biancalana at gmail.com
Fri Aug 1 03:54:03 UTC 2008
On 7/30/08, Nikos Vassiliadis <nvass at teledomenet.gr> wrote:
> On Wednesday 30 July 2008 16:56:23 Alexandre Biancalana wrote:
> > On 7/30/08, Nikos Vassiliadis <nvass at teledomenet.gr> wrote:
> > > On Wednesday 30 July 2008 07:51:52 Alexandre Biancalana wrote:
> > > > Hi list, (I already asked this on -net, but I got no answers)
> > > >
> > > > I have two 100Mbit links (L2L, lan to lan) between the company and
> > > > our datacenter; on each side I have two redundant (pf+carp)
> > > > firewalls.
> > > >
> > > > I configured one vlan for each 100Mbit link and used carp to do
> > > > the failover between machines on each side, the vlan interfaces are
> > > > configured without ip address (with Max's
> > > > carpdev patch), only carp interfaces have ips.
> > > >
> > > > I want to use OpenOSPFD to distribute our internal routes and do
> > > > automatic failover+loadbalance of these two 100Mbit links.
> > > >
> > > > Will this work? Does someone have a similar setup? Any hints?
> > >
> > > I think using OSPF and CARP on the same interface could have
> > > unexpected results.
> > I see some examples
> You get to have two ways to forward packets to a destination.
> One via CARP and one via OSPF. I think it's a possible source
> of errors.
> > > I would use CARP on the "lan to lan" link to provide redundancy
> > > and load balancing. Do you have to use OSPF?
> > > That is, is there an OSPF domain in which you have to be part of?
> > I use CARP for firewall redundancy on each side. I want to use OSPF to
> > easily distribute routes on my networks; the failover and load balance
> > of the links are a desirable plus.
> So, there is an OSPF domain besides the four FreeBSD firewalls, right?
Is what I want to configure....
> Could you provide your network's topology?
> Is it something like:
> CLUSTER1 = CARP(FW1, FW2)
> CLUSTER2 = CARP(FW3, FW4)
FW1 (master)                                                    FW3 (master)
(10.0.0.49/30) carp206 <------------------------------> carp20 (10.0.0.50/30)
(10.0.0.45/30) carp207 <------------------------------> carp30 (10.0.0.46/30)
FW2 (slave)                                                     FW4 (slave)
Yes, in my setup I want to do failover of the firewalls (if FW1 crashes,
FW2 assumes the two links, firewall rules, etc.) and loadbalance+failover
of the two 100Mbit links (I want to use the two links together (100+100)
and, if one of them fails, all the traffic to be routed to the other).
The firewall failover is working great with CARP. My
difficulty is configuring OpenOSPFD to distribute routes in this
setup; the link failover+loadbalance comes naturally after ospf
> For example, in the above diagram you cannot load
> balance the traffic, it will always go through the
> same routers:
> FW1 and FW3 or
> FW1 and FW4 or
> FW2 and FW3 or
> FW2 and FW4.
> It will of course failover in case of a FW failure.
Yes. Only one firewall is master on each side.
> > I would use CARP on the "lan to lan" link to provide redundancy
> > and load balancing.
> So, my suggestion above is false, at least with the current
> CARP on FreeBSD.
> Please supply more info about your setup,
I hope that you understand, if not I can draw something more detailed.
Thank you for your time.