On 05/09/2011 19:30, Stuart Henderson wrote:
On 2011-09-05, Mathieu Blanc<mathieu.bl...@smile.fr> wrote:
So the ingoing traffic goes into bsd1, and the servers now use bsd2 to
go out.
Is it not a problem? In terms of firewalling for example (keep state?
will bsd2 authorize the traffic which is initiated by bsd1? maybe with
the help of pfsync??)
pfsync(4) can handle this if you use 'defer', see the pfsync manpage,
but this is normally only desirable for load-balancing.
I read the manpage, and it seems to match exactly with what I want to do:
"Where more than one firewall might actively handle packets, e.g. with
certain ospfd(8), bgpd(8) or carp(4) configurations, it is beneficial to
defer transmission of the initial packet of a connection. The pfsync
state insert message is sent immediately; the packet is queued until
either this message is acknowledged by another system, or a timeout has
expired."
This is for load-sharing between 2 firewalls, you don't want it for a
typical setup with 1 active and 1 passive firewall as it delays things
If I take my previous example :
Network A [interconnection with others routers] = 192.168.1.0/24
(configured on em0, and carp0)
presumably you are announcing the networks behind bsd1/bsd2 over
ospf to your other routers; so I don't think carp0 is useful.
Network B [network with servers] = 172.16.1.0/24 (configured on em1, and
carp1, used by servers for default gateway)
em2 is for pfsync.
The ospfd.conf is very simple.
bsd1# ifconfig -A
em0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST>
inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
em1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST>
inet 172.16.1.1 netmask 0xffffff00 broadcast 172.16.1.255
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 172.16.99.1 netmask 0xfffffffc broadcast 172.16.99.3
pfsync0: flags=41<UP,RUNNING> mtu 1500
pfsync: syncdev: em2 syncpeer: 172.16.99.2 maxupd: 128 defer: off
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
carp: MASTER carpdev em0 vhid 170 advbase 1 advskew 80
inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
carp: MASTER carpdev em1 vhid 171 advbase 1 advskew 120
inet 172.16.1.100 netmask 0xffffff00 broadcast 172.16.1.255
bsd1# cat /etc/ospfd.conf
area 0.0.0.0 {
interface em0
interface em1
interface carp0 { passive }
interface carp1 { passive }
}
I would:-
remove "interface carp0 { passive }" from ospfd.conf
remove "interface em1" from ospfd.conf
ospfctl reload
ifconfig carp0 destroy
rm /etc/hostname.carp0
Wow!
It works like a charm ;)
I now have just *one* route to Network B on my routers (routers in
Network A): the IP of bsd1 (192.168.1.1 in my example), which is
currently master.
If I do a carp demote on bsd1, the route changes to bsd2 (192.168.1.1).
So there is no problem like I mentioned last time (ingoing traffic goes
to bsd1 and outgoing traffic by bsd2).
Thank you very much for your help! It's exactly what I tried to do :)
Mathieu
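As an added example (not part of the thread, not OpenBSD's own tooling), a small POSIX sh check for the active/passive layout Stuart describes: pfsync 'defer' off, the server-side CARP interface passive in ospfd.conf, and carp0 gone from it. The ifconfig and ospfd.conf samples are constructed from the values quoted above so it runs offline; on a real box you would feed it `ifconfig -A` and /etc/ospfd.conf.

```shell
#!/bin/sh
# Constructed sample, assembled from the interfaces quoted in the thread.
IFCONFIG_SAMPLE='carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	carp: MASTER carpdev em1 vhid 171 advbase 1 advskew 120
	inet 172.16.1.100 netmask 0xffffff00 broadcast 172.16.1.255
pfsync0: flags=41<UP,RUNNING> mtu 1500
	pfsync: syncdev: em2 syncpeer: 172.16.99.2 maxupd: 128 defer: off'

# Constructed sample: the ospfd.conf after Stuart's suggested edits.
OSPFD_SAMPLE='area 0.0.0.0 {
	interface em0
	interface carp1 { passive }
}'

# carp_state IFCONFIG_TEXT IFACE -> prints MASTER, BACKUP or INIT
carp_state() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        $1 == ifc ":" { in_if = 1; next }
        /^[a-z]/ { in_if = 0 }
        in_if && $1 == "carp:" { print $2; exit }'
}

# pfsync_defer IFCONFIG_TEXT -> prints on/off from the pfsync status line
pfsync_defer() {
    printf '%s\n' "$1" | awk '$1 == "pfsync:" { for (i = 1; i <= NF; i++) if ($i == "defer:") print $(i + 1) }'
}

# ospf_passive OSPFD_TEXT IFACE -> 0 if the interface is declared passive
ospf_passive() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*interface[[:space:]]+$2[[:space:]]*\{[[:space:]]*passive"
}

# ospf_has_iface OSPFD_TEXT IFACE -> 0 if the interface appears at all
ospf_has_iface() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*interface[[:space:]]+$2([[:space:]]|$)"
}

# check_failover IFCONFIG_TEXT OSPFD_TEXT -> 0 when the active/passive
# layout holds, 1 otherwise (each finding is printed to stderr)
check_failover() {
    rc=0
    # 'defer' is for load-sharing; with one active firewall it only adds delay
    [ "$(pfsync_defer "$1")" = "off" ] || { echo "pfsync defer should be off" >&2; rc=1; }
    # carp1 passive: the 172.16.1.0/24 route is announced only by the MASTER
    ospf_passive "$2" carp1 || { echo "carp1 not passive in ospfd.conf" >&2; rc=1; }
    # carp0 was destroyed; leaving it in ospfd.conf announces a stale route
    ospf_has_iface "$2" carp0 && { echo "carp0 still in ospfd.conf" >&2; rc=1; }
    return $rc
}
```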