Or re-write next-hop to the carp address, so carp actually decides the master firewall.
/T

On Thu, 13 Sep 2018 at 00:20, Tim Jones <b631093f-779b-4d67-9ffe-5f6d5b1d3...@protonmail.ch> wrote:
>
> On Wednesday, 12 September 2018 20:49, Stuart Henderson <s...@spacehopper.org> wrote:
>
> > On 2018-09-11, Tim Jones <b631093f-779b-4d67-9ffe-5f6d5b1d3...@protonmail.ch> wrote:
> >
> > > I've had a quick look through the man pages and am still a bit unclear, perhaps I'm just overthinking this?
> > >
> > > Let's say I've got two perimeter "firewalls" running OpenBSD, talking BGP to upstream routers.
> > >
> > > On the "LAN" side I'm thinking about CARP, which is active/passive, and the devices on the "LAN" side will have the CARP set as their default gateway.
> > >
> > > If both BGP talkers advertise the "LAN" to the upstreams (i.e. "network 192.0.2.0/24" in bgpd.conf), how does that work in terms of reachability from the device that is currently CARP passive?
> > >
> > > The man pages mention two CARP related configuration options for bgpd.conf but these don't seem to cater for the application I'm thinking of? (i.e. "demote" is more related to waiting until BGP is established, and "depend on" is related to staying in idle if CARP is passive, which is obviously not an attractive idea as I'd obviously like both upstream BGP sessions active?)
> >
> > If both are advertising the same prefixes, packets could arrive at either router, so to do this you'll need an IP address on the "carpdev interface" i.e. the interface that carp is running over.
> >
> > PF does TCP sequence number checking, so to avoid problems there you'll also need one of the following
> >
> > - not use PF
> > - use PF rules with "keep state (sloppy)"
> > - use pfsync(4) with the "defer" flag
> >
> > Alternatively maybe you could control advertising the network by not listing it in config, but use "bgpctl network" commands from ifstated or similar, that way directing traffic towards the correct machine. Either advertise with low localpref when you have carp backup and switch to high localpref when you have master. Or (probably only really useful within your own network) advertise the whole lan all the time, but also advertise deaggregates from the machine with carp master.
>
> Thank you Stuart!
>
> Based on your comments I've just spent a bit of time with ifstated and it seems that was the missing link. Fails over nicely now with both BGP instances advertising but changing prefs.
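The ifstated-driven approach Stuart describes and Tim confirms (keep both BGP sessions established, announce the LAN from both routers, and let the CARP state decide which announcement carries the higher localpref) as an added ifstated.conf example. This is constructed for illustration and is not configuration from anyone in the thread; the interface name carp0, the localpref values 200 and 50, and the assumption that bgpd.conf carries no static "network 192.0.2.0/24" line are mine, while the prefix 192.0.2.0/24 and the "bgpctl network" / localpref mechanism are the ones discussed above.

```conf
# Constructed ifstated.conf example (not from the thread).
# Tracks the CARP state of carp0 and re-announces 192.0.2.0/24 via bgpctl:
# high localpref while this router is CARP master, low while it is backup.
# carp0 and the localpref values are assumptions; the prefix is from the thread.
#
# Assumes bgpd.conf does NOT list the prefix as a static "network" line,
# so the announcement is entirely under ifstated's control and the
# BGP session itself stays established in both states.

carp_master = "carp0.link.up"
carp_backup = "! carp0.link.up"

# Pick the initial state from the live CARP state when ifstated starts.
state auto {
	if $carp_master
		set-state master
	if $carp_backup
		set-state backup
}

# MASTER: announce the LAN with a high localpref so neighbours prefer
# this router. Delete first so the attribute change is applied cleanly
# rather than merged with a previous entry for the same prefix.
state master {
	init {
		run "bgpctl network delete 192.0.2.0/24; bgpctl network add 192.0.2.0/24 set localpref 200"
	}
	if $carp_backup
		set-state backup
}

# BACKUP: keep the prefix announced, but with a low localpref so it is
# only used once the master's announcement is withdrawn or lost.
state backup {
	init {
		run "bgpctl network delete 192.0.2.0/24; bgpctl network add 192.0.2.0/24 set localpref 50"
	}
	if $carp_master
		set-state master
}
```

Two points a practitioner should check when adapting this: localpref is only meaningful inside your own AS (it is not carried across eBGP sessions), so towards external upstreams the same state machine would have to set an attribute the upstream actually sees, such as a higher MED or AS-path prepending, in the backup state instead; and, as Stuart notes, traffic can still land on the router that is currently CARP backup, so that router needs an address on the carpdev interface and either "keep state (sloppy)" rules or pfsync(4) with "defer" so PF does not drop mid-stream TCP packets it has no state for.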