Date:      Sun, 12 Apr 2009 21:19:27 -0700 (PDT)
From:      Craig Cocca <craigcocca@yahoo.com>
To:        freebsd-net@freebsd.org
Subject:   Problem using Carp with NAT for High Availability Firewall
Message-ID:  <798192.81782.qm@web31108.mail.mud.yahoo.com>

I have been experimenting recently with using Carp on FreeBSD 6.1 to implement a high-availability firewall.  I have two FreeBSD 6.1 machines set up, each with their own static IP address, and both machines share a virtual IP (VIP), which is the gateway IP for the machines behind the firewalls.  My network topology looks like this:

                    Internet
                      Switch
                       |
       |--------------------------------|
Firewall 1                     Firewall 2
10.0.0.1                       10.0.0.2
             192.168.0.1 (VIP)
|-------------------------|-------------------|
Server 1         Server 2        Server N


I have been successful in getting the two firewall machines set up so that the slave machine takes over the VIP from the master if the master machine loses connectivity.  However, when the master comes back online and takes over the VIP again, I'm noticing something really odd, namely that traffic starts going to the master again but ends up getting "swallowed alive" by the kernel.

In other words, I can have one of the machines behind the firewalls sending out a ping to a host on the Internet when the slave is servicing the VIP, and I will see traffic on Firewall 2's (slave's) inside and outside interfaces.  As soon as the master comes online and takes over the VIP from the slave again, I see the traffic switch to the inside interface of the master (I see this by watching tcpdump), but I don't see the traffic getting routed to the outside interface!  Either I am doing something wrong, or there is some kind of bug in Carp.  Can anyone shed some light on this?  One other interesting thing to add to the mystery is that if I wait exactly 15 minutes from when the master takes back over the VIP, the traffic starts getting routed again.

Thanks,

Craig
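As an added example, not part of Craig's post, the following is the usual FreeBSD rc.conf, sysctl.conf and pf.conf layout for a CARP firewall pair on the topology above, with pfsync included so that connection state created while the backup carries the VIP is also present on the master when it takes the VIP back (without pfsync each pf host keeps its own state table). It assumes pf is the NAT engine (the post does not say which), assumes the interface names fxp0 (outside), fxp1 (inside) and fxp2 (a dedicated sync link), and uses an outside VIP 10.0.0.3, a sync subnet 172.16.1.0/30 and per-host inside addresses as placeholders; only 10.0.0.1, 10.0.0.2 and 192.168.0.1 come from the post.

```conf
# ---- /etc/rc.conf on Firewall 1 (preferred master) -------------------------
# Firewall 2 uses 10.0.0.2, 192.168.0.3 and 172.16.1.2 for its real addresses
# and advskew 100 on both carp interfaces so that it normally stays BACKUP.
ifconfig_fxp0="inet 10.0.0.1 netmask 255.255.255.0"       # outside, real address (from post)
ifconfig_fxp1="inet 192.168.0.2 netmask 255.255.255.0"    # inside, real address (assumed)
ifconfig_fxp2="inet 172.16.1.1 netmask 255.255.255.252"   # dedicated pfsync link (assumed)
cloned_interfaces="carp0 carp1"
# vhid 1: inside VIP, the servers' default gateway (address from post)
ifconfig_carp0="vhid 1 advskew 0 pass CHANGE_ME 192.168.0.1/24"
# vhid 2: outside VIP used as the NAT source address (address assumed)
ifconfig_carp1="vhid 2 advskew 0 pass CHANGE_ME 10.0.0.3/24"
pf_enable="YES"
pfsync_enable="YES"
pfsync_syncdev="fxp2"

# ---- /etc/sysctl.conf on both firewalls -------------------------------------
# With preempt on, losing the link behind one carp interface demotes both,
# so the inside and outside VIPs always move to the same host together.
net.inet.carp.preempt=1

# ---- /etc/pf.conf, identical on both firewalls -----------------------------
ext_if  = "fxp0"
int_if  = "fxp1"
sync_if = "fxp2"
int_net = "192.168.0.0/24"
ext_vip = "10.0.0.3"        # assumed outside VIP shared by the pair

set skip on lo0

# Translate to the shared outside VIP rather than ($ext_if), so the
# translated source address is the same no matter which host is master.
nat on $ext_if from $int_net to any -> $ext_vip

block all
pass quick on $sync_if proto pfsync                 # state replication between the pair
pass on { $ext_if $int_if } proto carp keep state   # CARP advertisements, IP protocol 112
pass in  on $int_if inet from $int_net to any keep state
pass out on $ext_if inet keep state
```

With this in place, `ifconfig carp0` on each host shows MASTER or BACKUP for the inside VIP, `ifconfig carp1` the same for the outside VIP, and `pfctl -s state` on the master should list the NAT states that were created while the backup was forwarding, since pfsync copies them over the sync link; a state that exists on the backup but not on the master is the kind of gap that shows up in exactly the "inside interface sees it, outside does not" pattern described above, and comparing the two hosts' state tables at the moment of failback is the quickest way to confirm or rule it out.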