CARP Failover
Mike Barnard
mike.barnardq at gmail.com
Fri Jan 28 08:14:23 UTC 2011
Hi,
I have two firewalls, FW1 and FW2. Each server has three interfaces, bce0,
bce1 and bce2 and of course the carp interfaces.
FW1:
bce0: 41.xxx.yyy.244/29
bce1: 172.19.254.14/30
bce2: 41.xxx.yyy.252/29
carp0: 41.202.229.243
carp1: 41.202.229.251
FW2:
bce0: 41.xxx.yyy.245/29
bce1: 172.19.254.15/30
bce2: 41.xxx.yyy.253/29
carp0: 41.202.229.243
carp1: 41.202.229.251
FW1 is connected to SW1 and FW2 is connected to SW2. Both SW1 and SW2 are
connected to the aggregating switch.
I have configured CARP in failover mode and the interesting thing is both
firewall carp interfaces come up as master:
FW1:
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
inet 41.xxx.yyy.243 netmask 0xfffffff8
carp: MASTER vhid 1 advbase 1 advskew 1
carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
inet 41.xxx.yyy.251 netmask 0xfffffff8
carp: MASTER vhid 2 advbase 1 advskew 1
FW2:
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
inet 41.xxx.yyy.243 netmask 0xfffffff8
carp: MASTER vhid 1 advbase 1 advskew 100
carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
inet 41.xxx.yyy.251 netmask 0xfffffff8
carp: MASTER vhid 2 advbase 1 advskew 100
The pfsync0 interfaces on both are configured thus:
FW1:
pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
pfsync: syncdev: bce1 syncpeer: 172.19.254.15 maxupd: 128
FW2:
pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
pfsync: syncdev: bce1 syncpeer: 172.19.254.14 maxupd: 128
My sysctl variables on both firewalls are set thus:
net.inet.carp.allow=1 # Allow the firewall to accept CARP packets
net.inet.carp.preempt=1 # Allow firewalls to failover when one goes down
net.inet.ip.forwarding=1 # Allow packet forwarding through the firewalls
Am I missing something, mis-configured something or somehow missed something
out?
Thanks.
--
Mike
Of course, you might discount this possibility, but remember that one in
a million chances happen 99% of the time.
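
Added example, not part of the original post: a small Python check that parses the carp lines of the ifconfig output quoted above from both firewalls and reports every vhid that more than one host claims as MASTER. It also flags interface addresses that fall on the network or broadcast address of their prefix, which is the case for one of the bce1 addresses listed in the post. The function names are assumptions made for this example.

```python
import ipaddress
import re

# ifconfig carp output copied from the post, used as sample input.
FW1 = """carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
 inet 41.xxx.yyy.243 netmask 0xfffffff8
 carp: MASTER vhid 1 advbase 1 advskew 1
carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
 inet 41.xxx.yyy.251 netmask 0xfffffff8
 carp: MASTER vhid 2 advbase 1 advskew 1
"""
# FW2 output in the post differs only in advskew (100 instead of 1).
FW2 = FW1.replace("advskew 1\n", "advskew 100\n")

CARP_RE = re.compile(r"carp: (\w+) vhid (\d+) advbase (\d+) advskew (\d+)")

def carp_states(ifconfig_text):
    """Map vhid -> (state, advskew) from ifconfig output."""
    return {int(vhid): (state, int(skew))
            for state, vhid, _base, skew in CARP_RE.findall(ifconfig_text)}

def dual_masters(hosts):
    """Return sorted vhids that more than one host reports as MASTER."""
    masters = {}
    for name, text in hosts.items():
        for vhid, (state, _skew) in carp_states(text).items():
            if state == "MASTER":
                masters.setdefault(vhid, []).append(name)
    return sorted(v for v, names in masters.items() if len(names) > 1)

def unusable_host_addrs(cidrs):
    """Return addresses that are the network or broadcast address of their prefix."""
    bad = []
    for cidr in cidrs:
        iface = ipaddress.ip_interface(cidr)
        net = iface.network
        # /31 and /32 have no separate network/broadcast addresses.
        if net.prefixlen < 31 and iface.ip in (net.network_address,
                                               net.broadcast_address):
            bad.append(cidr)
    return bad

if __name__ == "__main__":
    print("vhids MASTER on both:", dual_masters({"FW1": FW1, "FW2": FW2}))
    print("unusable addresses:",
          unusable_host_addrs(["172.19.254.14/30", "172.19.254.15/30"]))
```
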