kern/93829: Pfsync state time problem with CARP + Arp.Balance

Gleb Smirnoff glebius at FreeBSD.org
Sun Feb 26 03:10:10 PST 2006


The following reply was made to PR kern/93829; it has been noted by GNATS.

From: Gleb Smirnoff <glebius at FreeBSD.org>
To: "C.Dornig" <c_dornig at gmx.de>
Cc: mlaier at FreeBSD.org, dhartmei at FreeBSD.org, freebsd-gnats-submit at FreeBSD.org
Subject: Re: kern/93829: Pfsync state time problem with CARP + Arp.Balance
Date: Sun, 26 Feb 2006 14:08:43 +0300

 On Sat, Feb 25, 2006 at 02:24:25PM +0000, C.Dornig wrote:
 C> I have a problem with CARP + pf + pfsync in arp.balance mode.
 C> I have configured 2 Cluster Routing / netfilter machines with carp + arpbalance.
 C> 
 C> The pf rules are the same on both servers.
 C> If the servers run in non-arp.balance mode, the rules are all fine and working perfectly.
 C> But if I turn on arp.balance, then I get the following problem.
 C> I made a ping (icmp packet) from my client pc (Client-LAN) to the Server behind the PF Cluster in another LAN.
 C> The first packet goes through PFCluster1 and the back packet goes through PFCluster2. But the state information from the first packet to the server is not fast enough on the PFCluster2 machine and, because of the pf rules, the back packet will be blocked. The next packet from client to server will be passed, and also the back traffic.
 C> 
 C> Without arp.balance the rules are ok, and all traffic will be passed and the states will be written correctly. With only routing, without pf, all is ok.
 C> 
 C> I have done all network diagnostics. I have run tcpdump on all interfaces and the carps are all OK. Also pfsync packets are received and sent by each machine. The two machines can send and receive packets to and from each other.
 C> 
 C> I think there is a timing problem with pfsync. I mean that pfsync sends the state change to the other too slowly.
 
 You have a race between three computers - both CARP routers, and the host
 behind them. The ICMP packet can reach the host and be replied to faster
 than the state information is sent from one CARP router to another. I think
 this problem is not solvable at all, so we must state that ARP load balancing
 is not compatible with pfsync(4).
 
 
 -- 
 Totus tuus, Glebius.
 GLEBIUS-RIPN GLEB-RIPE

