From: Markus Gebert <markus.gebert@hostpoint.ch>
To: Aristedes Maniatis
Cc: freebsd-stable <freebsd-stable@freebsd.org>
Subject: Re: CARP forcing failover
Date: Wed, 1 Mar 2017 11:33:33 +0100

> On 1 Mar 2017, at 01:58, Aristedes Maniatis wrote:
>
> I have a pair of network gateway boxes running FreeBSD 11 and pf. Upstream runs VRRP to provide redundant links, one to each gateway. Internally I'm using CARP for failover.
>
> All works well, but I find that manually failing over the link is a bit complicated. In short I have this:
>
> em0: flags=8943 metric 0 mtu 1500
>         media: Ethernet autoselect (100baseTX )
>         status: active
>         carp: BACKUP vhid 1 advbase 1 advskew 50
> igb0: flags=8943 metric 0 mtu 1500
>         media: Ethernet autoselect (1000baseT )
>         status: active
>         carp: BACKUP vhid 2 advbase 1 advskew 50
> igb0.2: flags=8943 metric 0 mtu 1500
>         status: active
>         vlan: 2 vlanpcp: 0 parent interface: igb0
>         carp: BACKUP vhid 3 advbase 1 advskew 50
>         groups: vlan
>
> That's two internal vlans and one external network. Each interface has its own vhid since that's the advice I had in the past.
>
> Now, what command can I type that I could run remotely (SSH over the em0 link) to force all the CARP addresses simultaneously to decrease the advskew and become MASTER. Alternatively I could run something on the MASTER to make it BACKUP. Everything I've done so far is one command per interface, which has got me in trouble before as I manage to accidentally remove my own access to the box before I'm done.

You may look into this sysctl:

    # sysctl -d net.inet.carp.demotion
    net.inet.carp.demotion: Adjust demotion factor (skew of advskew)

Its value gets changed automatically if some event occurs (look into net.inet.carp.ifdown_demotion_factor, net.inet.carp.senderr_demotion_factor, net.pfsync.carp_demotion_factor), but you may also control it manually. A positive value will increase the advskew of _all_ CARP announcements (on the wire, not visible with ifconfig IIRC) and therefore reduce the priority of the node. A negative value will of course do the opposite. Like this you can raise/lower the advskew above/below the other node and trigger a failover. net.inet.carp.preempt must be 1 on both nodes for this to have an immediate effect.

Beware that net.inet.carp.demotion expects _relative_ values when altered through the sysctl interface. So 'sysctl net.inet.carp.demotion=100' will increase its current value by 100 and 'sysctl net.inet.carp.demotion=-100' will decrease its current value by 100.

Markus
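An added example, not from Markus's mail or the FreeBSD tree: a small sh script that sets net.inet.carp.demotion to an absolute target by computing the relative delta the sysctl expects and reading the value back to confirm, so the same command can be repeated without stacking deltas. The DRY_RUN/FAKE_DEMOTION knobs are assumptions for running it off-box, and the 0..254 clamp on the effective advskew is assumed from the kernel's CARP_MAXSKEW.

```shell
#!/bin/sh
# Set net.inet.carp.demotion to an absolute value (hypothetical helper).
# The sysctl only accepts relative changes, so we read the current value,
# compute the delta, apply it, and verify the result.

# Current demotion value; DRY_RUN lets the script run without sysctl(8).
carp_demotion_current() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "${FAKE_DEMOTION:-0}"
    else
        sysctl -n net.inet.carp.demotion
    fi
}

# Relative delta to move from the current value ($1) to the target ($2).
carp_demotion_delta() {
    echo $(( $2 - $1 ))
}

# Effective advskew sent on the wire for a vhid with base advskew $1 and
# demotion $2 (assumed clamp 0..254, mirroring CARP_MAXSKEW).
carp_effective_skew() {
    skew=$(( $1 + $2 ))
    if [ "$skew" -gt 254 ]; then skew=254; fi
    if [ "$skew" -lt 0 ]; then skew=0; fi
    echo "$skew"
}

# Apply an absolute target. In dry-run mode only the command is printed.
carp_demotion_set() {
    target=$1
    cur=$(carp_demotion_current)
    delta=$(carp_demotion_delta "$cur" "$target")
    if [ "$delta" -eq 0 ]; then
        echo "net.inet.carp.demotion already $target"
        return 0
    fi
    if [ -n "${DRY_RUN:-}" ]; then
        echo "sysctl net.inet.carp.demotion=$delta"
        return 0
    fi
    sysctl net.inet.carp.demotion="$delta" >/dev/null || return 1
    new=$(sysctl -n net.inet.carp.demotion)
    if [ "$new" -ne "$target" ]; then
        echo "expected demotion $target, kernel reports $new" >&2
        return 1
    fi
    echo "net.inet.carp.demotion is now $new"
}
```

With net.inet.carp.preempt=1 on both nodes, `carp_demotion_set 240` on the current MASTER pushes every vhid's effective advskew above a peer at advskew 50 in one step, and `carp_demotion_set 0` restores it regardless of how many times the first command ran.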