From owner-freebsd-net@FreeBSD.ORG Mon Apr 13 04:46:09 2009
From: Craig Cocca <craigcocca@yahoo.com>
To: freebsd-net@freebsd.org
Date: Sun, 12 Apr 2009 21:19:27 -0700 (PDT)
Subject: Problem using Carp with NAT for High Availability Firewall
Message-ID: <798192.81782.qm@web31108.mail.mud.yahoo.com>
List-Id: Networking and TCP/IP with FreeBSD

I have been experimenting recently with using Carp on FreeBSD 6.1 to implement a high-availability firewall. I have two FreeBSD 6.1 machines set up, each with their own static IP address, and both machines share a virtual IP (VIP), which is the gateway IP for the machines behind the firewalls. My network topology looks like this:

                      Internet
                        Switch
                          |
            |--------------------------------|
       Firewall 1                       Firewall 2
       10.0.0.1                         10.0.0.2
                  192.168.0.1 (VIP)
    |-------------------------|-------------------|
 Server 1                  Server 2            Server N


I have been successful in getting the two firewall machines set up so that the slave machine takes over the VIP from the master if the master machine loses connectivity. However, when the master comes back online and takes over the VIP again, I'm noticing something really odd, namely that traffic starts going to the master again but ends up getting "swallowed alive" by the kernel.

In other words, I can have one of the machines behind the firewalls sending out a ping to a host on the Internet when the slave is servicing the VIP, and I will see traffic on Firewall 2's (slave's) inside and outside interfaces. As soon as the master comes online and takes over the VIP from the slave again, I see the traffic switch to the inside interface of the master (I see this by watching tcpdump), but I don't see the traffic getting routed to the outside interface!

Either I am doing something wrong, or there is some kind of bug in Carp. Can anyone shed some light on this? One other interesting thing to add to the mystery is that if I wait exactly 15 minutes from when the master takes back over the VIP, the traffic starts getting routed again.

Thanks,

Craig
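The post does not show how the two firewalls are configured, which NAT implementation they run, or whether firewall state is synchronised between them. As an added example, not code from Craig's post or from the FreeBSD project, here is what a FreeBSD 6.x pair sharing CARP virtual IPs with pf NAT and pfsync state synchronisation looks like. It goes slightly beyond the post's diagram by also placing a VIP on the outside, so that NAT always translates to the same address regardless of which node is MASTER. Everything not in the post is an assumption: the interface names (em0/em1/em2), the CARP password, the dedicated sync link 192.168.255.0/24, the physical inside addresses and the outside VIP 10.0.0.3.

```conf
# Added example (not from the post): FreeBSD 6.x firewall pair with CARP VIPs,
# pf NAT and pfsync. Interface names, the password, the sync link and the
# outside VIP 10.0.0.3 are assumptions; the post only gives 10.0.0.1,
# 10.0.0.2 and the inside VIP 192.168.0.1.

# ---- /etc/rc.conf on Firewall 1 (preferred master) ----
# Firewall 2 is identical except advskew 100 on both carp devices and
# 10.0.0.2 / 192.168.0.3 / 192.168.255.2 on the physical interfaces.
ifconfig_em0="inet 10.0.0.1 netmask 255.255.255.0"        # outside
ifconfig_em1="inet 192.168.0.2 netmask 255.255.255.0"     # inside
ifconfig_em2="inet 192.168.255.1 netmask 255.255.255.0"   # pfsync link (crossover cable)
cloned_interfaces="carp0 carp1"
ifconfig_carp0="vhid 1 advskew 0 pass CHANGEME 192.168.0.1/24"   # inside VIP, gateway for the servers
ifconfig_carp1="vhid 2 advskew 0 pass CHANGEME 10.0.0.3/24"      # outside VIP, NAT source address
pf_enable="YES"
pf_rules="/etc/pf.conf"
pfsync_enable="YES"
pfsync_syncdev="em2"

# ---- /etc/sysctl.conf (both nodes) ----
# With preempt=1 the node with the lower advskew reclaims MASTER when it
# returns, and all vhids on a node fail over together if one of its
# interfaces loses carrier, so the inside and outside VIPs never end up
# on different nodes.
net.inet.carp.preempt=1

# ---- /etc/pf.conf (identical on both nodes) ----
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"
int_net = "192.168.0.0/24"
ext_vip = "10.0.0.3"

# Translate to the shared outside VIP, not to the node's own 10.0.0.x
# address, so a translated flow looks the same whichever node is MASTER.
nat on $ext_if from $int_net to any -> $ext_vip

# CARP advertisements and pfsync updates must pass, and their own states
# must not be synchronised back over the link that carries them.
pass quick on $sync_if proto pfsync keep state (no-sync)
pass on { $ext_if $int_if } proto carp keep state (no-sync)

# Stateful rules for the servers' traffic; every state created here is
# pushed to the other node by pfsync.
pass in  on $int_if from $int_net to any keep state
pass out on $ext_if from $ext_vip to any keep state
```

On either node `ifconfig carp0` reports `carp: MASTER` or `carp: BACKUP` for the inside VIP (and `ifconfig carp1` for the outside one), and `pfctl -ss` lists the state table. While traffic flows through the current master, the backup's `pfctl -ss` should show the same NAT states; comparing the two tables and the two CARP states immediately after a failback is the quickest way to narrow down whether a returning master that sees packets on its inside interface but emits nothing on the outside is missing state, is not actually holding both VIPs, or is dropping the packets for another reason.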