Carl Roberso wrote:
Henning Brauer wrote:
6000 irq/s is not much.
increase sysctl net.inet.ip.ifq.maxlen.


Thank you v-e-r-y much Henning, this seems to have cured the problem.

Another problem seems left, anyway. :(

I'm running bgpd on both OpenBSD boxes: it's really a fine piece of
software, but when dealing with a setup like mine (the same box does PF & BGP
routing, from here on "the firewall"), you can get in trouble when using one
BGP session per provider per firewall, and the uplink ISP gets you some
packets on firewall A and some others on firewall B (so there isn't a priority
on the BGP session). Another similar problem arises when firewall B becomes
master: firewall A stops the packet flow, but maybe its BGP session
remains active (the "most" active, or the real one with most priority,
depends on the ISP).. and packet confusion starts.

Of course a "solution" seems to be having a BGP session active ONLY when a
given firewall is active.. but this means that when CARP instantly (without
losing the TCP sessions) helps to switch to the "secondary" firewall..
everything will be blocked, waiting for the BGP session to download routes.

Do any of you guys have a hint also for this situation (that is, having concurrent
BGP sessions, but making sure that the "master firewall" gets all packets
coming from all BGP sessions, without mangling with PF states)?

Again, thank you in advance.
The BGP problem is solved by doing this:
You need 3 IPs for communicating with each provider. Let's say you have 172.16.0.1, 172.16.0.2 and 172.16.0.3 to communicate with ISP1. You set up 172.16.0.1 on Firewall #1, 172.16.0.2 on Firewall #2, and you set up 172.16.0.3 on both of them with CARP. Then you establish BGP sessions from 172.16.0.1 and 172.16.0.2 to your provider, and tell the provider to set next-hop for both of them to 172.16.0.3. This way both of the sessions are live, and traffic goes to the active machine. Once it fails, the other one takes over the common 172.16.0.3 and keeps receiving the traffic without waiting for BGP timeouts, BGP prefix download or anything else.
Do the same with ISP2 and you're ready to go.

Regards,
Doichin
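The three-address layout Doichin describes, written out as OpenBSD configuration for Firewall #1 (an added example, not from the thread). ISP1's peering address 172.16.0.254, the AS numbers 65000/65001, the interface em0, the announced prefix and the CARP password are assumptions; the next-hop rewrite is done here in bgpd's outbound filter, which is the firewall-side counterpart of asking the provider to set it.

```conf
# /etc/hostname.em0 -- Firewall #1's own address toward ISP1 (Firewall #2 uses 172.16.0.2)
inet 172.16.0.1 255.255.255.0 NONE

# /etc/hostname.carp0 -- shared address, identical on both firewalls except advskew
# Firewall #1: advskew 0 (preferred master); Firewall #2: advskew 100
inet 172.16.0.3 255.255.255.0 NONE vhid 1 carpdev em0 advskew 0 pass CARP_SECRET_PLACEHOLDER

# /etc/bgpd.conf -- Firewall #1 (Firewall #2 differs only in router-id and local-address)
AS 65000                       # assumed local AS
router-id 172.16.0.1
isp1_peer="172.16.0.254"       # assumed ISP1 peering address
carp_vip="172.16.0.3"          # the CARP address both firewalls share
our_prefix="192.0.2.0/24"      # placeholder for the prefix announced to ISP1

neighbor $isp1_peer {
	descr         "ISP1"
	remote-as     65001        # assumed ISP1 AS
	local-address 172.16.0.1   # session is bound to the per-box address, not the CARP address
}

# Announce only our prefix, and advertise the CARP address as its next hop so that
# ISP1 forwards return traffic to whichever box currently holds 172.16.0.3.
# bgpd evaluates filter rules in order and the last matching rule wins.
deny from any
deny to any
allow to $isp1_peer prefix $our_prefix set nexthop $carp_vip
allow from $isp1_peer
```

Firewall #2 runs the same files with 172.16.0.2 as its em0 address, router-id and local-address, and advskew 100 on carp0, so both sessions stay up while only the CARP master receives the forwarded traffic.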
