Date: Sun, 26 Feb 2006 11:10:10 GMT
From: Gleb Smirnoff <glebius@FreeBSD.org>
To: freebsd-pf@FreeBSD.org
Subject: Re: kern/93829: Pfsync state time problem with CARP + Arp.Balance
Message-ID: <200602261110.k1QBAA6N063039@freefall.freebsd.org>
The following reply was made to PR kern/93829; it has been noted by GNATS.

From: Gleb Smirnoff <glebius@FreeBSD.org>
To: "C.Dornig" <c_dornig@gmx.de>
Cc: mlaier@FreeBSD.org, dhartmei@FreeBSD.org, freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/93829: Pfsync state time problem with CARP + Arp.Balance
Date: Sun, 26 Feb 2006 14:08:43 +0300

On Sat, Feb 25, 2006 at 02:24:25PM +0000, C.Dornig wrote:
C> I have a problem with CARP + pf + pfsync in arp.balance mode.
C> I have configured 2 cluster routing / netfilter machines with carp + arpbalance.
C>
C> The pf rules are the same on both servers.
C> If the servers run in non-arp.balance mode, the rules are all fine and working perfectly.
C> But if I turn on arp.balance, then I get the following problem.
C> I made a ping (ICMP packet) from my client PC (Client-LAN) to the server behind the PF cluster in the other LAN.
C> The first packet goes through PFCluster1 and the back packet goes through Cluster2.
C> But the state information from the first packet to the server is not fast enough
C> on the PFCluster2 machine, and because of the pf rules the back packet will be blocked.
C> The next packet from client to server will be passed, and also the back traffic.
C>
C> Without arp.balance the rules are OK, all traffic will be passed and the states will be written correctly.
C> Routing only, without pf, is all OK.
C>
C> I have made all network diagnostics. I have made tcpdump on all interfaces and the carps are all OK.
C> Also, pfsync packets are received and sent by each machine.
C> The two machines can send and receive packets to each other.
C>
C> I think there is a timing problem with pfsync. I mean that pfsync sends the state change to the other too slowly.

You have a race between three computers: both CARP routers, and the host
behind them. The ICMP packet can reach the host and be replied to faster
than the state information is sent from one CARP router to another.

I think this problem is not solvable at all, so we must state that
ARP load balancing is not compatible with pfsync(4).

-- 
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE