On Mon, Jan 02, 2006 at 01:26:07PM +0100, Pailloncy Jean-Gerard wrote:
> Hi,
> 
> I get a new block of 256 IPs. And my provider gives me two cables and  
> two gateways (a.b.c.1 and a.b.c.2) inside my block (a.b.c.0/24).
> 
> I want to install a redundant filter made from two soekris.
> I did some tests on my desk with a redundant bridge, but I got a storm
> of packets (a loop of 8000 packets/s) from a single ping through the bridge.
> I asked Ryan & Henning at EuroBSCon'05, and they said 'I really want to
> have a redundant router' (and not a bridge).
> 
> I do not understand how to setup a router with IPs from the same  
> block on each side.

You should configure CARP on the internal interface; this will give you
an IP address, say a.b.c.8, which points to whatever Soekris is 'master'
at the time. Set this as default gateway on all hosts in a.b.c.0/24 but
the routers themselves.

Now for the Soekrises. For the easiest setup, use one cable per Soekris.
Configure CARP on the internal interface; assign it a.b.c.8, with
netmask 255.255.255.0.

The external interfaces should be assigned, say, a.b.c.3 and a.b.c.4 respectively.
Give them a netmask of 255.255.255.247. This will allow you 8 addresses
'on the outside' (for a slightly more efficient implementation, use
a.b.c.0 and a.b.c.3, then set your netmask to .251 - you'll not waste
any IP addresses that way, but a.b.c.0 might just be reserved, and
you'll need one more address for CARP anyway, if you want to do that).

Now, since more specific entries trump more generic, the Soekrises will
route a.b.c.0/28 to the outside routers and the rest of a.b.c.0/24 to
your internal network.

This takes care of redundancy 'from the inside'; if you wish to host
redundant services, you'll have to do some more work. Notably, you'll
have to find some way - BGP? OSPF? - to tell the ISP's routers that
Soekris #1 is out of commission, and to please route everything to
Soekris #2 (i.e., over a.b.c.2).

Either that, or repeat the CARP procedure. Which one is easiest/works
best is hard to say - CARP, for instance, needs broadcasts; on the other
hand, BGP is only for people with their own ASes... hard to tell without
more information. And outside of the scope of your question, anyway.

Also see pfsync(4) for keeping the states synchronized, and sasyncd(8)
if you wish to keep IPsec states synchronized.

                Joachim
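As an added example (not part of Joachim's mail or of OpenBSD's own files), here is a POSIX shell script that writes the hostname.if(5), mygate(5) and pf.conf(5) fragments for the two-router layout described above. Everything concrete in it is an assumption: 192.0.2.0/24 stands in for a.b.c.0/24; sis0 is the outside interface, sis1 the inside one and sis2 a dedicated back-to-back link for pfsync; the outside interfaces get a.b.c.3 and a.b.c.4 with a /29 mask (255.255.255.248, eight addresses covering the ISP gateways a.b.c.1 and a.b.c.2); the inside interfaces get a.b.c.9 and a.b.c.10 with the /24, and carp0 carries the shared a.b.c.8; node 1 is the preferred master (advskew 0), node 2 the backup (advskew 100); the CARP password is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post. Generates OpenBSD config
# fragments for a two-Soekris redundant router pair.
# Assumed names/addresses (hypothetical): 192.0.2.0/24 = a.b.c.0/24,
# sis0 = outside, sis1 = inside, sis2 = pfsync link, outside mask = /29.
set -eu

NET=192.0.2            # "a.b.c" of the assigned /24
CARP_PASS=changeme     # shared CARP secret; placeholder, set your own

# gen_config NODE OUTDIR : write the files for Soekris NODE (1 or 2) into OUTDIR
gen_config() {
    node=$1; out=$2
    case "$node" in
        1) ext=3; gw=1; int=9;  skew=0;   sync=1 ;;   # preferred master
        2) ext=4; gw=2; int=10; skew=100; sync=2 ;;   # backup
        *) echo "node must be 1 or 2" >&2; return 1 ;;
    esac
    mkdir -p "$out"

    # Outside: /29, so only a.b.c.0-7 (where the ISP gateways live) is
    # directly attached; the more specific route wins over the inside /24.
    printf 'inet %s.%s 255.255.255.248\n' "$NET" "$ext" > "$out/hostname.sis0"

    # Inside: the full /24 on the physical interface, plus the CARP address
    # a.b.c.8 that every LAN host uses as its default gateway.
    printf 'inet %s.%s 255.255.255.0\n' "$NET" "$int" > "$out/hostname.sis1"
    printf 'inet %s.8 255.255.255.0 %s.255 vhid 1 carpdev sis1 pass %s advskew %s\n' \
        "$NET" "$NET" "$CARP_PASS" "$skew" > "$out/hostname.carp0"

    # pfsync is unauthenticated: keep it on a dedicated crossover link.
    printf 'inet 10.255.255.%s 255.255.255.252\n' "$sync" > "$out/hostname.sis2"
    printf 'up syncdev sis2\n' > "$out/hostname.pfsync0"

    # Each box points its default route at "its own" ISP gateway.
    printf '%s.%s\n' "$NET" "$gw" > "$out/mygate"

    # pf.conf fragment: allow CARP on the inside and pfsync on the sync link,
    # and do not accept CARP announcements arriving from the outside.
    cat > "$out/pf.conf.fragment" <<EOF
ext_if = "sis0"
int_if = "sis1"
sync_if = "sis2"
pass quick on \$sync_if proto pfsync keep state (no-sync)
pass on \$int_if proto carp keep state (no-sync)
block in on \$ext_if proto carp
EOF
}

# Usage: sh gen.sh 1 /tmp/soekris1 ; sh gen.sh 2 /tmp/soekris2
if [ $# -eq 2 ]; then
    gen_config "$1" "$2"
fi
```

The two generated trees differ only in the outside address, the default gateway, the inside address, the pfsync link address and the advskew value; copy each tree to /etc on the corresponding box and review it before rebooting. The /29 on the outside is what makes the "more specific entries trump more generic" routing work: without it both interfaces would claim the whole /24.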
