From owner-freebsd-questions@FreeBSD.ORG Fri Aug 1 03:54:03 2008
From: "Alexandre Biancalana" <biancalana@gmail.com>
To: "Nikos Vassiliadis"
Date: Fri, 1 Aug 2008 00:54:02 -0300
Message-ID: <8e10486b0807312054i7b3ca5f1x19f4899ef5a638c3@mail.gmail.com>
In-Reply-To: <200807301806.04141.nvass@teledomenet.gr>
Cc: questions@freebsd.org
Subject: Re: carp+openospfd

On 7/30/08, Nikos Vassiliadis wrote:
> On Wednesday 30 July 2008 16:56:23 Alexandre Biancalana wrote:
> > On 7/30/08, Nikos Vassiliadis wrote:
> > > On Wednesday 30 July 2008 07:51:52 Alexandre Biancalana wrote:
> > > > Hi list, (I already asked this on -net, but got no answers)
> > > >
> > > > I have two 100Mbit links (L2L, lan to lan) between the company and
> > > > our datacenter; on each side I have two redundant (pf+carp)
> > > > firewalls.
> > > >
> > > > I configured one vlan for each 100Mbit link and used carp to do
> > > > the failover between machines on each side. The vlan interfaces are
> > > > configured without an ip address (with Max's carpdev patch);
> > > > only the carp interfaces have ips.
> > > >
> > > > I want to use OpenOSPFD to distribute our internal routes and do
> > > > automatic failover+loadbalance of these two 100Mbit links.
> > > >
> > > > Does this work? Does someone have a similar setup? Any hints?
> > >
> > > I think using OSPF and CARP on the same interface could have
> > > unexpected results.
> >
> > I see some examples
>
> You get to have two ways to forward packets to a destination.
> One via CARP and one via OSPF. I think it's a possible source
> of errors.
>
> > > I would use CARP on the "lan to lan" link to provide redundancy
> > > and load balancing. Do you have to use OSPF?
> > > That is, is there an OSPF domain that you have to be part of?
> >
> > I use CARP for firewall redundancy on each side. I want to use OSPF to
> > easily distribute routes on my networks; the failover and load balance
> > of the links are a desirable plus.
>
> So, there is an OSPF domain besides the four FreeBSD firewalls, right?

That is what I want to configure...

> Could you provide your network's topology?
> Is it something like:
> LAN1----CLUSTER1====CLUSTER2----LAN2
> where:
> CLUSTER1 = CARP(FW1, FW2)
> CLUSTER2 = CARP(FW3, FW4)

Local Network                                              Datacenter Network

FW1 (master)                                               FW3 (master)
                              Link1 (100Mbit)
(10.0.0.49/30) carp206 <------------------------------> carp20 (10.0.0.50/30)
(10.0.0.45/30) carp207 <------------------------------> carp30 (10.0.0.46/30)
                              Link2 (100Mbit)
FW2 (slave)                                                FW4 (slave)

Yes, in my setup I want to do failover of the firewalls (if FW1 crashes,
FW2 assumes the two links, firewall rules, etc.) and load balance+failover
of the two 100Mbit links (I want to use the two links together (100+100)
and if one of them fails, all the traffic is routed to the other).

The firewall failover is working great with CARP. My difficulty is
configuring OpenOSPFD to distribute routes in this setup; the link
failover+load balance comes naturally once OSPF is running.

> For example, in the above diagram you cannot load
> balance the traffic, it will always go through the
> same routers:
> FW1 and FW3 or
> FW1 and FW4 or
> FW2 and FW3 or
> FW2 and FW4.
>
> It will of course failover in case of a FW failure.

Yes. Only one firewall is master on each side.

> > > I would use CARP on the "lan to lan" link to provide redundancy
> > > and load balancing.
>
> So, my suggestion above is false, at least with the current
> CARP on FreeBSD.
>
> Please supply more info about your setup,

I hope that you understand; if not, I can draw something more detailed.

Thank you for your time.

Alexandre
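An OpenOSPFD configuration for FW1 in the diagram above, added here as an illustration and not taken from the thread: both CARP links go into one area with the same metric so ospfd sees two equal-cost paths toward the datacenter side, and each adjacency is MD5-authenticated so a host on the link VLAN cannot inject routes. The router-id, area number, metric, timers, key material, the file path and the LAN interface name (em0) are assumptions; FW3 needs the mirror configuration on carp20/carp30, and whether the FreeBSD kernel installs both next hops as a multipath route is a separate question this thread does not settle.

```conf
# /usr/local/etc/ospfd.conf on FW1 (constructed example, path assumed)
# Router ID: carp206's address, chosen here as an assumption.
router-id 10.0.0.49

# Let ospfd install the routes it learns into the kernel routing table.
fib-update yes

# Announce the directly connected networks (LAN side and the two /30 links).
redistribute connected

area 0.0.0.0 {
	# Link1: carp206 <-> carp20 on FW3. The same metric on both links makes
	# ospfd compute them as equal-cost paths, which is what gives load balancing.
	interface carp206 {
		metric 10
		# Hello/dead timers must match on both ends of the link.
		hello-interval 10
		router-dead-time 40
		# Authenticate neighbours; an unauthenticated adjacency lets any
		# host on the VLAN become a "router" and steer traffic.
		auth-type crypt
		auth-md 1 "CHANGE-ME-link1-secret"
		auth-md-keyid 1
	}

	# Link2: carp207 <-> carp30 on FW3, configured identically.
	interface carp207 {
		metric 10
		hello-interval 10
		router-dead-time 40
		auth-type crypt
		auth-md 1 "CHANGE-ME-link2-secret"
		auth-md-keyid 1
	}

	# LAN-facing interface (name assumed): advertise its network but form
	# no adjacencies there, so LAN hosts cannot talk OSPF to the firewall.
	interface em0 {
		passive
	}
}
```

With `passive` on the LAN side the only places that can send hello packets to ospfd are the two authenticated links; watch the log for neighbour state changes after a CARP failover, since the new master has to form the adjacencies again.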