the connection. Normally this would only
pollute the log, but on the internal networks I don't want connections
to hang for long periods so I do "block return". This causes pf to
respond to the traffic since it doesn't know anything about the machine
being a carp backup, and thus the originating host receives a RST and
drops the connection.

I'm wondering if the combination block return + carp is going to work at
all, even with pfsync... I will do some more research on that.

Regards,
Sebastiaan