On 2018-09-11, Tim Jones <b631093f-779b-4d67-9ffe-5f6d5b1d3...@protonmail.ch> 
wrote:
> I've had a quick look through the man pages and am still a bit unclear;
> perhaps I'm just overthinking this?
>
> Let's say I've got two perimeter "firewalls" running OpenBSD, talking BGP to
> upstream routers.
>
> On the "LAN" side I'm thinking about CARP, which is active/passive, and the
> devices on the "LAN" side will have the CARP set as their default gateway.
>
> If both BGP talkers advertise the "LAN" to the upstreams (i.e. "network
> 192.0.2.0/24" in bgpd.conf), how does that work in terms of reachability from
> the device that is currently CARP passive?
>
> The man pages mention two CARP-related configuration options for bgpd.conf,
> but these don't seem to cater for the application I'm thinking of? (i.e.
> "demote" is more related to waiting until BGP is established, and "depend
> on" is related to staying in idle if CARP is passive, which is obviously not
> an attractive idea as I'd obviously like both upstreams' BGP sessions active?)

If both are advertising the same prefixes, packets could arrive at
either router, so to do this you'll need an IP address on the "carpdev
interface", i.e. the interface that carp is running over.

PF does TCP sequence number checking, so to avoid problems there you'll
also need one of the following:

- not use PF
- use PF rules with "keep state (sloppy)"
- use pfsync(4) with the "defer" flag

Alternatively maybe you could control advertising the network by not
listing it in config, but use "bgpctl network" commands from ifstated or
similar, that way directing traffic towards the correct machine. Either
advertise with low localpref when you have carp backup and switch to
high localpref when you have master. Or (probably only really useful
within your own network) advertise the whole LAN all the time, but also
advertise deaggregates from the machine with carp master.
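As an added example (not part of the thread), here is how the pieces in this reply fit together on one of the two routers: sloppy PF state for the asymmetric flows, the pfsync "defer" alternative, and an ifstated.conf that moves the LAN announcement between localpref values through bgpctl instead of listing it in bgpd.conf. Interface names (em0/em1/em2), the localpref values and the pfsync link are assumptions; the bgpctl "set localpref" attribute syntax is assumed to match the network statement in bgpd.conf(5) and should be checked against bgpctl(8).

```conf
# --- /etc/pf.conf (fragment) ---
# Assumed names: em0 = upstream/BGP side, em1 = LAN side (the carpdev),
# em2 = dedicated pfsync link. 192.0.2.0/24 is the LAN prefix from the thread.
ext_if = "em0"
lan_if = "em1"
lan_net = "192.0.2.0/24"

# With both routers announcing the prefix, one router may see only one
# direction of a TCP flow. sloppy disables sequence-number tracking so
# those half-seen flows are not dropped.
pass in on $lan_if inet from $lan_net keep state (sloppy)
pass out on $ext_if inet from $lan_net keep state (sloppy)

# --- /etc/hostname.pfsync0 ---
# Alternative to sloppy: "defer" holds the first packet of a new state until
# the pfsync peer has acknowledged it, so the other router already knows the
# state when the return traffic lands there.
up syncdev em2 defer

# --- /etc/ifstated.conf ---
# Re-announces the LAN prefix with a different localpref whenever carp0
# changes state. The prefix is NOT in bgpd.conf; bgpctl owns it. Note that
# localpref is only honoured by iBGP peers; eBGP upstreams never see it.
init-state backup

carp_master = "carp0.link.up"

state backup {
	init {
		run "bgpctl network delete 192.0.2.0/24"
		run "bgpctl network add 192.0.2.0/24 set localpref 50"
	}
	if $carp_master {
		set-state master
	}
}

state master {
	init {
		run "bgpctl network delete 192.0.2.0/24"
		run "bgpctl network add 192.0.2.0/24 set localpref 150"
	}
	if !$carp_master {
		set-state backup
	}
}
```

The "delete" before each "add" keeps the announcement idempotent when ifstated restarts or flaps; the CARP-passive router still keeps its own BGP sessions up, which is what "depend on" would have prevented.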
