From: Matthew Seaman
Date: Sun, 27 Aug 2006 22:34:55 +0100
To: freebsd@gorlani.net
Cc: freebsd-questions@freebsd.org
Subject: Re: Understanding CARP

freebsd@gorlani.net wrote:
> Hi
> I'm new to FreeBSD but I'm loving it very much! I'm experimenting with CARP
> to create a redundant router/firewall.
> I created a functioning two-machine routing cluster and it works very well
> while configured for failover. I'm going to test it with load balancing and
> I'm wondering about some problems that could arise.
> Suppose I enable load balancing features.
> Situation: my cluster (made by CL1 and CL2) routes from Net A to Net B. I
> have an A_Client and a B_Server. A_Client initiates a connection to B_Server
> and the packet is routed by the CL1 machine.
> The response packet comes from the B network (it is from B_Server) and is
> taken by CL2 to be routed (asymmetric routing problem, as documented in the
> man page). If no packet filtering occurs, there is no problem. But what if I
> use IPFilter? Is there a way to keep the state between CL1 and CL2 with
> IPFilter?

If you're using CARP, then you should combine it with pf(8) rather than
IPFilter. CARP was written by the same people that wrote pf.

As for keeping state between both halves of a redundant firewall pair,
you need pfsync(4) -- generally that takes a dedicated network link between
both sides of the HA pair -- usually just a cross-over cable. pfsync
will replicate the state table to the other half of the HA pair, so failover
can be made seamless.

See http://www.openbsd.org/faq/pf/carp.html

You can't actually do any *load balancing* with CARP. It's purely a High
Availability function. For firewalls it is usually used in Active/Standby
mode: one of the firewall pair handles all the traffic and the other just
waits to take over if needed. You can make an Active/Active pair by
configuring two carp VIFs on the pair and setting the weightings so that
each side gets one of the VIFs preferentially when everything is working OK,
but again, there's nothing there to actually *balance* the traffic over the
two VIFs. Also, as a very reasonably priced machine nowadays will be able
to cope with running as a firewall at full 100Mb/s line speed on its own,
it generally doesn't achieve anything other than making the configuration
a lot more complex.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       7 Priory Courtyard
                                                      Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW
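The CARP + pfsync active/standby pair that Matthew describes, written out as configuration, as an added example that is not part of the original mail or of the FreeBSD project's own documentation. The script below emits an rc.conf fragment for either node of the pair (same VHIDs and CARP password, lower advskew on the master) and a pf.conf fragment shared by both, with the pfsync traffic confined to the dedicated crossover link and the pfsync/CARP rules marked (no-sync) so the state-sync traffic itself is never replicated. All interface names (em0 = Net A side, em1 = Net B side, em2 = crossover), VHIDs, addresses, the password placeholder and the helper function names are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original mail): rc.conf and pf.conf fragments
# for a two-node CARP + pfsync active/standby router/firewall pair.
# Assumed: em0 faces Net A, em1 faces Net B, em2 is the pfsync crossover
# link; addresses are RFC 5737 documentation ranges; CHANGE_ME_CARP_SECRET
# is a placeholder.  Nothing here talks to the kernel; it only writes files.

gen_rc_conf() {   # $1 = master|backup
  case "$1" in
    master) advskew=0;   ip_a=192.0.2.2;    ip_b=198.51.100.2; ip_sync=10.255.255.1 ;;
    backup) advskew=100; ip_a=192.0.2.3;    ip_b=198.51.100.3; ip_sync=10.255.255.2 ;;
    *) echo "gen_rc_conf: expected master|backup" >&2; return 1 ;;
  esac
  cat <<EOF
# /etc/rc.conf fragment ($1 node) -- constructed example
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"

# Physical interfaces: em0 faces Net A, em1 faces Net B,
# em2 is the point-to-point crossover link used only for pfsync.
ifconfig_em0="inet $ip_a/24"
ifconfig_em1="inet $ip_b/24"
ifconfig_em2="inet $ip_sync/30"

# One CARP virtual IP per routed network.  Same vhid and password on both
# nodes; the node with the lower advskew becomes MASTER for that vhid.
cloned_interfaces="carp0 carp1"
ifconfig_carp0="vhid 1 advskew $advskew pass CHANGE_ME_CARP_SECRET 192.0.2.1/24"
ifconfig_carp1="vhid 2 advskew $advskew pass CHANGE_ME_CARP_SECRET 198.51.100.1/24"

# Replicate the pf state table to the peer over the crossover link.
pfsync_enable="YES"
pfsync_syncdev="em2"
EOF
}

gen_pf_conf() {
  cat <<'EOF'
# /etc/pf.conf fragment -- constructed example, identical on both nodes
ext_if = "em0"      # Net A side
int_if = "em1"      # Net B side
sync_if = "em2"     # pfsync crossover link
b_server = "198.51.100.10"

set skip on lo0

# pfsync and CARP traffic must pass, and the states it creates must NOT be
# replicated (no-sync); otherwise each node would sync the sync traffic.
pass quick on $sync_if proto pfsync keep state (no-sync)
pass on { $ext_if, $int_if } proto carp keep state (no-sync)

# Ordinary forwarded traffic.  The state created on the MASTER is pushed to
# the BACKUP via pfsync, so replies still match after a failover.
block in log all
pass in  on $ext_if inet proto tcp from any to $b_server port 80 keep state
pass out on $int_if inet proto tcp from any to $b_server port 80 keep state
EOF
}

# Sanity check: every pfsync/carp rule in a pf.conf must carry (no-sync).
# Returns 0 when the file is fine, 1 when a rule is missing it or none exist.
check_no_sync() {   # $1 = path to pf.conf
  rules=$(grep -E '^[^#]*proto (pfsync|carp)' "$1" || true)
  [ -n "$rules" ] || return 1
  printf '%s\n' "$rules" | grep -vq 'no-sync' && return 1
  return 0
}

write_configs() {   # $1 = output directory, $2 = master|backup
  mkdir -p "$1" || return 1
  gen_rc_conf "$2" > "$1/rc.conf" || return 1
  gen_pf_conf > "$1/pf.conf"
}
```

Usage: `. ./carp-pfsync.sh; write_configs /tmp/cl1 master; write_configs /tmp/cl2 backup`, then merge the fragments into each node's /etc/rc.conf and /etc/pf.conf. On FreeBSD, also set net.inet.carp.preempt=1 in /etc/sysctl.conf so that a node which loses one interface demotes itself on both VHIDs at once; otherwise CL1 could stay MASTER on Net A while CL2 is MASTER on Net B, which is exactly the asymmetric path the original question worries about.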