> * Aaron <[EMAIL PROTECTED]> [2007-12-28 03:24]:
>> I am wondering, in a dual firewall situation, preemption enabled, carp
>> working just fine (i think), is it normal that the backup firewall (when
>> in backup state) has no connectivity on any of the carped interfaces?
>
> that depends whether your "external" carp interface has numbered or
> unnumbered parents.
> if the parents ("carpdev") are unnumbered (no IP assigned), it is quite
> normal. otherwise you have sth wrong.
>
> --
> Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
> BS Web Services, http://bsws.de
> Full-Service ISP - Secure Hosting, Mail and DNS Services
> Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam
>
>
how depressing.. ok.. here is some information, please let me know if
there are other things I should include.

The firewall is a plain jane supermicro pd4sa with a p4 2ghz and 512Mb
memory.  I am not currently at the location with the box so i don't have a
dmesg to post.

There are 5 physical interfaces on the machine, fxp0-3 and rl0 which I use
for my pfsync interface.

in my best ascii art, this is the machine layout.

             |---------------------|
------------- wanA/carp0           carp2-----dmz-
             |                     |
------------- wanB/carp1           carp3------lan
             |---------------------|


Here are my interface configs:

main firewall fxp0:
inet 10.125.221.2 255.255.255.0 NONE
main firewall fxp1:
inet 10.126.221.2 255.255.255.0 NONE

backup firewall fxp0:
inet 10.125.221.3 255.255.255.0 NONE
backup firewall fxp1:
inet 10.126.221.3 255.255.255.0 NONE

main firewall Carp0:
inet 192.168.3.65 255.255.255.224 192.168.3.95 vhid 1 carpdev fxp0 pass tester1
inet alias 192.168.3.66 255.255.255.224
inet alias 192.168.3.67 255.255.255.224
inet alias 192.168.3.68 255.255.255.224
inet alias 192.168.3.69 255.255.255.224
inet alias 192.168.3.70 255.255.255.224
inet alias 192.168.3.71 255.255.255.224
inet alias 192.168.3.72 255.255.255.224
inet alias 192.168.3.73 255.255.255.224
inet alias 192.168.3.74 255.255.255.224
inet alias 192.168.3.75 255.255.255.224
inet alias 192.168.3.76 255.255.255.224
inet alias 192.168.3.77 255.255.255.224
inet alias 192.168.3.78 255.255.255.224
inet alias 192.168.3.79 255.255.255.224
inet alias 192.168.3.80 255.255.255.224
inet alias 192.168.3.81 255.255.255.224
inet alias 192.168.3.82 255.255.255.224
inet alias 192.168.3.83 255.255.255.224
inet alias 192.168.3.84 255.255.255.224
inet alias 192.168.3.85 255.255.255.224
inet alias 192.168.3.86 255.255.255.224
inet alias 192.168.3.87 255.255.255.224
inet alias 192.168.3.88 255.255.255.224
inet alias 192.168.3.89 255.255.255.224
inet alias 192.168.3.90 255.255.255.224
inet alias 192.168.3.91 255.255.255.224
inet alias 192.168.3.92 255.255.255.224
inet alias 192.168.3.93 255.255.255.224

main firewall Carp1:
inet 192.168.3.129 255.255.255.224 192.168.3.159 vhid 2 carpdev fxp1 pass tester2
inet alias 192.168.3.130 255.255.255.224
inet alias 192.168.3.131 255.255.255.224
inet alias 192.168.3.132 255.255.255.224
inet alias 192.168.3.133 255.255.255.224
inet alias 192.168.3.134 255.255.255.224
inet alias 192.168.3.135 255.255.255.224
inet alias 192.168.3.136 255.255.255.224
inet alias 192.168.3.137 255.255.255.224
inet alias 192.168.3.138 255.255.255.224
inet alias 192.168.3.139 255.255.255.224
inet alias 192.168.3.140 255.255.255.224
inet alias 192.168.3.141 255.255.255.224
inet alias 192.168.3.142 255.255.255.224
inet alias 192.168.3.143 255.255.255.224
inet alias 192.168.3.144 255.255.255.224
inet alias 192.168.3.145 255.255.255.224
inet alias 192.168.3.146 255.255.255.224
inet alias 192.168.3.147 255.255.255.224
inet alias 192.168.3.148 255.255.255.224
inet alias 192.168.3.149 255.255.255.224
inet alias 192.168.3.150 255.255.255.224
inet alias 192.168.3.151 255.255.255.224
inet alias 192.168.3.152 255.255.255.224
inet alias 192.168.3.153 255.255.255.224
inet alias 192.168.3.154 255.255.255.224
inet alias 192.168.3.155 255.255.255.224
inet alias 192.168.3.156 255.255.255.224
inet alias 192.168.3.157 255.255.255.224

backup firewall Carp0:
inet 192.168.3.65 255.255.255.224 192.168.3.95 vhid 1 carpdev fxp0 pass tester1 advskew 100
inet alias 192.168.3.66 255.255.255.224
inet alias 192.168.3.67 255.255.255.224
inet alias 192.168.3.68 255.255.255.224
inet alias 192.168.3.69 255.255.255.224
inet alias 192.168.3.70 255.255.255.224
inet alias 192.168.3.71 255.255.255.224
inet alias 192.168.3.72 255.255.255.224
inet alias 192.168.3.73 255.255.255.224
inet alias 192.168.3.74 255.255.255.224
inet alias 192.168.3.75 255.255.255.224
inet alias 192.168.3.76 255.255.255.224
inet alias 192.168.3.77 255.255.255.224
inet alias 192.168.3.78 255.255.255.224
inet alias 192.168.3.79 255.255.255.224
inet alias 192.168.3.80 255.255.255.224
inet alias 192.168.3.81 255.255.255.224
inet alias 192.168.3.82 255.255.255.224
inet alias 192.168.3.83 255.255.255.224
inet alias 192.168.3.84 255.255.255.224
inet alias 192.168.3.85 255.255.255.224
inet alias 192.168.3.86 255.255.255.224
inet alias 192.168.3.87 255.255.255.224
inet alias 192.168.3.88 255.255.255.224
inet alias 192.168.3.89 255.255.255.224
inet alias 192.168.3.90 255.255.255.224
inet alias 192.168.3.91 255.255.255.224
inet alias 192.168.3.92 255.255.255.224
inet alias 192.168.3.93 255.255.255.224

backup firewall Carp1:
inet 192.168.3.129 255.255.255.224 192.168.3.159 vhid 2 carpdev fxp1 pass tester2 advskew 100
inet alias 192.168.3.130 255.255.255.224
inet alias 192.168.3.131 255.255.255.224
inet alias 192.168.3.132 255.255.255.224
inet alias 192.168.3.133 255.255.255.224
inet alias 192.168.3.134 255.255.255.224
inet alias 192.168.3.135 255.255.255.224
inet alias 192.168.3.136 255.255.255.224
inet alias 192.168.3.137 255.255.255.224
inet alias 192.168.3.138 255.255.255.224
inet alias 192.168.3.139 255.255.255.224
inet alias 192.168.3.140 255.255.255.224
inet alias 192.168.3.141 255.255.255.224
inet alias 192.168.3.142 255.255.255.224
inet alias 192.168.3.143 255.255.255.224
inet alias 192.168.3.144 255.255.255.224
inet alias 192.168.3.145 255.255.255.224
inet alias 192.168.3.146 255.255.255.224
inet alias 192.168.3.147 255.255.255.224
inet alias 192.168.3.148 255.255.255.224
inet alias 192.168.3.149 255.255.255.224
inet alias 192.168.3.150 255.255.255.224
inet alias 192.168.3.151 255.255.255.224
inet alias 192.168.3.152 255.255.255.224
inet alias 192.168.3.153 255.255.255.224
inet alias 192.168.3.154 255.255.255.224
inet alias 192.168.3.155 255.255.255.224
inet alias 192.168.3.156 255.255.255.224
inet alias 192.168.3.157 255.255.255.224

The connectivity from the master firewall is perfect and the failover
seems to work great as well.  If i pull a wire from the switch, no more
than a second or two, the backup firewall is master on all carp
interfaces.

When i try to do anything network related on the backup firewall, when
it's in backup state i get network unreachable as indicated earlier.

I can ping localhost, but nothing that actually gets on the wire seems to
work.

When i do tcpdump -nv -i fxp0 while pinging a host, there is _no_ icmp
traffic.  The only thing I see when I tcpdump on the backup firewall are
carp advertisements.

This is at this point, all being done with pf disabled.

I have verified that i have net.inet.carp.allow, net.inet.carp.preempt
both set to one and net.inet.carp.arpbalance set to 0 on both machines.



Any/all help appreciated.

Thanks in advance,

Aaron Martinez
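
The numbered/unnumbered parent distinction drawn in the quoted reply, checked against the backup firewall's configuration posted above. This is an added example, not part of the original message: the classify helper and its verdict names are hypothetical, and the "up"-only and 192.168.3.94 parent lines are constructed for contrast.

```python
import ipaddress

def parse_inet(line):
    """Parse an 'inet [alias] ADDR MASK [opts...]' line into (interface, opts)."""
    tok = line.split()
    if tok[:2] == ["inet", "alias"]:
        del tok[1]
    if len(tok) < 3 or tok[0] != "inet":
        return None
    return ipaddress.ip_interface(f"{tok[1]}/{tok[2]}"), tok[3:]

def carpdev_of(opts):
    """Return the interface named after the 'carpdev' keyword, if any."""
    if "carpdev" in opts[:-1]:
        return opts[opts.index("carpdev") + 1]
    return None

def classify(configs):
    """Map each carp interface to (parent, verdict) by how its parent is numbered."""
    result = {}
    for name, lines in configs.items():
        parsed = [p for p in map(parse_inet, lines) if p]
        parent = next((carpdev_of(o) for _, o in parsed if carpdev_of(o)), None)
        if parent is None:
            continue  # not a carp interface with a carpdev
        carp_nets = {addr.network for addr, _ in parsed}
        parent_addrs = [p[0] for p in map(parse_inet, configs.get(parent, [])) if p]
        if not parent_addrs:
            verdict = "unnumbered"
        elif any(a.ip in net for a in parent_addrs for net in carp_nets):
            verdict = "numbered-same-subnet"
        else:
            verdict = "numbered-other-subnet"
        result[name] = (parent, verdict)
    return result

# Backup firewall lines as posted in the message (alias list shortened).
BACKUP = {
    "fxp0": ["inet 10.125.221.3 255.255.255.0 NONE"],
    "fxp1": ["inet 10.126.221.3 255.255.255.0 NONE"],
    "carp0": ["inet 192.168.3.65 255.255.255.224 192.168.3.95 vhid 1 "
              "carpdev fxp0 pass tester1 advskew 100",
              "inet alias 192.168.3.66 255.255.255.224"],
    "carp1": ["inet 192.168.3.129 255.255.255.224 192.168.3.159 vhid 2 "
              "carpdev fxp1 pass tester2 advskew 100"],
}
# Constructed variants for contrast: parent with no address, parent inside the carp /27.
UNNUMBERED = dict(BACKUP, fxp0=["up"])
SAME_SUBNET = dict(BACKUP, fxp0=["inet 192.168.3.94 255.255.255.224 NONE"])

if __name__ == "__main__":
    for label, cfg in [("posted", BACKUP), ("unnumbered", UNNUMBERED), ("same", SAME_SUBNET)]:
        print(label, classify(cfg))
```
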
