Ryan McBride wrote:
On Mon, Mar 27, 2006 at 12:32:31PM +0900, Jason Stubbs wrote:
Same main question as in the last thread I posted to, but without any of the distractions. Can a pair of redundant firewalls be used with arpbalance without being affected by the "state race"?

It should work fine with arpbalance, as there shouldn't be a "state
race"; effectively each host is being served by only one firewall unless
there is a failure.

Thanks for the reply.

Machines on either side of the pair of firewalls are effectively bound to a single firewall. When both the client and the server have been balanced to the same firewall, everything works correctly. The problem only occurs when a client is bound to the first firewall while the server it is accessing is bound to the second firewall.

The configuration I'm testing is essentially:

hostname.carp0: 192.168.1.193 ... vhid 1 ... advskew 0
hostname.carp1: 192.168.1.193 ... vhid 2 ... advskew 100
hostname.carp3: 192.168.2.1 ... vhid 3 ... advskew 0
hostname.carp4: 192.168.2.1 ... vhid 4 ... advskew 100

The advskew is reversed on the second machine and ifconfig shows that MASTER/BACKUP states are correct. pf.conf is essentially:

rdr from any to 192.168.1.193 -> 192.168.2.2

192.168.2.2 is a server with a default route of 192.168.2.1.

What version of OpenBSD are you trying to do this with? There have been
some bugs fixed in both the pfsync and arpbalance code over the past
year...

I've tried with both 3.8 stable and current but no (complete) success with either. Is there something wrong with the configuration above?

--
Jason Stubbs
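
The case described in this message (client bound to one firewall, server bound to the other) can be reasoned about with a small timing model. This is an added example, not code from the thread or from OpenBSD. The balancing rule, the client addresses and the millisecond values are constructed assumptions, and it assumes a reply that reaches a firewall holding no state for the flow is not passed.

```python
"""Toy model of a flow crossing two arpbalance'd firewalls (added example)."""
from ipaddress import ip_address

FIREWALLS = ("fw1", "fw2")


def bound_firewall(host_ip: str) -> str:
    # ASSUMPTION: stand-in balancing rule (host address modulo firewall count).
    # It only reproduces "each host is bound to a single firewall"; it is not
    # a description of how arpbalance actually selects the answering node.
    return FIREWALLS[int(ip_address(host_ip)) % len(FIREWALLS)]


def run_flow(client: str, server: str, reply_delay_ms: int, pfsync_delay_ms: int) -> dict:
    """Follow one redirected connection and its first reply packet.

    reply_delay_ms  : time until the server's reply reaches its gateway
    pfsync_delay_ms : time until the peer firewall has learned the new state
    """
    inbound = bound_firewall(client)    # answers the client's ARP for the outside address
    outbound = bound_firewall(server)   # answers the server's ARP for its default route

    # The rdr creates state on the inbound firewall at t=0; the peer only
    # has a usable copy once the pfsync update has arrived.
    state_ready_at = {fw: (0 if fw == inbound else pfsync_delay_ms) for fw in FIREWALLS}

    return {
        "inbound": inbound,
        "outbound": outbound,
        "asymmetric": inbound != outbound,
        "reply_passes": state_ready_at[outbound] <= reply_delay_ms,
    }


if __name__ == "__main__":
    server = "192.168.2.2"  # server address from the message above
    # Constructed clients and timings: (client, reply delay, pfsync delay)
    for client, reply_ms, sync_ms in [
        ("192.168.1.10", 1, 5),   # same firewall both ways
        ("192.168.1.11", 1, 5),   # different firewalls, reply beats the sync
        ("192.168.1.11", 20, 5),  # different firewalls, sync arrives first
    ]:
        print(client, run_flow(client, server, reply_ms, sync_ms))
```

In this model only the asymmetric flow depends on timing, which matches the observation that connections work when client and server are balanced to the same firewall.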
